php - What is the best way to sanitize user inputs? -

I need to prevent XSS attacks as much as possible, in a centralized way so I don't have to explicitly sanitize each input.

My question: is it better to sanitize inputs at the URL/request processing level, to encode/sanitize inputs before serving them, or to do it at the presentation level (output sanitization)? Which one is better, and why?

There are 2 areas you need to be aware of:

Anywhere you utilize input as part of a script in some language, notably including SQL. In the particular case of SQL, the only recommended way of dealing with things is to utilize parameterized queries (which result in the unescaped content being in the database, as strings: that's ideal). Anything involving magic quoting of characters before substituting them straight into a SQL string is inferior (because it's easy to get wrong). Anything that can't be done with a parameterized query on a service that should be secured against SQL injection should never be something the user is allowed to specify.

Anywhere you present input as output. The source of the input may be direct (including via cookie) or indirect (via a database or file). In either case, the default approach should be to create text that the user sees as exactly the text that was input. That's easy to implement correctly, since the only characters you have to quote are <, & and the quote characters, and you can wrap the result in <pre> for display.

But that's not enough. For example, you might want to allow users some sort of formatting. This is forever easy to get wrong. The simplest approach in that case is to parse the input and observe only the formatting instructions; everything else needs to be quoted properly. You should store the formatted version additionally in a database column so you don't need to do much work when returning it to the user, and you should store the original version the user input so you can search on it. Do not mix them up! Really! Audit your application to make totally sure you got it right (or, better yet, have someone else audit it).

But being careful with SQL still applies, and there are many HTML tags (e.g., <script>, <object>) and attributes (e.g., onclick) that are never ever safe.

Are you looking for advice specific to packages that do this work? You need to pick a language then. The above advice is totally language-independent. Add-on packages/libraries can make many of the steps above easy in practice, but you still absolutely need to be careful.
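The two areas above (parameterized SQL on the way in, escaping with a small whitelisted formatting grammar on the way out, storing original and rendered text in separate columns) as an added PHP example; this is not code from the question or the answer, it assumes PHP 8 with the PDO SQLite driver, and the `*text*` bold marker and the `comments` table layout are constructed for the example.

```php
<?php
// Added example, not from the original post. Assumes PHP 8 with PDO/SQLite.
declare(strict_types=1);

// Output side: escape everything first, then let only a tiny formatting
// grammar through. Here "*text*" (constructed marker syntax) becomes <strong>.
// Because the regex runs on the already-escaped text, every tag in the result
// is written by this function; no tag name or attribute comes from the input.
function renderUserText(string $raw): string
{
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('/\*([^*]+)\*/', '<strong>$1</strong>', $escaped);
}

// Input side: store what the user typed (for search) and the rendered form
// (for display) through bound parameters; the raw text is never concatenated
// into the SQL string, so quotes in it cannot change the statement.
function storeComment(PDO $db, string $raw): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (raw_text, html_text) VALUES (:raw, :html)'
    );
    $stmt->execute([':raw' => $raw, ':html' => renderUserText($raw)]);
    return (int) $db->lastInsertId();
}

// Read back by id, again with a bound parameter.
function loadComment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT raw_text, html_text FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, raw_text TEXT, html_text TEXT)');

// Constructed sample input: a single quote (SQL-relevant), a <script> tag
// (XSS-relevant) and the whitelisted bold marker.
$sample = "O'Brien said <script>alert(1)</script> is *not* allowed";
$row = loadComment($db, storeComment($db, $sample));

echo "raw:  {$row['raw_text']}\n";   // stored unescaped, searchable
echo "html: {$row['html_text']}\n";  // safe to emit into an HTML body as-is
```

The raw column keeps the user's text verbatim for searching, while the html column holds escaped text with only the `<strong>` tags the renderer itself produced; the two must never be swapped when reading them back.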

Tags: php, web-applications, web, tcl, xss
