[nycphp-talk] un-escape db content using php or ADOdb functions

Federico Ulfo rainelemental at gmail.com
Wed May 2 13:34:32 EDT 2012


All you want to escape for MySQL is ' and \.
In JavaScript you have to consider also the double quote " and the new line \n,
which is equivalent to using a semicolon ;
In HTML you want also to be secure from XSS, so you want to use
htmlspecialchars (as Rob said).

Anyway, I'm not sure I understood your problem, so I strongly recommend
deactivating GPC, which you can do from php.ini, or by stripslashing the
input variables:
http://php.net/manual/en/security.magicquotes.disabling.php

Instead, if your content is already escaped and your problem is to
un-escape it, try to understand how it is escaped, then str_replace or
preg_replace will do the job!


And yes, they are workarounds :)


On Wed, May 2, 2012 at 1:26 PM, Rob Marscher <rmarscher at beaffinitive.com> wrote:

>
> On May 2, 2012, at 1:08 PM, Eugenio Tacchini wrote:
> > Now, I'm wondering if the DB specific escape functions really give
> > additional values respect to addslashes.
>
> Chris Shiflett's article from 2006 had the best argument I've seen on why
> addslashes is not enough to secure your code.
>
> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
>
> Keep a copy of your unescaped data.  Escape it for inserting into the
> database.  Then take the original unescaped data and do what else you need
> with it.  If you're outputting to html, you need to run something like the
> following on each variable you output:
>
> echo htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8');
>
>
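As an added example (not code from either poster), here is the approach Rob and Federico describe put together in PHP: undo magic_quotes_gpc once at the edge, keep the raw value, and escape it separately for each output context. The `$pdo` connection, the `comments` table and the sample input string are assumptions for the demo.

```php
<?php
// Added example: raw input kept once, encoded per context at output time.

// Recursively strip the slashes magic_quotes_gpc added (same idea as the
// recipe on the php.net page linked above); no-op on PHP builds without GPC.
function strip_magic_quotes($value)
{
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Constructed input: the kind of value a user could type into a comment field.
$raw = "O'Reilly said: \"hi\" <b>bold</b> \\ and\nnewline";

// SQL: a prepared statement sends the value apart from the query text, so the
// value itself is never escaped or unescaped (assumes a PDO connection $pdo).
function save_comment(PDO $pdo, $raw)
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute(array(':body' => $raw));
}

// HTML text or attribute: encode <, >, &, " and ' (Rob's one-liner).
function to_html($raw)
{
    return htmlspecialchars((string) $raw, ENT_QUOTES, 'UTF-8');
}

// JavaScript string literal: json_encode handles quotes, backslashes and
// newlines; the HEX flags also neutralise <, >, & and quotes so the literal
// cannot break out of an inline <script> block.
function to_js($raw)
{
    return json_encode((string) $raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// The same raw value, rendered safely in two different contexts.
echo '<p>' . to_html($raw) . "</p>\n";
echo '<script>var comment = ' . to_js($raw) . ";</script>\n";
```

Note that `get_magic_quotes_gpc()` only matters on PHP 5.3 and earlier; magic quotes were removed in 5.4, which is why the call is guarded with `function_exists`.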