I'm building a local vm for doing web dev rather than using our on site development. I need a database locally, but I don't want to just pull down a production db and use that as it has information that, while not protected by HIPAA or anything, should not be available in the case of laptop theft. Are there any apps or recommended practi...
I have one "go" script that fetches any other script requested and this is what I wrote to sanitize user input: foreach ($_REQUEST as $key => $value){ if (get_magic_quotes_gpc()) $_REQUEST[$key] = mysql_real_escape_string(stripslashes($value)); else $_REQUEST[$key] = mysql_real_escape_string($value); } I haven't seen anyone el...
I have a record edit link that GETs a 7 character alphanumeric text string which is always ZZZZ111 in structure and is then used in a MySQL query to pull all related data for that record id. Is mysql_real_escape_string() all I need in terms of sanitizing this $_GET['id'] ? Or are there more steps to take to protect my database? ...
It is inspired by "How to make a valid Windows filename from an arbitrary string?", I've written a function that will take arbitrary string and make it a valid filename. My function should technically be an answer to this question, but I want to make sure I've not done anything stupid, or overlooked anything, before posting it as an ans...
Greetings, I'm hoping to make my tiny program secure so that potential malicious users cannot view sensitive files on the server. $path = "/home/gsmcms/public_html/central/app/webroot/{$_GET['file']}"; if(file_exists($path)) { echo file_get_contents($path); } else { header('HTTP/1.1 404 Not Found'); } Off the top of my head...
I know there is a lot of discussion for years on best methods of filtering data with PHP but I would like to go the whitelist approach in my current project. I only want a user to be able to use the following HTML <b>bold</b> <i>italics</i> <u>underline</u> <s>strikethrough</s> <big>Big size</big > <small>Small size</small> Hyperlin...
Hi. I'm analyzing my code (C#, desktop application) with CAT.NET Code Analysis and getting "Sanitize the file path prior to passing it to file system routines" message when dealing with file names. What I don't understand is that to ensure the file name is valid, I use: void SomeMethod(String filename) { filename = System.IO.Path.Ge...
I want to write a function that allows users to match data based on a regexp, but I am concerned about sanitation of the user strings. I know with SQL queries you can use bind variables to avoid SQL injection attacks, but I am not sure if there's such a mechanism for regexps. I see that there's Regexp.escape, but I want to allow valid re...
My C# site allows users to submit HTML to be displayed on the site. I would like to limit the tags and attributes allowed for the HTML, but am unable to figure out how to do this in .net. I've tried using Html Agility Pack, but I don't see how to modify the HTML, I can see how to go through the HTML and find certain data, but actually g...
I'm looking for a php function that will sanitize a string and make it ready to use for a filename. Anyone know of a handy one? ( I could write one, but I'm worried that I'll overlook a character! ) Edit: for saving files on a Windows NTFS filesystem. ...
Hey everyone, I'm using various ASP.NET controls out of the box such as the CreateUserWizard control, Login control etc... For custom controls, I have sanitized my inputs by making sure they conform to expected values. However, is this required for the controls such as the CreateUserWizard control, or is that handled internally? Do I ...
Hi, I'm trying to sanitize any data that's inputted by making sure the data is valid for a particular field (e.g. a name can't contain special characters/numbers etc..) However, I'm not sure what to do when it comes to a password field. Would I even need to bother with any sanitization as the password is simply hashed? If the user was ...
The URL would be Saved to a MySQL database Used to display a picture on the user's profile would strip_tags() and mysql_real_escape_string() be enough? ...
I'm looking for a simple PHP library that helps filter XSS vulnerabilities in PHP Markdown output. I.E. PHP Markdown will parse things such as: [XSS Vulnerability](javascript:alert('xss')) I've been doing some reading around and the best I've found on the subject here was this question. Although HTML Purifier looks like the best (nea...
Do not code like this. Please, read the hints by the accepted answer. I tried to remove the junk but I coundn't. Code import sys a = [] i=0 for line in sys.stdin: try: n = float(line) a.append(n) i+=1 except ValueError: print 'Number please!'; ...
I read from the cookbook (sec. 4.2) CakePHP already protects you against SQL Injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (ie. array('field' => $value)) instead of raw SQL. For sanitization against XSS its generally better to save raw HTML in database without modification and saniti...
Here's the vimeo url code. <object width="40" height="300"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=9082619&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&am...
I have an app using Spring, JPA (Hibernate) and the Java validation framework (Hibernate Validator). I would like to be able to annotate fields in our domain model that are allowed to contain HTML and have them automatically sanitized at commit time. Anyone know a clever way to do this? I have tried using the validation framework but th...
I have a form field that includes a mixture of HTML and text. I want users to be able to use basic HTML and punctuation. Currently I am using mysql_real_escape_string and preg_replace to sanitise the data and insert it into the database. My understanding is that preg_replace is the best way to strip any characters that are not in a whit...
We're building a user generated content site where we want to allow users to be able to embed things like videos, slideshares, etc... Can anyone recommend a generally accepted list of tags / attributes to allow in rails sanitize that will give us pretty good security, while still allowing a good amount of the embedable content / html for...