sanitization

Data Sanitization in PHP

Can someone recommend an up-to-date library for data sanitization in PHP? I am looking for a library that proposes a set of functions for data sanitization. Email validation/sanitization (remove those %0A, \r...), strip HTML (stripslashes(htmlentities), remove script, SQL injection … any form of exploit related to data submitted by use...

Filtering JavaScript out of HTML

I have a rich text editor that passes HTML to the server. That HTML is then displayed to other users. I want to make sure there is no JavaScript in that HTML. Is there any way to do this? Also, I'm using ASP.NET if that helps. ...

Best way to sanitise POST/GET variables from a form/URL?

I am creating a website using PHP that makes use of a MySQL database and handles forms and variables from the URL. The variables are being used to dynamically construct SQL query strings. So I need a robust solution to make sure nobody is trying a SQL injection, etc. A friend of mine has said that really I should only use stored proced...

How to handle erroneous data?

How do you deal with user input (unicode) that you need to be restricted to a certain set of values, and you want to minimize the risk to applications that you pass the data to further down the line. For example, if I were to store the data in SQL, I would want to remove any chance of a SQL injection. If I were to send it over the wire v...

Rich text user input in Rails

What's the preferred way to handle rich text user input in rails? Markdown looks useful, but I haven't found an editor that looks simple to setup for it, nor am I sure how to handle sanitizing the html. (the sanitize helper still seems to allow stuff like </div>, which breaks my layout) I'd like to guarantee that the cleaned up code is v...

.NET libraries to sanitize input?

Are there any thoroughly tested .NET libraries out there to sanitize input from things like script/SQL injection? ...

How to override SQL sanitization in ColdFusion

I have the unfortunate task of cleaning up a bunch of old ColdFusion code. Queries are all over the place, I am working on moving them all to common CFCs for easier maintenance. I am running into a problem because cfquery is automatically converting the single quotes to double-single-quotes. How can I override that behavior? More spe...

VBScript SQL sanitization

Wary of Jeff Atwood's "Bathroom Wall of Code" post, I thought it would be useful to have a trustworthy SQL sanitisation function for VBScript, similar to PHP's mysql_real_escape_string() function. So, how can I properly sanitise data input into a SQL query using VBScript? ...

Sanitize user input destined for database in PHP

I have this code: $query = "select id from votes where username = '$user' and article_id = $this->id"; I tried this code to sanitize it: $query = sprintf("select id from votes where username = '$user' and article_id = $this->id", mysql_real_escape_string($user), mysql_real_escape_string($password)); but I get this error ...

How can I sanitize a string for use as a filename?

I've got a routine that converts a file into a different format and saves it. The original datafiles were numbered, but my routine gives the output a filename based on an internal name found in the original. I tried to batch-run it on a whole directory, and it worked fine until I hit one file whose internal name had a slash in it. Oop...

Path sanitization in C++

I'm writing a small read-only FTP-like server. Client says "give me that file" and my server sends it. Is there any standard way (a library function?!?) to make sure that the file requested is not "../../../../../etc/passwd" or any other bad thing? It would be great if I could limit all queries to a directory (and its subdirectories). ...

Sanitizing PHP input to ping program.

I would like to interface a php page to the linux command line program ping. I realize that there are sanitation issues. Is there a builtin library or function that can take care of everything, or will I have to rely on regex parsers? ...

How can I sanitize Erlang input?

I was playing around with the Erlang shell today and noticed that I could do command injections, something like the following: io:get_chars("Cmd> ", 3). Cmd> Dud List=[3,4,5]. io:get_line("I just took over your shell!"). Is there a way to sanitize the get_chars function's input so this isn't possible? ...

Regex for Encoded HTML

I'd like to create a regex that will match an opening <a> tag containing an href attribute only: <a href="doesntmatter.com"> It should match the above, but not match when other attributes are added: <a href="doesntmatter.com" onmouseover="alert('Do something evil with Javascript')"> Normally that would be pretty easy, but the HTML ...

C#: Sanitize XML text values with XmlTextWriter?

Hello, I'm using XmlTextWriter to serialize and persist some of my data. Several of the fields I serialize are based on user input (e.g. Username). Today I use the WriteElementString method of XmlTextWriter. My question is: the second parameter of WriteElementString is the text value to be written. How can I sanitize it prior to writi...

Escaping Characters Rails

I want to escape the inputs to this form so that when it's entered in the database, characters like .'* won't affect the update. How would I encode the characters to achieve the goal stated above? <% form_for @post, :url => {:action => :createInnovation } do |form| %> <fieldset> <p> Title: <br/><%= form.text_field :title, :html => {...

Looping Through GET, POST, and COOKIE to Sanitize?

Considering that everyone is always worried about user data (and rightly so), would it be sufficient to simply loop through each external array when you get it and apply mysql_real_escape_string()? I'm curious as to whether this is a bad idea. Something like: function getExternalData($type='GET') { $type = strtoupper($type); $dat...

How do I load unsanitized XML?

We have various XML files produced by an application in current distribution. Some of these files have turned out to contain invalid characters, rendering them invalid XML that won't load in most instances unless all validation is turned off, and then, only in XmlDocument instances, not XDocument. As this app is already out there, we ha...

What is the best way to "clean" information to be stored in a SQL database?

Scenario: I have a blog that I want to make a post to. I have a form set up where I can write out a blog post and submit it to a separate PHP page that then stores it in a database (after it confirms it is me posting) where it will be read from and displayed on the home page. How can I easily escape any quotes or anything that will inte...

How do I strip bad chars from a string in JS?

My JS saves some string data to JSON using "stringify()", but observing the outputted JSON string I see a lot of strange chars (out of keyspace), such as NULLs and other bad chars. Now I don't have a list of these "bad" chars so how can I strip them out of my string data? ...