Search Results

Search found 128 results on 6 pages for 'sanitize'.

Page 4/6 | < Previous Page | 1 2 3 4 5 6  | Next Page >

  • [PHP] Sanitizing strings to make them URL and filename safe?

    - by Xeoncross
    I am trying to come up with a function that does a good job of sanitizing certain strings so that they are safe to use in the URL (like a post slug) and also safe to use as file names. For example, when someone uploads a file I want to make sure that I remove all dangerous characters from the name. So far I have come up with the following function which I hope solves this problem and also allows foreign UTF-8 data also. /** * Convert a string to the file/URL safe "slug" form * * @param string $string the string to clean * @param bool $is_filename TRUE will allow additional filename characters * @return string */ function sanitize($string = '', $is_filename = FALSE) { // Replace all weird characters with dashes preg_replace('/[^\w\-'. ($is_filename ? '*~_\.' : ''). ']+/u', '-', $string); // Only allow one dash separator at a time (and make string lowercase) return mb_strtolower(preg_replace('/--+/u', '-', $string), 'UTF-8'); } Does anyone have any tricky sample data I can run against this - or know of a better way to safeguard our apps from bad names?

    Read the article

  • Preventing LDAP injection

    - by Matias
    I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After woking a while on that I noticed that the user could be able to alter the LDAP query by injecting malicious code. I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc. I thought that escaping equals and semicolons would be enough, but not sure. Here is a little piece of code so I can make clearer the question: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); Obviously I do need to sanitize $userName, as stated in this OWASP ARTICLE

    Read the article

  • Prototypejs .evalJSON not returning object

    - by Pselus
    I have this JSON (which validates according to JSONLint): [ { "BugCount":"2", "BugTitle":"C:\\INETPUB\\WWWROOT\\CLUBREADY2\\TRAINERS\\../Connections/LTC.asp", "ErrLine":"141", "BugID":"702" }, { "BugCount":"1", "BugTitle":"/admin/ajax_logagreementsig.asp", "ErrLine":"0", "BugID":"1322" }, ] However, when I run data = json.evalJSON on it I get some problems. If I run .evalJSON(true) (to sanitize) an error happens within prototype saying "json" is undefined. The same happens if I do .evalJSON(). If I do .evalJSON with no parenthesis, then data is just an empty object and no error happens. Is there something wrong with my JSON?

    Read the article

  • Sanitizing incoming XML via WCF

    - by Clark
    I am consuming a Java webservice from .net using WCF. I am getting an error on deserialization of a response from the Java service The byte 0x00 is not valid at this location. Line 1, position 725. I know from some research that this is an incorrectly encoded null, but I am unlikely to get the provider to change it, so I would like to sanitize the null out before WCF deserializes the return message. Any Ideas? I am using c#, but answers in any CLR language will do.

    Read the article

  • Using MS Anti XSS library for sanitizing HTML

    - by user102533
    In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time. My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I covered? Do I need to do anything when the HTML is outputted on a web page? Also, it appears that the white list is kind of a black box. Is there a way to update this based on our requirements?

    Read the article

  • [C# asp.net mvc or javascript] user-friendly xml sensitization library that html encoding invalid pa

    - by Fox
    I would like to allow my users to submit a subset of xhtml that will be displayed to other users (likely I'll build a schema for it) but I want the server to handle validation more gracefully then hard rejecting invalid submissions.... Instead I'd like the server to Html Encode invalid/harmful parts of the submissions.... (sanitize javascript and css etc.) Is there any library (maybe asp.net mvc 2 has such functionality?) or do I have to develop my own? or maybe there is a javascript library that html encodes invalid parts and I can just have the server only accept that subset?

    Read the article

  • jQuery Autocomplete losing text on AutoPostBack

    - by Moose
    I have a jQuery Autocomplete field on an ASP.Net Webform and everything has been working great until now. I also have a DropDownList that I have a need to fire onSelectedIndexChanged with AutoPostBack. When I changed my code to do the AutoPostBack, the text field that has the jQuery AutoComplete on it comes back blank. However, if I look at the source of the page, the text is in the text field. If I now post the form, the page will send back a blank field. My Google-Fu is weak on this one, as I could not come up with any workaround for it. Has anyone had any issues like this with the Autocomplete field getting blanked out on an AutoPostBack, and how did you get around it? I can post code if it's really necessary, but I'd need to sanitize a lot of it before I could due to company policy.

    Read the article

  • PHP / MYSQL: Sanitizing user input - is this a bad idea?

    - by Greg
    I have one "go" script that fetches any other script requested and this is what I wrote to sanitize user input: foreach ($_REQUEST as $key => $value){ if (get_magic_quotes_gpc()) $_REQUEST[$key] = mysql_real_escape_string(stripslashes($value)); else $_REQUEST[$key] = mysql_real_escape_string($value); } I haven't seen anyone else use this approach. Is there any reason not to? EDIT - amended for to work for arrays: function mysql_escape($thing) { if (is_array($thing)) { $escaped = array(); foreach ($thing as $key => $value) { $escaped[$key] = mysql_escape($value); } return $escaped; } // else if (get_magic_quotes_gpc()) $thing = stripslashes($thing); return mysql_real_escape_string($thing); } foreach ($_REQUEST as $key => $value){ $_REQUEST[$key] = mysql_escape($value); }

    Read the article

  • PHP - HTML Purifier - hello w<o>rld/world tutorial striptags

    - by JW
    I am just looking into using HTML Purifier to ensure that a user-inputed string (that represents the name of a person) is sanitized. I do not want to allow any html tags, script, markup etc - I just want the alpha, numeric and normal punctuation characters. The sheer number of options available for HTML Purifier is daunting and, as far as i can see, the docs do not seem to have a beggining/middle or end see: http://htmlpurifier.org/docs Is there a simple hello world tutorial online that shows how to sanitize a string removing all the bad stuff out of it. I am also considering just using strip tags: http://php.net/manual/en/function.strip-tags.php or PHP's in built data sanitizing http://us.php.net/manual/en/book.filter.php

    Read the article

  • Filter user input (paragraph) for links + smileys

    - by Alec Smart
    Hello, I am looking at some sort of existing filter which can sanitize the user input to avoid XSS. Probably I can use htmlspecialchars for that. But at the same time I want to be able to parse all links (should match a.com, www.a.com and http://www.a.com and if it is http://www.aaaaaaaaaaaaaaaaaaaaaaaaaa.com then it should display it as aaa..a.com), e-mails and smileys. I am wondering what is the best way to go about it. I am currently using a php function with some regex, but many times the regex simply fails (because of link recognition is incorrect etc.). I want something very similar to the parser used during Google Chat (even a.com works). Thank you for your time.

    Read the article

  • Disabling javascript in specific block/div (containing suspect HTML) ?

    - by T4NK3R
    Is it, in any way, possible to disable the browsers execution of script inside a block/section/element ? My scenario is, that I'm letting my (future) users create "rich content" (using CK-editor). Content that wil later be shown to other users - with all the dangers that imply: xss, redirection, identity theft, spam and what not... I've, more or less, given up on trying to "sanitize" the incomming XHTML, after seeing how many known "vectors of attack" there are: http://ha.ckers.org/xss.html What I'm really looking for is something like: < div id="userContent"< scriptOFF suspect HTML < /scriptOFF< /div

    Read the article

  • PHP preg_replace() pattern, string sanitization.

    - by Otar
    I have a regex email pattern and would like to strip all but pattern-matched characters from the string, in a short I want to sanitize string... I'm not a regex guru, so what I'm missing in regex? <?php $pattern = "/^([\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+\.)*[\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+@((((([a-z0-9]{1}[a-z0-9\-]{0,62}[a-z0-9]{1})|[a-z])\.)+[a-z]{2,6})|(\d{1,3}\.){3}\d{1,3}(\:\d{1,5})?)$/i"; $email = 'contact<>@domain.com'; // wrong email $sanitized_email = preg_replace($pattern, NULL, $email); echo $sanitized_email; // Should be [email protected] ?> Pattern taken from: http://fightingforalostcause.net/misc/2006/compare-email-regex.php (the very first one...)

    Read the article

  • Sanitizing CSS in Rails

    - by Erik
    Hello! I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page. However I am aware of this opening up for many security risks, i e background: url('javascript:alert("Got your cookies! " + document.cookies'). Hence I am looking for a solution to sanitize the CSS while still allowing as much CSS functionality as possible for my users. So my questions if anyone anyone knows of a gem or a plugin to handles this? I've googled my brains out already so any tips would be really appreciated!

    Read the article

  • PHP - Filter some words

    - by bob
    I want to filter some reserved word on my title form. $adtitle = sanitize($_POST['title']); $ignore = array('sale','buy','rent'); if(in_array($adtitle, $ignore)) { $_SESSION['ignore_error'] = '<strong>'.$adtitle.'</strong> cannot be use as your title'; header('Location:/submit/'); exit; How to make something like this. If user type Car for sale the sale will detected as reserved keyword. Now my current code only detect single keyword only.

    Read the article

  • Filter some words

    - by bob
    I want to filter some reserved word on my title form. $adtitle = sanitize($_POST['title']); $ignore = array('sale','buy','rent'); if(in_array($adtitle, $ignore)) { $_SESSION['ignore_error'] = '<strong>'.$adtitle.'</strong> cannot be use as your title'; header('Location:/submit/'); exit; How to make something like this. If user type Car for sale the sale will detected as reserved keyword. Now my current code only detect single keyword only.

    Read the article

  • PHP with SQL Injection

    - by Scott S
    For our first assignment in a System Security class, we have to hack into the professors "cheaply organized" sql database. I know the only user is "admin" and the select statement generated in the php is: select user_id from user where user_username = 'admin' AND user_password = md5('noob') I am having a number of problems attempting to bypass the password part of this statement as the professor has some javascript embedded in the page to sanitize the username and password of any non-alphanumeric values. This can be bypassed by turning off javascript :P but any values sent still get cleaned by the operating system (some build of Debian 32-bit). I've seen the code for the login request and it does not escape any characters. How do I bypass the operating systems escape sequences?

    Read the article

  • how can I split up this string

    - by lacrosse1991
    I am currently trying to sanitize some log files so they are in an easier format to read, and have been trying to use the gnu cut command, which works fairly well, although I cannot really think of a good way to remove the [INFO] part of the string logs/logs/server_1283258036.log:2010-08-31 23:06:51 [INFO] <NateMar> where?! logs/logs/server_1281904775.log:2010-08-15 22:59:53 [INFO] <BoonTheMoon> §b<BoonTheMoon>§ohhhhhh I would ultimately want to get the strings down to something that resembles the following 2010-08-31 23:06:51 <NateMar> where?! 2010-08-15 22:59:53 <BoonTheMoon> ohhhhhh how should I go about doing this? Have thought about using awk, although Im having a difficult time getting a grip on how that would work, so not sure how to set up something to do that, any help would be greatly appreciated, thanks!

    Read the article

  • Python: replace urls with title names from a string

    - by Hellnar
    Hello I would like to remove urls from a string replace them with their titles of the original contents. For example: mystring = "Ah I like this site: http://www.stackoverflow.com. Also I must say I like http://www.digg.com" sanitize(mystring) # it becomes "Ah I like this site: Stack Overflow. Also I must say I like Digg - The Latest News Headlines, Videos and Images" For replacing url to the title, I have written this snipplet: #get_title: string -> string def get_title(url): """Returns the title of the input URL""" output = BeautifulSoup.BeautifulSoup(urllib.urlopen(url)) return output.title.string

    Read the article

  • Is there any injection vunerability in the body of an email?

    - by Brett
    Hey guys..... AFAIK there is only a vulnerability within the HEADERS of an email when using user data correct? I am using the below function to sanitize my data, however I have some textarea fields on the page & hence these may contain linebreaks.. so was wondering if that user data is only going to be put in the body of the email, can it not bother with being sanitized - apart from stripping html of course? Here is the function: function is_injected($str) { $injections = array('(\n+)', '(\r+)', '(\t+)', '(%0A+)', '(%0D+)', '(%08+)', '(%09+)' ); $inject = join('|', $injections); $inject = "/$inject/i"; if (preg_match($inject,$str)) { return true; } else { return false; } } As a side note, surprised there wasn't currently a tag for mail-injection / email-injection. Thanks!

    Read the article

  • What is the Sql Server equivalent for Oracle's DBMS_ASSERT?

    - by dotNetYum
    DBMS_ASSERT is one of the keys to prevent SQL injection attacks in Oracle. I tried a cursory search...is there any SQL Server 2005/2008 equivalent for this functionality? I am looking for a specific implementation that has a counterpart of all the respective Oracle package members of DBMS_ASSERT. NOOP SIMPLE_SQL_NAME QUALIFIED_SQL_NAME SCHEMA_NAME I know the best-practices of preventing injection...bind variables...being one of them. But,in this question I am specifically looking for a good way to sanitize input...in scenarios where bind-variables were not used. Do you have any specific implemetations? Is there a library that actually is a SQL Server Port of the Oracle package?

    Read the article

  • Input Sanitation Best Practices

    - by Adam Driscoll
    Our team has recently been working on a logic and data layer for our database. We were not approved to utilize Entity or Linq to SQL for the data layer. It was primarily built by hand. A lot of the SQL is auto generated. An obvious down fall of this is the need to sanitize inputs prior to retrieval and insertion. What are the best methods for doing this? Searching for terms like insert, delete, etc seems like a poor way to accomplish this. Is there a better alternative?

    Read the article

  • Username correct, password incorrect?

    - by jonnnnnnnnnie
    In a login system, how can you tell if the user has entered the password incorrectly? Do you perform two SQL queries, one to find the username, and then one to find the username and matching (salted+hashed etc) password? I'm asking this because If the user entered the password incorrectly, I want to update the failed_login_attempts column I have. If you perform two queries wouldn't that increase overhead? If you did a query like this, how would you tell if the password entered was correct or not, or whether the username doesn't exist: SELECT * FROM author WHERE username = '$username' AND password = '$password' LIMIT 1 ( ^ NB: I'm keeping it simple, will use hash and salt, and will sanitize input in real one.) Something like this: $user = perform_Query() // get username and password? if ($user['username'] == $username && $user['password'] == $password) { return $user; } elseif($user['username'] == $username && $user['password'] !== $password) { // here the password doesn't match // update failed_login_attemps += 1 }

    Read the article

  • CSS and JQuery: spaces inside image name break code of url()

    - by Shyam
    Hi, I have a page that is supposed to display a larger version of an image when hovered over a thumbnail. I have a 'div' with an ID and the JQuery code is as following: $(document).ready(function(){ $('img').hover(function() { var src = $("#im" + this.id).attr("src"); $('#viewlarge').css('backgroundImage','url(' + src +')'); return false; }); }); The images I use, are generated by a Ruby script that "generate" an image with a similar, yet different id. However, sometimes, photo's are uploaded that have "spaces" inside. My developer tools tell me that the background-image is not set correctly, yet the image path is correct and the browser don't have problems finding the image. My question is, can I somehow sanitize the url 'src', so spaces won't be a problem? I am aware of doing this server side, yet I would like to know how to do this with JQuery/JS too. Thanks!

    Read the article

  • printf("... %c ...",'\0') and family - what will happen?

    - by SF.
    How will various functions that take printf format string behave upon encountering the %c format given value of \0/NULL? How should they behave? Is it safe? Is it defined? Is it compiler-specific? e.g. sprintf() - will it crop the result string at the NULL? What length will it return? Will printf() output the whole format string or just up to the new NULL? Will va_args + vsprintf/vprintf be affected somehow? If so, how? Do I risk memory leaks or other problems if I e.g. shoot this NULL at a point in std::string.c_str()? What are the best ways to avoid this caveat (sanitize input?)

    Read the article

  • BAM design pointers

    - by Kavitha Srinivasan
    In working recently with a large Oracle customer on SOA and BAM, I discovered that some BAM best practices are not quite well known as I had always assumed ! There is a doc bug out to formally incorporate those learnings but here are a few notes..  EMS-DO parity When using EMS (Enterprise Message Source) as a BAM feed, the best practice is to use one EMS to write to one Data Object. There is a possibility of collisions and duplicates when multiple EMS write to the same row of a DO at the same time. This customer had 17 EMS writing to one DO at the same time. Every sensor in their BPEL process writes to one topic but the Topic was read by 1 EMS corresponding to one sensor. They then used XSL within BAM to transform the payload into the BAM DO format. And hence for a given BPEL instance, 17 sensors fired, populated 1 JMS topic, was consumed by 17 EMS which in turn wrote to 1 DataObject.(You can image what would happen for later versions of the application that needs to send more information to BAM !).  We modified their design to use one Master XSL based on sensorname for all sensors relating to a DO- say Data Object 'Orders' and were able to thus reduce the 17 EMS to 1 with a master XSL. For those of you wondering about how squeaky clean this design is, you are right ! This is indeed not squeaky clean and that brings us to yet another 'inferred' best practice. (I try very hard not to state the obvious in my blogs with the hope that everytime I blog, it is very useful but this one is an exception.) Transformations and Calculations It is optimal to do transformations within an engine like BPEL. Not only does this provide modelling ease with a nice GUI XSL mapper in JDeveloper, the XSL engine in BPEL is quite efficient at runtime as well. And so, doing XSL transformations in BAM is not quite prudent.  The same is true for any non-trivial calculations as well. It is best to do all transformations,calcuations and sanitize the data in a BPEL or like layer and then send this to BAM (via JMS, WS etc.) This then delegates simply the function of report rendering and mechanics of real-time reporting to the Oracle BAM reporting tool which it is most suited to do. All nulls are not created equal Here is yet another possibly known fact but reiterated here. For an EMS with an Upsert operation: a) If Empty tags or tags with no value are sent like <Tag1/> or <Tag1></Tag1>, the DO will be overwritten with --null-- b) If Empty tags are suppressed ie not generated at all, the corresponding DO field will NOT be overwritten. The field will have whatever value existed previously.  For an EMS with an Insert operation, both tags with an empty value and no tags result in –null-- being written to the DO. Hope this helps .. Happy 4th!

    Read the article

< Previous Page | 1 2 3 4 5 6  | Next Page >