sanitization

When is it Best to Sanitize User Input?

User equals untrustworthy. Never trust untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this "cleaned" version? Maybe there are als...

Find duplicate addresses in database, stop users entering them early?

How do I find duplicate addresses in a database, or better, stop people already when filling in the form? I guess the earlier the better? Is there any good way of abstracting street, postal code etc. so that typos and simple attempts to get 2 registrations can be detected? Like: Quellenstrasse 66/11 Quellenstr. 66a-11 I'm talking Ge...

In a bash script, how do I sanitize user input?

I'm looking for the best way to take a simple input:
    echo -n "Enter a string here: "
    read -e STRING
and clean it up by removing non-alphanumeric characters, lower(case), and replacing spaces with underscores. Does order matter? Is tr the best / only way to go about this? ...

Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?

I realize that parameterized SQL queries are the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with taking user input and escaping any single quotes and surrounding the whole string with single quotes. Here's the code: sSanitizedInput = "'" & Replace(sInput, "'", "''") ...

Should I sanitize HTML markup for a hosted CMS?

I am looking at starting a hosted CMS-like service for customers. As it would, it would require the customer to input text which would be served up to anyone that comes to visit their site. I am planning on using Markdown, possibly in combination with WMD (the live markdown preview that SO uses) for the big blocks of text. Now, should ...

Favorite Web Form Validation Technique

What is everyone's favorite way to sanitize user data? I've been using JavaScript, but have recently required something more secure (people can turn it off, after all), so I was looking at Flex, but thought I'd ask the community what they thought. ...

Sanitizing MySQL user parameters

What are the dangerous characters that should be replaced in user input when the users' input will be inserted in a MySQL query? I know about quotes, double quotes, \r and \n. Are there others? (I don't have the option of using a smart connector that accepts parameters so I have to build the query myself and this will be implemented in mu...

A tidy way to clean your URL variables?

I'm wondering if there is a quick and easy function to clean GET variables in my URL, before I work with them (or $_POST, come to think of it...). I suppose I could use a regex to replace non-permitted characters, but I'm interested to hear what people use for this sort of thing? ...

Removing JavaScript from HREFs

We want to allow "normal" href links to other webpages, but we don't want to allow anyone to sneak in client-side scripting. Is searching for "javascript:" within the HREF and onclick/onmouseover/etc. events good enough? Or are there other things to check? ...

Loop function parameters for sanity check

I have a Python function in which I am doing some sanitisation of the input parameters:
    def func(param1, param2, param3):
        param1 = param1 or ''
        param2 = param2 or ''
        param3 = param3 or ''
This caters for the arguments being passed as None rather than empty strings. Is there an easier/more concise way to loop round the func...

Good way to sanitize input in classic ASP

I have to update old projects at work. I do not have any experience with classic ASP, although I'm familiar with PHP scripting. Are there any functions I should use? Can you provide me with a good function for some basic protection? Is there something like a parameterized query in ASP? Thanks! ...

How do I make sure a file path is within a given subdirectory?

I want to make sure a file path set via query string does not go outside of the desired subdirectory. Right now, I am checking that: The path does not start with "/", to prevent the user from giving an absolute path. The path does not contain "..", to prevent the user from giving a path that is outside of the desired subdirectory. The...

RSS description html sanitizing in .NET

I want to write an application that consumes RSS. I want to be able to show some items in the item description of the RSS feed as HTML, such as images, links, br, etc. However, I don't want any embedded scripts to run, unruly CSS elements, etc. I don't want to re-invent the wheel either. Are there any libraries that strip out just th...

How do I properly sanitize data received from a text area, when outputting it back into the text area?

A user will input text in a textarea. It is then inserted directly into a MySQL database. I use trim, htmlentities, mysql_real_escape_string on it and I have magic quotes enabled. How should I sanitize it when outputting that data back into a textarea? Thanks for your help. I've never been too sure on the correct way of doing this... ...

Routine for removing ALL junk from incoming strings?

Sometimes when a user is copying and pasting data into an input form we get characters like the following: didn’t,“ for beginning quotes and †for end quote, etc ... I use this routine to sanitize most input on web forms (I wrote it a while ago but am also looking for improvements): function fnSanitizePost($data) //escapes,st...

Best way to escape strings for SQL inserts?

What is the best way to escape strings for SQL inserts, updates? I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement? Thanks. Duplicate of: http://stackoverflow.com/questions/568995/best-way-to-defend-against-mysql-injection-and-cross-site-scrip...

How to remove the password from a log file in Windows?

I have a deployment script (.bat), part of which requires calling other programs and sending a password on the command line. I log the output of the deployment script to a file. The problem is that the password gets logged as well. I need a way of sanitizing this log file. One way to do this is to not echo the line which contains the p...

Detecting a (naughty or nice) URL or link in a text string

How can I detect (with regular expressions or heuristics) a web site link in a string of text such as a comment? The purpose is to prevent spam. HTML is stripped so I need to detect invitations to copy-and-paste. It should not be economical for a spammer to post links because most users could not successfully get to the page. I would...

HTML Sanitization in C++

Is there any available C++ (or maybe C) function/class/library with the only purpose to sanitize a string that might contain HTML? I find a lot of source code for sanitizing in C# or other languages more used in web applications but nothing in C++. I'll try to implement my own function if I don't find any available but I think a heavily t...

What are basic ASP.NET form security practices?

Assume I have a form with some disabled checkboxes because the user, as logged in, shouldn't be able to check them. Where should I add some sanitization security to make sure they didn't hack the checkbox and cause a postback? In the page? Database layer? In the database? I realize it's most likely a pretty broad question. Thanks, Mark...