sanitization

Secure Python Markdown Library

I'd like to enable users to leave rich text comments, possibly using markdown. I've installed the libraries used on Reddit, but am concerned about the javascript injection attack which occurred last year, especially since I'm still not clear on the details of how the attack was done. Should I still be concerned about comment security? Is...

Sanitization of User-Supplied Regular Expressions in PHP

I want to create a website where users can test regular expressions (there are many out there already...such as this one: http://www.pagecolumn.com/tool/pregtest.htm). Basically, the user provides a regular expression and some sample text, and the results of the regex evaluation will be spit back. I want to evaluate the regex on the ser...

PHP: best security practices for displayed information?

In PHP, I know that using parameterized queries is the best way to prevent SQL injection. But what about sanitizing user input that will be used for other purposes, such as: Displaying back to a user (potential cross-site scripting vector) Addressing an email or filling in the message body Is htmlentities() the best way to sanitize ...

Sanitizing input for display in view when using simple_format

Hi, I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods. What I am now doing is: simple_format(santiz...

How can I fix this regex to allow a specific string?

This regex comes from Atwood and is used to filter out anchor tags with anything other than the href and a title: <a\shref="(\#\d+|(https?|ftp)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]+)"(\stitle="[^"]+")?\s?> I need to allow an additional attribute that specifically matches: target="_blank". So the following url should be allowed: <a href=...

How to intercept and pre-process QueryStrings in Asp.Net

We send out registration urls to clients via email. Some of the email clients are turning the url into url <url> I think it may be happening when users forward the email onto themselves at which point the email client re-formats the original email (maybe) E.g. https://my.app.com/login.aspx?param=var Becomes https://my.app.com/logi...

How much sanitization does this form input need?

Is $username = $_POST['username']; $sanitizedUsername = strip_tags(stripcslashes($username)); enough to prevent malicious sql injections and other types of attacks? If not, what else should I use? P.S. I want to allow users to choose usernames and passwords that contain alphanumeric, space and symbol characters (except those like quo...

Is preg_match safe enough in input sanitization?

I'm building a new web-app, LAMP environment... I'm wondering if preg_match can be trusted for user's input validation (+ prepared stmt, of course) for all the text-based fields (aka not html fields; phone, name, surname, etc..). For example, for a classic 'email field', if I check the input like: $email_pattern = "/^([a-zA-Z0-9_\-\.]+)@...

How do I sanitize LaTeX input?

I'd like to take user input (sometimes this will be large paragraphs) and generate a LaTeX document. I'm considering a couple of simple regular expressions that replaces all instances of "\" with "\textbackslash " and all instances of "{" or "}" with "\}" or "\{". I doubt this is sufficient. What else do I need to do? Note: In case t...

[PHP] Sanitizing strings to make them URL and filename safe?

I am trying to come up with a function that does a good job of sanitizing certain strings so that they are safe to use in the URL (like a post slug) and also safe to use as file names. For example, when someone uploads a file I want to make sure that I remove all dangerous characters from the name. So far I have come up with the followi...

PHP - HTML Purifier - hello w<o>rld/world tutorial striptags

I am just looking into using HTML Purifier to ensure that a user-inputted string (that represents the name of a person) is sanitized. I do not want to allow any html tags, script, markup etc - I just want the alpha, numeric and normal punctuation characters. The sheer number of options available for HTML Purifier is daunting and, as far...

Is there a PHP library that performs MySQL Data Validation and Sanitization According to Column Type?

Do you know of any open source library or framework that can perform some basic validation and escaping functionality for a MySQL DB? I envisage something along the lines of: //give it something to perform the quote() quoteInto() methods $lib->setSanitizor($MyZend_DBAdaptor); //tell it structure of the table - colnames/coltypes/ etc ...

PHP HTML sanitizer

Hi, I'm wondering if anybody has used this class and found it to be reliable? http://www.phpclasses.org/package/3746-PHP-Remove-unsafe-tags-and-attributes-from-HTML-code.html Many thanks! ...

php Form to Email sanitizing

Hi, I'm using the following to send a contact us type form. I've looked into security and only found that you need to protect the From: bit of the mail function; as I've hardcoded this, does that mean the script is spamproof / un-hijackable? $tenantname = $_POST['tenan']; $tenancyaddress = $_POST['tenancy']; $alternativename = $_POST['alter...

PHP input sanitizer?

What are some good PHP html (input) sanitizers? Preferably, if something is built in - I'd like to use that. UPDATE: Per the request, via comments, input should not allow HTML (and obviously prevent XSS & SQL Injection, etc). ...

Displaying untrusted HTML using PHP

I have read a number of excellent questions and answers today about dealing with user input. I am now using htmlspecialchars() to display user data in the create/edit forms (but accepting the raw input via prepared PDO statements into my database). The main question I now have is, what do you do when you are allowing the user to subm...

Correct sequence of actions when using Markdown & MySQL?

I want my users to be able to write an article in Markdown, have it stored in the MySQL database (with the option to edit it in the future), and displayed for other users. In practice, this is my understanding of how it works: INPUT user input via HTML form using Markdown syntax $queryInput = mysql_real_escape_string($userInput); ins...

php: two objects from the same class work independently of each other

Good morning, I would like the code in my controller to look something like this: <?php $class = new sanitizeInput() $string1 = $class -> input($_POST[name]) -> mysql_escape(); $string2 = $class -> input($_POST[age]) -> mysql_escape(); print " String1: $string1 <br /> String2: $string2" ?> It seems with my sanitizeInput c...

Serializing array in PHP, preventing injection

I'm writing a PHP script which uses serialized arrays to store data. How can I prevent injection in serialization? It would be very easy to name your account: something";s:6:"access";s:5:"admin"; for a simple example. The user could then add the rest of the needed parameters somehow. Would addslashes work for this? Does the php unseri...

CSS and JQuery: spaces inside image name break code of url()

Hi, I have a page that is supposed to display a larger version of an image when hovered over a thumbnail. I have a 'div' with an ID and the JQuery code is as following: $(document).ready(function(){ $('img').hover(function() { var src = $("#im" + this.id).attr("src"); $('#viewlarge').css('backgroundImage','url(' + src +')...