User equals untrustworthy. Never trust untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this "cleaned" version? Maybe there are als...
How do I find duplicate addresses in a database, or better stop people already when filling in the form ? I guess the earlier the better? Is there any good way of abstracting street, postal code etc so that typos and simple attempts to get 2 registrations can be detected? like: Quellenstrasse 66/11 Quellenstr. 66a-11 I'm talking Ge...
I'm looking for the best way to take a simple input: echo -n "Enter a string here: " read -e STRING and clean it up by removing non-alphanumeric characters, lower(case), and replacing spaces with underscores. Does order matter? Is tr the best / only way to go about this? ...
I realize that parameterized SQL queries is the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with taking user input and escaping any single quotes and surrounding the whole string with single quotes. Here's the code: sSanitizedInput = "'" & Replace(sInput, "'", "''") ...
I am looking at starting a hosted CMS-like service for customers. As it would, it would require the customer to input text which would be served up to anyone that comes to visit their site. I am planning on using Markdown, possibly in combination with WMD (the live markdown preview that SO uses) for the big blocks of text. Now, should ...
What is everyone's favorite way to sanitize user data? I've been using Javascript, but have recently required something more secure (people can turn it off, after all), so I was looking at Flex, but thought I'd ask the community what they thought. ...
What are the dangerous characters that should be replaced in user input when the users' input will be inserted in a MySQL query? I know about quotes, double quotes, \r and \n. Are there others?(I don't have the option of using a smart connector that accepts parameters so I have to build the query myself and this will be implemented in mu...
I'm wondering if there is a quick and easy function to clean get variables in my url, before I work with them.( or $_POST come to think of it... ) I suppose I could use a regex to replace non-permitted characters, but I'm interested to hear what people use for this sort of thing? ...
We want to allow "normal" href links to other webpages, but we don't want to allow anyone to sneak in client-side scripting. Is searching for "javascript:" within the HREF and onclick/onmouseover/etc. events good enough? Or are there other things to check? ...
I have a Python function in which I am doing some sanitisation of the input parameters: def func(param1, param2, param3): param1 = param1 or '' param2 = param2 or '' param3 = param3 or '' This caters for the arguments being passed as None rather than empty strings. Is there an easier/more concise way to loop round the func...
I have to update old projects at work. I do not have any experience with classic asp, although i'm familiar with php scripting. Are there any functions I should use? Can you provide me with a good function for some basic protection? Is there something like a parameterized query in asp? Thanks! ...
I want to make sure a file path set via query string does not go outside of the desired subdirectory. Right now, I am checking that: The path does not start with "/", to prevent the user from giving an absolute path. The path does not contain "..", to prevent the user from giving a path that is outside of the desired subdirectory. The...
I want to write an application that consumes RSS. I want to be able to show some items in the item description of the RSS feed as HTML, such as images, links, br, etc. However, I don't want any embedded scripts to run, unruly css elements, etc. I don't want to re-invent the wheel either. Are their any libraries that strip out just th...
A user will input text in a textarea. It is then inserted directly into a mySQL database. I use trim, htmlentities, mysql_real_escape_string on it and I have magic quotes enabled. How should I sanitize it when outputting that data back into a textarea? Thanks for your help. I've never been too sure on the correct way of doing this... ...
Sometimes when a user is copying and pasting data into an input form we get characters like the following: didn’t,“ for beginning quotes and †for end quote, etc ... I use this routine to sanitize most input on web forms (I wrote it a while ago but am also looking for improvements): function fnSanitizePost($data) //escapes,st...
What is the best way to escape strings for sql inserts, updates? I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement? Thanks Duplicate of: http://stackoverflow.com/questions/568995/best-way-to-defend-against-mysql-injection-and-cross-site-scrip...
I have a deployment script (.bat), part of which requires calling other programs and sending a password on the command line. I log the output of the deployment script to a file. The problem is that the password gets logged as well. I need a way of sanitizing this log file. One way to do this is to not echo the line which contains the p...
How can I detect (with regular expressions or heuristics) a web site link in a string of text such as a comment? The purpose is to prevent spam. HTML is stripped so I need to detect invitations to copy-and-paste. It should not be economical for a spammer to post links because most users could not successfully get to the page. I would...
Is there any available C++ (or maybe C) function/class/library with only purpose to sanitize a string that might contain HTML? I find a lot of source code for sanitizing in C# or other languages more used in web application but nothing in C++. I'll try to implement my own function if I don't find any available but I think an heavily t...
Assume I have a form with some disabled checkboxes because the user as logged in shouldn't be able to check them. Where should I add some sanitization security to make sure they didn't hack the checkbox and cause a postback? In the page? Database layer? In the database? I realize it's most likely a pretty broad question. thanks, Mark...