FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » BB type posting - is this secure?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: BB type posting - is this secure? [message #176408 is a reply to message #176398] Wed, 04 January 2012 07:24 Go to previous message
Curtis Dyer is currently offline  Curtis Dyer
Messages: 34
Registered: January 2011
Karma:
Member
Michael Joel <no(at)please(dot)com> wrote:

> On Fri, 30 Dec 2011 10:59:46 +0100, "Álvaro G. Vicario"
> <alvaro(dot)NOSPAMTHANX(at)demogracia(dot)com(dot)invalid> wrote:
>
>> El 29/12/2011 23:45, Michael Joel escribió/wrote:
>>> I am allowing posts to the page and wanted to see if this is
>>> secure.
>>>
>>> data from sql is placed in an array (say $MyArray):
>>>
>>> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));

[I'm including some of what Álvaro wrote for sufficient context:]

>> What sense does it make to strip slashes in data that comes
>> from a database? If stored data is valid, this will basically
>> corrupt it as soon as it contains a backslash:

> .......... SNIP ................
>
>
> Sorry I did not make it clear.
>
> stripslashes is used as it comes out of the db, addslashes are
> used as it goes in (but as mention mysql_real_escape_string is
> to be used).

The use of stripslashes() on DB output is not needed when properly
sanitized data is inserted into the DB in the first place. It
seems like you're misunderstanding the process.

In my experience, it's best to store data in the DB exactly as the
users provide it. We sanitize the data as a necessary step to
prevent arbitrary and malicious SQL from being executed. Upon
retrieving the data for output, none of the artifacts remain from
the sanitization step.

This is a simplified model of how you might conceptualize handling
the data.

Incoming data
Sanitization (e.g., prepared statements)
|
V

Database
|
V

Outgoing data
Escape data (e.g. htmlspecialchars())

You might well do something else with the outgoing data. It
depends on what you're doing. Álvaro demonstrates upthread.

> Someone else also claimed the strip_tags($MyString, "<br>");
> will strip <br> - but it does not. Maybe it will <br /> but then
> just change it to "<br><br />"

If you're referring to my previous reply* to your OP, then no, I
did not claim that at all. I merely suggested, *as an
alternative*, to make the call to nl2br() last so you don't need
to use the filter parameter for strip_tags().

---
* Message ID: <jdit4j$jj1$1(at)dont-email(dot)me>

<snip>

--
Curtis Dyer
<?$x='<?$x=%c%s%c;printf($x,39,$x,39);?>';printf($x,39,$x,39);?>
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Help with script that retrieve remote files
Next Topic: Give me the names of some CRM php projects
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 02:07:51 GMT 2024

Total time taken to generate the page: 0.03754 seconds