
Subject: Re: [PEAR] Using DB: do I need to quoteSmart() AND strip_tags() all user input?
Author: l Burnerheimerton

2005-03-14, 8:56 pm

What I'm thinking of doing with strip_tags() makes
sense, right? I've read about a vulnerability for
VIEWERS of what is posted rather than the database
itself. This is where the user posts some bad script
in the field and when it is displayed, it causes
something harmful to the person's browser who is
viewing it at that time.

strip_tags() can delete all html tags before it goes
to database since it strips HTML and PHP tags.

Ideas? Thoughts? Best practices?
--- Justin Patrin <papercrane@gmail.com> wrote:
> On Mon, 14 Mar 2005 13:07:05 -0800 (PST), l
> Burnerheimerton
> <lburnerheimerton@yahoo.com> wrote:
> could
> might
>
> Best practice is to use quoteSmart on any DB values
> when putting them in SQL.
>
> For HTML, you can decide on your own, but if you
> don't want to allow
> HTML, but want people to be able to post HTML code
> (for viewing) use
> htmlentities() when *outputting* the content.
>
> --
> Justin Patrin
>
> --
> PEAR General Mailing List (http://pear.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>




Author: Justin Patrin

2005-03-14, 8:56 pm

On Mon, 14 Mar 2005 16:07:26 -0800 (PST), l Burnerheimerton
<lburnerheimerton@yahoo.com> wrote:
> What I'm thinking of doing with strip_tags() makes
> sense, right? Ive read about a vulnerability for
> VIEWERS of what is posted rather than the database
> itself. This is where the user posts some bad script
> in the field and when it is displayed, it causes
> something harmful to the person's browser who is
> viewing it at that time.
>
> strip_tags() can delete all html tags before it goes
> to database since it strips HTML and PHP tags.
>
> Ideas? Thoughts? Best practices?


I already told you, the best practice is to run htmlentities on any
output which was from the user. This way, all HTML / script / etc.
will be shown exactly as it was entered instead of interpreted by the
browser as extra markup or javascript. htmlentities makes all output
perfectly safe for viewing in a browser.

If you want to explicitly deny users the posting of any HTML or PHP
code, by all means use strip_tags, but it's much more useful when you
want people to be able to use a subset of HTML in their postings and
want to pull out the bad bits.

Here's an example. If I enter <grin> in your form, strip_tags will
remove it even though I meant it as an emote, not HTML. In addition,
using strip_tags makes it *impossible* to post HTML or PHP code. What
if someone wants to post HTML code for viewing?
> --- Justin Patrin <papercrane@gmail.com> wrote:

--
Justin Patrin
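The two separate concerns in this thread, escaping for SQL when storing and encoding for HTML when displaying, side by side in a small PHP script. This is an added example, not code from either poster or from PEAR; it assumes PHP with the pdo_sqlite extension and uses a PDO prepared statement in place of PEAR DB's quoteSmart() (the quoteSmart() form is shown in a comment). The sample posts, including the harmless <grin> emote from the reply above, are constructed.

```php
<?php
// Added example (not from the thread). Storing protects the SQL statement
// and keeps the text exactly as entered; displaying encodes for the HTML
// context. The thread uses PEAR DB's quoteSmart(); this script assumes PDO
// with an in-memory SQLite database, so a prepared statement plays the role
// quoteSmart() plays in the thread.

declare(strict_types=1);

// Constructed sample posts: a harmless emote and a script-injection attempt.
$posts = [
    'Nice patch <grin>',
    "Hello <script>alert('xss')</script> O'Brien",
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Storing: the value is bound, never spliced into the SQL text.
// PEAR DB equivalent (assumed form, as discussed in the thread):
//   $db->query('INSERT INTO comments (body) VALUES (' . $db->quoteSmart($body) . ')');
function storeComment(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Displaying: encode on output so the browser shows the text literally
// instead of interpreting it as markup or JavaScript.
function renderComment(string $body): string
{
    return '<p>' . htmlentities($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// The strip_tags() alternative from the thread: removes anything that looks
// like a tag, which also eats the harmless <grin>, and leaves the script's
// text body behind rather than rendering it inert.
function renderStripped(string $body): string
{
    return '<p>' . strip_tags($body) . '</p>';
}

foreach ($posts as $body) {
    storeComment($db, $body);
}

foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
    echo 'stored:   ' . $row['body'] . "\n";
    echo 'encoded:  ' . renderComment($row['body']) . "\n";
    echo 'stripped: ' . renderStripped($row['body']) . "\n\n";
}
```

Running it shows the stored rows unchanged, the encoded output with every `<`, `>` and quote turned into an entity (so both the emote and the script are displayed as text), and the stripped output with the emote gone. The point of the split is that the database never needs to know about HTML and the browser never needs to know about SQL; each boundary gets the escaping for its own context.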

Copyright 2008 codecomments.com