Search Results

Search found 128 results on 6 pages for 'sanitize'.

Page 1/6 | 1 2 3 4 5 6  | Next Page >

  • Best way to sanitize content with PHP?

    - by Jens Törnell
    Which is the best way to "sanitize" content? An example... Example - Before sanitize: Morbi mollis ante vitae massa suscipit a tempus est pellentesque. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Nulla mattis iaculis consectetur. Morbi mollis ante vitae est pellentesque. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Nulla mattis iaculis consectetur. Example - After sanitize: <p>Morbi mollis ante vitae massa suscipit a tempus est pellentesque. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Nulla mattis iaculis consectetur.</p> <p>Morbi mollis ante vitae est pellentesque. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Nulla mattis iaculis consectetur.</p> What it should do It should add p-tags instead of line break like. It should remove empty space like tripple spaces It should remove double line breaks. It should remove tabs. It should remove line breaks and spaces before the content if any. It should remove line breaks and spaces after the content if any. Right know I use the str_replace function and it should be a better solution for this? I want the function to look like this: function sanitize($content) { // Do the magic! return $content; }

    Read the article

  • How to sanitize sql fragment in Rails

    - by dimus
    I have to sanitize a part of sql query. I can do something like this: class << ActiveRecord::Base public :sanitize_sql end str = ActiveRecord::Base.sanitize_sql(["AND column1 = ?", "two's"], '') But it is not safe because I expose protected method. What is a better way to do it?

    Read the article

  • How good is the Rails sanitize() method?

    - by Horace Loeb
    Can I use ActionView::Helpers::SanitizeHelper#sanitize on user-entered text that I plan on showing to other users? E.g., will it properly handle all cases described on this site? Also, the documentation mentions: Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ’<’, ’’, ’&’ characters and confuse browsers. What's the best way to handle this? Pass the sanitized text through Hpricot before displaying?

    Read the article

  • Sanitize GET query with Apache

    - by Freelancer
    Hello everyone, I see there's a lot of talk here about how to go about sanitizing data. Could it be as simple as adding this rewrite rule to .htaccess? RewriteRule ^([\w\-]+)$ index.php?page=$1 To my understanding this will allow only letters, numbers, _ and - in $1, am I right? If you add to this usage of prepared statements for SQL queries, it should be pretty proof, is that right? Somehow feels like too easy to be true, am I missing something, any ways to firm it up?

    Read the article

  • NameError: uninitialized constant Nokogiri::HTML::DocumentFragment

    - by Mike Sutton
    About three hours ago I started seeing the above error in my production server. It comes from a call to the sanitize gem: vendor/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:276:in 'load_missing_constant' vendor/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:468:in `const_missing' vendor/gems/sanitize-1.2.0/lib/sanitize.rb:91:in `clean!' vendor/gems/sanitize-1.2.0/lib/sanitize.rb:84:in `clean' vendor/gems/sanitize-1.2.0/lib/sanitize.rb:49:in `clean' app/helpers/application_helper.rb:28:in `display_none' app/views/main/_blogs.html.erb:13:in `_run_erb_47app47views47main47_blogs46html46erb' The error only occurs on the production server (linux), not my development machine (windows) I tried rolling back my latest deployment but it didn't fix it. I've updated to sanitize 1.2.0 (which was the latest version brought down by gem update sanitize, though I note my host is running 1.3.6. Can anyone provide any clues to help fix this?

    Read the article

  • Ruby on Rails: How to sanitize a string for SQL when not using find?

    - by williamjones
    I'm trying to sanitize a string that involves user input without having to resort to manually crafting my own possibly buggy regex if possible, however, if that is the only way I would also appreciate if anyone can point me in the right direction to a regex that is unlikely to be missing anything. There are a number of methods in Rails that can allow you to enter in native SQL commands, how do people escape user input for those? The question I'm asking is a broad one, but in my particular case, I'm working with a column in my Postgres database that Rails does not natively understand as far as I know, the tsvector, which holds plain text search information. Rails is able to write and read from it as if it's a string, however, unlike a string, it doesn't seem to be automatically escaping it when I do things like vector= inside the model. For example, when I do model.name='::', where name is a string, it works fine. When I do model.vector='::' it errors out: ActiveRecord::StatementInvalid: PGError: ERROR: syntax error in tsvector: "::" "vectors" = E'::' WHERE "id" = 1 This seems to be a problem caused by lack of escaping of the semicolons, and I can manually set the vector='\:\:' fine. I also had the bright idea, maybe I can just call something like: ActiveRecord::Base.connection.execute "UPDATE medias SET vectors = ? WHERE id = 1", "::" However, this syntax doesn't work, because the raw SQL commands don't have access to find's method of escaping and inputting strings by using the ? mark. This strikes me as the same problem as calling connection.execute with any type of user input, as it all boils down to sanitizing the strings, but I can't seem to find any way to manually call Rails' SQL string sanitization methods. Can anyone provide any advice?

    Read the article

  • Ruby on Rails: How to sanitize a string for SQL when not using find and other built-in methods?

    - by williamjones
    I'm trying to sanitize a string that involves user input without having to resort to manually crafting my own possibly buggy regex if possible. There are a number of methods in Rails that can allow you to enter in native SQL commands, how do people escape user input for those? The question I'm asking is a broad one, but in my particular case, I'm working with a column in my Postgres database that Rails does not natively understand as far as I know, the tsvector, which holds plain text search information. Rails is able to write and read from it as if it's a string, however, unlike a string, it doesn't seem to be automatically escaping it when I do things like vector= inside the model. For example, when I do model.name='::', where name is a string, it works fine. When I do model.vector='::' it errors out: ActiveRecord::StatementInvalid: PGError: ERROR: syntax error in tsvector: "::" "vectors" = E'::' WHERE "id" = 1 This seems to be a problem caused by lack of escaping of the semicolons, and I can manually set the vector='\:\:' fine. I also had the bright idea, maybe I can just call something like: ActiveRecord::Base.connection.execute "UPDATE medias SET vectors = ? WHERE id = 1", "::" However, this syntax doesn't work, because the raw SQL commands don't have access to find's method of escaping and inputting strings by using the ? mark. This strikes me as the same problem as calling connection.execute with any type of user input, as it all boils down to sanitizing the strings, but I can't seem to find any way to manually call Rails' SQL string sanitization methods. Can anyone provide any advice?

    Read the article

  • How do I sanitize a string in PHP that contains "; Echo"? (I have a solid reason)

    - by user337878
    I turned this case into a simple PHP page that submits to itself. My issue is that I am submitting track meet results and one of the girl's names is Echo...a lovely name. The problem text I'm submitting is: Pole vault - Rachel Simons, Tow, 8-6; Echo Wilson, Cit, 8-0; Molly Randall, Tow, 7-0; So you see a semicolon followed by white space followed by Echo... After submitting, it says: POST to /results/test.php not supported The end goal is to save it to a database along with some other info and have a search page to find it and simply print out the full result on the screen. I stripped out all my database stuff to get it down to this one error. I mean, I can intentionally mis-spell her name, but there's gotta be a way around this, right??? Here's the test PHP file. <html> <head> <title>title</title> </head> <body> <?php echo "<h3>Edit meet info below</h3>"; echo "<form action=\"test.php\" method=\"post\" id=\"submitForm\">"; echo "Full Results:<br/><textarea NAME=\"results\" id=\"results\" rows=\"20\" cols=\"80\" MAXLENGTH=\"8191\"></textarea><br/><br/>"; echo "<input type=\"submit\" name=\"submitMeet\" value=\"Submit\">"; echo "</form>"; ?> </body> </html>

    Read the article

  • How to sanitize grape params

    - by Boti
    I want to mass update attributes of an entity. How can I sanitize properly the params which is coming from grape? This is my console log about the parameters: params.except(:route_info, :token, :id) => {"display_number"=>"7"} [18] pry(#<Grape::Endpoint>)> params.permit(:display_number) ArgumentError: wrong number of arguments (2 for 0..1) from /Users/boti/.rvm/gems/ruby-2.0.0-p353@thelocker/gems/hashie-2.0.5/lib/hashie/mash.rb:207:in `default' [19] pry(#<Grape::Endpoint>)> params.sanitize => nil

    Read the article

  • PHP sandbox/sanitize code passed to create_function

    - by kpowerinfinity
    Hello, I am using create_function to run some user-code at server end. I am looking for any of these two: Is there a way to sanitize the code passed to it to prevent something harmful from executing? Alternately, is there a way to specify this code to be run in a sandboxed environment so that the user can't play around with anything else. Thanks!

    Read the article

  • jQuery catch paste input

    - by Christoffer Winterkvist
    I'm looking for a way to sanitize input that I paste into the browser, is this possible to do with jQuery? I've managed to come up with this so far: $(this).live(pasteEventName, function(e) { // this is where i would like to sanitize my input return false; } Unfortunately my development has come to a screeching hold because of this "minor" issue. I would really make me a happy camper if someone could point me to the right direction. Thanks in advance.

    Read the article

  • Regular Expression Sanitize (PHP)

    - by atif089
    Hello, I would like to sanitize a string in to a URL so this is what I basically need. Everything must be removed except alphanumeric characters and spaces and dashed. Spaces should be converter into dashes. Eg. This, is the URL! must return this-is-the-url Thanks

    Read the article

  • Should I sanitize EVERY form variable passed along?

    - by Camran
    I have a form with many fields... The action is set to a php page which queries mysql... Should I sanitize with mysql_real_escape_string every single variable? Or can I ignore sanitizing drop-lists and radios for instance? Also, besides mysql_real_escape_string, what else should I do to prevent attacks? Thanks

    Read the article

  • Sanitize Content: removing markup from Amazon's content

    - by StackOverflowNewbie
    I'm using Amazon Web Service to get product descriptions of various items. The problem is that Amazon's content contains mark up that is sometimes destructive to the layout of my web page (e.g. unclosed DIVs, etc.). I want to sanitize the content I get from Amazon. My solution would be to do the following (my initial list so far): Remove unnecessary tags such as div, span, etc. while keeping tags like p, ul, ol, etc. Remove all attributes from all the tags (e.g. seems like there are style attributes in some of the tags) Remove excess white space (e.g. multiple spaces, carriage returns, new lines, tabs, etc.) Etc. Before I go off trying to build my solution, I'm wondering if anyone has a better idea (or an already existing solution). Thanks.

    Read the article

  • Sanitize a string from ascii art

    - by Toto
    I need to sanitize article titles when (creative) users try to "attract attention" with some bad "ascii art". Exemples: Buy my product !!!!!!!!!!!!!!!!!!!!!!!! Buy my product !? !? !? !? !? !? Buy my product !!!!!!!!!.......!!!!!!!! Buy my product <----------- Some acceptable solution would be to reduce the repetition of non-alphanum to 2. So I would get: Buy my product !! Buy my product !? !? Buy my product !!..!! Buy my product <-- This solution did not work that well: preg_replace('/(\W{2,})(?=\1+)/', '', $title) Any idea how to do it in PHP with regex? Other better solution is also welcomed (I cannot strip all the non-alphanum characters as they can make sense).

    Read the article

  • Sanitize a string with non-alphanum repetition

    - by Toto
    I need to sanitize article titles when (creative) users try to "attract attention" with some non-alphanum repetition. Exemples: Buy my product !!!!!!!!!!!!!!!!!!!!!!!! Buy my product !? !? !? !? !? !? Buy my product !!!!!!!!!.......!!!!!!!! Buy my product <----------- Some acceptable solution would be to reduce the repetition of non-alphanum to 2. So I would get: Buy my product !! Buy my product !? !? Buy my product !!..!! Buy my product <-- This solution did not work that well: preg_replace('/(\W{2,})(?=\1+)/', '', $title) Any idea how to do it in PHP with regex? Other better solution is also welcomed (I cannot strip all the non-alphanum characters as they can make sense). Edit: the objective is only to avoid most common issues. The other creative cases will be sanitized manually or sanitized with an other regex.

    Read the article

  • Best Practices for Sanitizing SQL inputs Using JavaScript?

    - by Greg Bulmash
    So, with HTML5 giving us local SQL databases on the client side, if you want to write a select or insert, you no longer have the ability to sanitize third party input by saying $buddski = mysql_real_escape_string($tuddski) because the PHP parser and MySQL bridge are far away. It's a whole new world of SQLite where you compose your queries and parse your results with JavaScript. But while you may not have your whole site's database go down, the user who gets his/her database corrupted or wiped due to a malicious injection attack is going to be rather upset. So, what's the best way, in pure JavaScript, to escape/sanitize your inputs so they will not wreak havoc with your user's built-in database? Scriptlets? specifications? Anyone?

    Read the article

  • safely encode and pass a string from a html link to PHP program

    - by bert
    What series of steps would be reqired to safely encode and pass a string from a html href using javascript to construct the link to a php program. in javascript set up URL // encodes a URI component. path = "mypgm.php?from=" + encodeURIComponent(myvar) ; in php: // get passed variables $myvar = isset($_GET['myvar']) ? ($_GET['myvar']) : ''; // decode - (make the string readable) $myvar = (rawurldecode($myvar)); // converts characters to HTML entities (reduce risk of attack) $myvar = htmlentities($myvar); // maybe custom sanitize program as well? // see [http://stackoverflow.com/questions/2668854/php-sanitizing-strings-to-make-them-url-and-filename-safe][1] $myvar = sanitize($myvar);

    Read the article

  • Sanitizing user input that will later be e-mailed - what should I be worried about?

    - by Kevin Burke
    I'm interning for an NGO in India (Seva Mandir, http://sevamandir.org) and trying to fix their broken "subscribe to newsletter" box. Because the staff isn't very sophisticated and our web host isn't great, I decided to send the relevant data to the publications person via mail() instead of storing it in a MySQL database. I know that it's best to treat user input as malicious, and I've searched the SO forums for posts relevant to escaping user data for sending in a mail message. I know the data should be escaped; what should I be worried about and what's the best way to sanitize the input before emailing it? Form flow: 1. User enters email on homepage and clicks Submit 2. User enters name, address, more information on second page (bad usability, I know, but my boss asked me to) and clicks "Submit" 3. Collect the data via $_POST and email it to the publications editor (and possibly send a confirmation to the subscriber). I am going to sanitize the email in step 2 and the other data in step 3. I appreciate your help, Kevin

    Read the article

  • How do I sanitize LaTeX input?

    - by Conley Owens
    I'd like to take user input (sometimes this will be large paragraphs) and generate a LaTeX document. I'm considering a couple of simple regular expressions that replaces all instances of "\" with "\textbackslash " and all instances of "{" or "}" with "\}" or "\{". I doubt this is sufficient. What else do I need to do? Note: In case there is a special library made for this, I'm using python.

    Read the article

  • Spring - MVC - Sanitize URL before redisplaying to the user

    - by Raghav
    In my application , a HTTP GET request URL to the application with script tag is getting redisplayed as it is although it fails the authorization. Example: http://www.example.com/welcome<script>alert("hi")</script> The issue is sanitizing external input entered directly into address bar by modifying existing GET URL. Spring redisplays the submitted URL as it is. Though the script does not get executed in the browser(FF), is there anyway to strip the URL of these values before displaying it back to the user Reference: Spring MVC application filtering HTML in URL - Is this a security issue?

    Read the article

  • Sanitize json input to a java server

    - by morgancodes
    I'm using json to pass data between the browser and a java server. I'm using Json-lib to convert between java objects and json. I'd like to strip out susupicious looking stuff (i.e "doSomethingNasty().) from the user input while converting from json to java. I can imagine several points at which I could do this: I could examine the raw json string and strip out funny-looking stuff I could look for a way to intercept every json value on its way into the java object, and look for funny stuff there. I could traverse my new java objects immediately after reconstitution from json, look for any fields that are Strings, and stripp stuff out there. What's the best approach? Are there any technologies built for this this task that I tack tack on to what I have already?

    Read the article

1 2 3 4 5 6  | Next Page >