Search Results

Search found 38 results on 2 pages for 'sanitization'.

Page 1/2 | 1 2  | Next Page >

  • Skip sanitization for videos in html5lib

    - by pug
    I am using a wmd-editor in django, much like this one in which I am typing. I would like to allow the users to embed videos in it. For that I am using the Markdown video extension here. The problem is that I am also sanitizing user input using html5lib sanitization and it doesn't allow object tags which are required to embed the videos. One solution could be to check the input for urls of well-known video sites and skip the sanitization in those cases. Is there a better solution?

    Read the article

  • Is there a PHP library that performs MySQL Data Validation and Sanitization According to Column Type

    - by JW
    Do you know of any open source library or framework that can perform some basic validation and escaping functionality for a MySQL Db. i envisage something along the lines of: //give it something to perform the quote() quoteInto() methods $lib->setSanitizor($MyZend_DBAdaptor); //tell it structure of the table - colnames/coltypes/ etc $lib->setTableDescription($tableDescArray); //use it to validate and escape according to coltype foreach ($prospectiveData as $colName => $rawValue) if ( $lib->isValid($colName, $rawValue)) { //add it to the set clause $setValuesArray[$lib->escapeIdentifier($colName);] = $lib->getEscapedValue($colName,$rawValue); } else { throw new Exception($colName->getErrorMessage()); } etc... I have looked into - Zend_Db_Table (which knows about a table's description), and - Zend_Db_Adaptor (which knows how to escape/sanitize values depending on TYPE) but they do not automatically do any clever stuff during updates/inserts Anyone know of a good PHP library to preform this kind of validation that I could use rather than writing my own? i envisage alot of this kind of stuff: ... elseif (eregi('^INT|^INTEGER',$dataset_element_arr[col_type])) { $datatype='int'; if (eregi('unsigned',$dataset_element_arr[col_type])) { $int_max_val=4294967296; $int_min_val=0; } else { $int_max_val=2147483647; $int_min_val=-2147483648; } } (p.s I know eregi is deprecated - its just an example of laborious code)

    Read the article

  • PHP preg_replace() pattern, string sanitization.

    - by Otar
    I have a regex email pattern and would like to strip all but pattern-matched characters from the string, in a short I want to sanitize string... I'm not a regex guru, so what I'm missing in regex? <?php $pattern = "/^([\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+\.)*[\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+@((((([a-z0-9]{1}[a-z0-9\-]{0,62}[a-z0-9]{1})|[a-z])\.)+[a-z]{2,6})|(\d{1,3}\.){3}\d{1,3}(\:\d{1,5})?)$/i"; $email = 'contact<>@domain.com'; // wrong email $sanitized_email = preg_replace($pattern, NULL, $email); echo $sanitized_email; // Should be [email protected] ?> Pattern taken from: http://fightingforalostcause.net/misc/2006/compare-email-regex.php (the very first one...)

    Read the article

  • Is preg_match safe enaught in input satinization?

    - by DaNieL
    Im building a new web-app, LAMP environment... im wondering if preg_match can be trusted for user's input validation (+ prepared stmt, of course) for all the text-based fields (aka not html fields; phone, name, surname, etc..). For example, for a classic 'email field', if i check the input like: $email_pattern = "/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)" . "|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}" . "|[0-9]{1,3})(\]?)$/"; $email = $_POST['email']; if(preg_match($email_pattern, $email)){ //go on, prepare stmt, execute, etc... }else{ //email not valid! do nothing except warn the user } can i sleep easy against the sql/xxs injection? I write the regexp to be the more restrictive as they can.

    Read the article

  • Explanation of this SQL sanitization code

    - by Derek
    I got this from for a login form tutorial: function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } Could some one explain exactly what this does? I know that the 'clean' var is called up afterwards to sanitize the fields; I.e. $email = clean($_POST['email']);

    Read the article

  • Are these two functions overkill for sanitization?

    - by jpjp
    function sanitizeString($var) { $var = stripslashes($var); $var = htmlentities($var); $var = strip_tags($var); return $var; } function sanitizeMySQL($var) { $var = mysql_real_escape_string($var); $var = sanitizeString($var); return $var; } I got these two functions from a book and the author says that by using these two, I can be extra safe against XSS(the first function) and sql injections(2nd func). Are all those necessary? Also for sanitizing, I use prepared statements to prevent sql injections. I would use it like this: $variable = sanitizeString($_POST['user_input']); $variable = sanitizeMySQL($_POST['user_input']);

    Read the article

  • Redaction in AutoVue

    - by [email protected]
    As the trend to digitize all paper assets continues, so does the push to digitize all the processes around these assets. One such process is redaction - removing sensitive or classified information from documents. While for some this may conjure up thoughts of old CIA documents filled with nothing but blacked out pages, there are actually many uses for redaction today beyond military and government. Many companies have a need to remove names, phone numbers, social security numbers, credit card numbers, etc. from documents that are being scanned in and/or released to the public or less privileged users - insurance companies, banks and legal firms are a few examples. The process of digital redaction actually isn't that far from the old paper method: Step 1. Find a folder with a big red stamp on it labeled "TOP SECRET" Step 2. Make a copy of that document, since some folks still need to access the original contents Step 3. Black out the text or pages you want to hide Step 4. Release or distribute this new 'redacted' copy So where does a solution like AutoVue come in? Well, we've really been doing all of these things for years! 1. With AutoVue's VueLink integration and iSDK, we can integrate to virtually any content management system and view documents of almost any format with a single click. Finding the document and opening it in AutoVue: CHECK! 2. With AutoVue's markup capabilities, adding filled boxes (or other shapes) around certain text is a no-brainer. You can even leverage AutoVue's powerful APIs to automate the addition of markups over certain text or pre-defined regions using our APIs. Black out the text you want to hide: CHECK! 3. With AutoVue's conversion capabilities, you can 'burn-in' the comments into a new file, either as a TIFF, JPEG or PDF document. Burning-in the redactions avoids slip-ups like the recent (well-publicized) TSA one. Through our tight integrations, the newly created copies can be directly checked into the content management system with no manual intervention. Make a copy of that document: CHECK! 4. Again, leveraging AutoVue's integrations, we can now define rules in the system based on a user's privileges. An 'authorized' user wishing to view the document from the repository will get exactly that - no redactions. An 'unauthorized' user, when requesting to view that same document, can get redirected to open the redacted copy of the same document. Release or distribute the new 'redacted' copy: CHECK! See this movie (WMV format, 2mins, 20secs, no audio) for a quick illustration of AutoVue's redaction capabilities. It shows how redactions can be added based on text searches, manual input or pre-defined templates/regions. Let us know what you think in the comments. And remember - this is all in our flagship AutoVue product - no additional software required!

    Read the article

  • [PHP] Sanitizing strings to make them URL and filename safe?

    - by Xeoncross
    I am trying to come up with a function that does a good job of sanitizing certain strings so that they are safe to use in the URL (like a post slug) and also safe to use as file names. For example, when someone uploads a file I want to make sure that I remove all dangerous characters from the name. So far I have come up with the following function which I hope solves this problem and also allows foreign UTF-8 data also. /** * Convert a string to the file/URL safe "slug" form * * @param string $string the string to clean * @param bool $is_filename TRUE will allow additional filename characters * @return string */ function sanitize($string = '', $is_filename = FALSE) { // Replace all weird characters with dashes preg_replace('/[^\w\-'. ($is_filename ? '*~_\.' : ''). ']+/u', '-', $string); // Only allow one dash separator at a time (and make string lowercase) return mb_strtolower(preg_replace('/--+/u', '-', $string), 'UTF-8'); } Does anyone have any tricky sample data I can run against this - or know of a better way to safeguard our apps from bad names?

    Read the article

  • Preventing LDAP injection

    - by Matias
    I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After woking a while on that I noticed that the user could be able to alter the LDAP query by injecting malicious code. I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc. I thought that escaping equals and semicolons would be enough, but not sure. Here is a little piece of code so I can make clearer the question: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); Obviously I do need to sanitize $userName, as stated in this OWASP ARTICLE

    Read the article

  • How do I sanitize LaTeX input?

    - by Conley Owens
    I'd like to take user input (sometimes this will be large paragraphs) and generate a LaTeX document. I'm considering a couple of simple regular expressions that replaces all instances of "\" with "\textbackslash " and all instances of "{" or "}" with "\}" or "\{". I doubt this is sufficient. What else do I need to do? Note: In case there is a special library made for this, I'm using python.

    Read the article

  • Sanitizing input for display in view when using simple_format

    - by Eric
    Hi, I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods. What I am now doing is: simple_format(santize(auto_link(comment.text))) Is this the right way to do this, and is it still safe from XSS attacks? Thanks! Eric

    Read the article

  • Cleaning all inline events from HTML tags

    - by Itay Moav
    For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc). I am thinking, isn't it enough to encode the following chars? =,(,) So onclick="location.href='ggg.com'" will become onclick%3D"location.href%3D'ggg.com'" What am I missing here? Edit: I do need to accept active HTML (I can't escape it all or entities is it).

    Read the article

  • Correct sequence of actions when using Markdown & MySQL?

    - by Andrew Heath
    I want my users to be able to write an article in Markdown, have it stored in the MySQL database (with the option to edit it in the future), and displayed for other users. In practice, this is my understanding of how it works: INPUT user input via HTML form using Markdown syntax $queryInput = mysql_real_escape_string($userInput); insert sanitized string into database OUTPUT query field from database $output = Markdown($queryResult); display $output Is that it? Does PHP Markdown preclude the need for htmlspecialchars or Pure HTML ? Thanks!

    Read the article

  • PHP / MYSQL: Sanitizing user input - is this a bad idea?

    - by Greg
    I have one "go" script that fetches any other script requested and this is what I wrote to sanitize user input: foreach ($_REQUEST as $key => $value){ if (get_magic_quotes_gpc()) $_REQUEST[$key] = mysql_real_escape_string(stripslashes($value)); else $_REQUEST[$key] = mysql_real_escape_string($value); } I haven't seen anyone else use this approach. Is there any reason not to? EDIT - amended for to work for arrays: function mysql_escape($thing) { if (is_array($thing)) { $escaped = array(); foreach ($thing as $key => $value) { $escaped[$key] = mysql_escape($value); } return $escaped; } // else if (get_magic_quotes_gpc()) $thing = stripslashes($thing); return mysql_real_escape_string($thing); } foreach ($_REQUEST as $key => $value){ $_REQUEST[$key] = mysql_escape($value); }

    Read the article

  • PHP HTML sanitizer

    - by Mark Blades
    Hi, I'm wondering if anybody has used this class and found it to be reliable? http://www.phpclasses.org/package/3746-PHP-Remove-unsafe-tags-and-attributes-from-HTML-code.html Many thanks!

    Read the article

  • Serializing array in PHP, preventing injection

    - by Cyclone
    I'm writing a PHP script which uses serialized arrays to store data. How can I prevent injection in serialization? It would be very easy to name your account: something";s:6:"access";s:5:"admin"; for a simple example. The user could then add the rest of the needed parameters somehow. Would addslashes work for this? Does the php unserialize pick up on that as being an escaped character? If so, is it possible to apply addslashes to an entire array without iterating through? Thanks for the help!

    Read the article

  • PHP - HTML Purifier - hello w<o>rld/world tutorial striptags

    - by JW
    I am just looking into using HTML Purifier to ensure that a user-inputed string (that represents the name of a person) is sanitized. I do not want to allow any html tags, script, markup etc - I just want the alpha, numeric and normal punctuation characters. The sheer number of options available for HTML Purifier is daunting and, as far as i can see, the docs do not seem to have a beggining/middle or end see: http://htmlpurifier.org/docs Is there a simple hello world tutorial online that shows how to sanitize a string removing all the bad stuff out of it. I am also considering just using strip tags: http://php.net/manual/en/function.strip-tags.php or PHP's in built data sanitizing http://us.php.net/manual/en/book.filter.php

    Read the article

  • display HTML content from database with formatting in it

    - by Gaurav Sharma
    Hi all, I have used wmd-editor in my cakephp v1.3 application. The config which I have written is as follows: wmd_options = { output: "HTML", lineLength: 40, buttons: "bold italic | link blockquote code image | ol ul heading hr", autostart: true }; When I submit the form the HTML in the wmd enabled textarea is saved in the database with htmlentities() done to the text then I am displaying it with html_entity_decode() method. but the text is displayed as it is including the HTML coding like this <p><strong>hello dear friends</strong></p>\n\n<pre><code>I want to make sure that everything that you type is visible clearly.\nadasfafas\n</code></pre>\n\n<blockquote>\n <p>sadgsagasdgxcbxcbxc</p>\n</blockquote>\n\n<p><em>sadfgsgasdsgasgs</em></p>\n\n<p><b><a href="http://kumu.in">this is the link</a></b></p> Please help me solve this problem Thanks

    Read the article

  • Displaying untrusted HTML using PHP

    - by esryl
    I have a read a number of excellent questions and answers today about dealing with user input. I am now using htmlspecialchars() to display user data in the create/edit forms (but accepting the raw input via prepared PDO statements into my database). The main question I know have is, what do you do when you are allowing the user to submit HTML which will then be displayed to the public. Obviously htmlspecialchars() is no longer suitable as it just encodes the tags and renders the content useless for purpose. My application is currently accepting HTML from an admin for product descriptions. This would allow a malicious admin to inject potentially unsafe data into public facing pages. How do people cope with this?

    Read the article

  • Ruby on Rails solution for scrubbing data of WYSIWYG editor user input

    - by Jimmy
    Hey everyone, I am working on a simple blogging type ruby on rails application and I have everything working through tinyMCE for a nice WYSIWYG editor so the user can add some simple things like images/youtube videos and lists. What I am looking for is a nice solution for blacklisting certain elements to be filtered out of the data when it is displayed. So is there a solution for this available as a gem or available to download anywhere? Thanks!

    Read the article

  • Sanitizing MySQL user parameters.

    - by Tom
    What are the dangerous characters that should be replaced in user input when the users' input will be inserted in a MySQL query? I know about quotes, double quotes, \r and \n. Are there others?(I don't have the option of using a smart connector that accepts parameters so I have to build the query myself and this will be implemented in multiple programming languages, including some obscure ones so solutions such as mysql_real_escape_string in PHP are not valid)

    Read the article

  • php Form to Email sanitizing

    - by Jacob
    Hi, im using the following to send a contact us type form, iv looked into security and only found that you need to protect the From: bit of the mail function, as ive hardcoded this does that mean the script is spamproof / un-hijackable $tenantname = $_POST['tenan']; $tenancyaddress = $_POST['tenancy']; $alternativename = $_POST['alternativ //and a few more //then striptags on each variable $to = "[email protected]"; $subject = "hardcoded subject here"; $message = "$tenantname etc rest of posted data"; $from = "[email protected]"; $headers = "From: $from"; mail($to,$subject,$message,$headers);

    Read the article

  • Regular Expression Sanitize (PHP)

    - by atif089
    Hello, I would like to sanitize a string in to a URL so this is what I basically need. Everything must be removed except alphanumeric characters and spaces and dashed. Spaces should be converter into dashes. Eg. This, is the URL! must return this-is-the-url Thanks

    Read the article

1 2  | Next Page >