[nycphp-talk] Injection Attack, any ideas?
Ben Sgro (ProjectSkyLine)
ben at projectskyline.com
Tue Nov 13 08:35:45 EST 2007
----- Original Message -----
From: "Rob Marscher" <rmarscher at beaffinitive.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Monday, November 12, 2007 4:26 PM
Subject: Re: [nycphp-talk] Injection Attack, any ideas?
> On Nov 12, 2007, at 1:25 PM, Dan Cech wrote:
>> The fact that your example demonstrates the proper approach (using html
>> escaping to display the user data) rather than 'scrubbing and cleaning'
>> the input makes this advice even more confusing.
>
> If you need to allow user input of html, HTMLPurifier is pretty nice
> to get rid of the possible XSS attack - http://htmlpurifier.org/
>
> But it's expensive to escape it every time someone views the page.
> Therefore, it's recommended to filter it on input but store the
> filtered version in a separate column in the database from the input
> directly from the user (in case the filter causes unexpected data loss
> from malformed html).
>
I do this before I store user form data in the database.
I first run HTMLPurifier, then validate against a type and size,
then store in the db. Works great, not too much time wasted
developing yet another class.
- Ben
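The pipeline Rob and Ben describe, as an added example that is not code from the thread or from the HTMLPurifier project: purify on input with an element whitelist, validate type and size, then store the raw and purified copies in separate columns through a prepared statement (the SQL half of the "injection" subject line). The `comments` table, its columns, the PDO DSN and the `HTMLPurifier.auto.php` include path are assumptions; the sample POST data is constructed.

```php
<?php
// Added example, not part of the original post. Assumes HTMLPurifier is
// installed (HTMLPurifier.auto.php on the include path) and a table
// comments(id, author, body_raw, body_clean, created_at) exists.
require_once 'HTMLPurifier.auto.php';

function make_purifier() {
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist: only these elements/attributes survive. script tags,
    // on* handlers and javascript: URLs are stripped or rewritten.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href],ul,ol,li,blockquote');
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
    $config->set('AutoFormat.RemoveEmpty', true);
    return new HTMLPurifier($config);
}

// Plain-text field: must be a non-empty string of at most $max bytes.
// Returns the trimmed value, or null if validation fails.
function validate_text($value, $max) {
    if (!is_string($value)) return null;
    $value = trim($value);
    if ($value === '' || strlen($value) > $max) return null;
    return $value;
}

// HTML field: size-check the raw input, purify, then size-check the output
// too, since purification can grow the markup. Returns array(raw, clean)
// or null if nothing meaningful survives filtering.
function validate_html(HTMLPurifier $purifier, $value, $max) {
    if (!is_string($value) || strlen($value) > $max) return null;
    $clean = $purifier->purify($value);
    if (trim(strip_tags($clean)) === '') return null;
    if (strlen($clean) > $max) return null;
    return array($value, $clean);
}

// Store both copies. Bound parameters keep user data out of the SQL text,
// so a quote in the comment body cannot alter the statement.
function store_comment(PDO $db, $author, $body_raw, $body_clean) {
    $stmt = $db->prepare(
        'INSERT INTO comments (author, body_raw, body_clean, created_at)
         VALUES (:author, :raw, :clean, NOW())'
    );
    $stmt->execute(array(
        ':author' => $author,
        ':raw'    => $body_raw,
        ':clean'  => $body_clean,
    ));
    return (int) $db->lastInsertId();
}

// Display: plain-text columns are escaped on output (Dan's point);
// body_clean was purified on input and is emitted as-is; body_raw is
// kept only for re-filtering later and is never sent to a browser.
function render_comment(array $row) {
    return '<div class="comment"><b>'
        . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8')
        . '</b>' . $row['body_clean'] . '</div>';
}

// --- Handling one submission (constructed sample in place of $_POST) ---
$input = array(
    'author' => 'mallory <script>alert(1)</script>',
    'body'   => '<p onmouseover="alert(1)">hi</p><script>steal()</script>'
              . '<a href="javascript:alert(1)">click</a>',
);

$purifier = make_purifier();
$author = validate_text($input['author'], 64);
$body   = validate_html($purifier, $input['body'], 20000);
if ($author === null || $body === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid input');
}
list($raw, $clean) = $body;

// Assumed DSN and credentials; replace with your own.
$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$id = store_comment($db, $author, $raw, $clean);
```

Keeping `body_raw` alongside `body_clean` is what makes the "filter on input" approach safe to change later: if the whitelist is loosened or a purifier bug is fixed, the clean column can be regenerated from the raw one instead of from already-lossy output. The author field is deliberately not purified; it is plain text, so it is stored verbatim and escaped with `htmlspecialchars` at render time.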
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php