hrm.. it depends on a bunch of different things, including your db charset and the charset in your html.&nbsp; You can convert between them.. but why hack it when you can filter the data when it goes into the database?<br><br>Filter once, it's faster and consistent.<br>
<br><br>-- Elijah<br><br><div class="gmail_quote">On Fri, Nov 28, 2008 at 5:15 PM, Michele Waldman <span dir="ltr">&lt;<a href="mailto:mmwaldman@nyc.rr.com">mmwaldman@nyc.rr.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="blue" lang="EN-US">

<div>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">But if I replace ' with &amp;#39;,
there aren't two passes that need to be made.</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">Michele</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<div>

<div style="text-align: center;" align="center"><font size="3" face="Times New Roman"><span style="font-size: 12pt;">

<hr size="2" width="100%" align="center">

</span></font></div>

<p><b><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma;">
<a href="mailto:talk-bounces@lists.nyphp.org" target="_blank">talk-bounces@lists.nyphp.org</a> [mailto:<a href="mailto:talk-bounces@lists.nyphp.org" target="_blank">talk-bounces@lists.nyphp.org</a>] <b><span style="font-weight: bold;">On Behalf Of </span></b>Elijah Insua<br>

<b><span style="font-weight: bold;">Sent:</span></b> Friday, November 28, 2008
5:09 PM<div><div></div><div class="Wj3C7c"><br>
<b><span style="font-weight: bold;">To:</span></b> NYPHP
 Talk<br>
<b><span style="font-weight: bold;">Subject:</span></b> Re: [nycphp-talk] User
Input Data scrubbing</div></div></span></font></p>

</div><div><div></div><div class="Wj3C7c">

<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">&nbsp;</span></font></p>

<p style="margin-bottom: 12pt;"><font size="3" face="Times New Roman"><span style="font-size: 12pt;">Michele,<br>
<br>
you should clean the data in 2 different ways.&nbsp; First, get rid of all of
the XSS stuff.&nbsp; Then before you insert the cleaned data into the database,
clean out any attempts at SQL injection.<br>
<br>
There are tons of frameworks and libraries out there that handle exactly this.<br>
<br>
<br>
-- Elijah</span></font></p>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">On Fri, Nov 28, 2008 at 4:59 PM, Michele Waldman &lt;<a href="mailto:mmwaldman@nyc.rr.com" target="_blank">mmwaldman@nyc.rr.com</a>&gt; wrote:</span></font></p>


<div link="blue" vlink="blue">

<div>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">What about inserting a comment</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&lt;script&gt;alert(&#39;hi&#39;);&lt;/script&gt;&#39;; delete from
users;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">Like I&#39;m going to name my table users?</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">With that one statement they have performed a SQL
injection and HTML injection in one stroke.</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">Bada bing bada bang bada boom</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">Next time I display their comment out of the database they
are popping up an alert to every user and my users are gone.</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">Michele</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<div>

<div style="text-align: center;" align="center"><font size="3" face="Times New Roman"><span style="font-size: 12pt;">

<hr size="2" width="100%" align="center">

</span></font></div>

<p><b><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma;"> <a href="mailto:talk-bounces@lists.nyphp.org" target="_blank">talk-bounces@lists.nyphp.org</a>
[mailto:<a href="mailto:talk-bounces@lists.nyphp.org" target="_blank">talk-bounces@lists.nyphp.org</a>]
<b><span style="font-weight: bold;">On Behalf Of </span></b>Elijah Insua<br>
<b><span style="font-weight: bold;">Sent:</span></b> Friday, November 28, 2008
3:27 PM<br>
<b><span style="font-weight: bold;">To:</span></b> NYPHP
 Talk</span></font></p>

<div>

<p><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma;"><br>
<b><span style="font-weight: bold;">Subject:</span></b> Re: [nycphp-talk] User
Input Data scrubbing</span></font></p>

</div>

</div>

<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">&nbsp;</span></font></p>

<p style="margin-bottom: 12pt;"><font size="3" face="Times New Roman"><span style="font-size: 12pt;">Michele,</span></font></p>

<div>

<div>

<p style="margin-bottom: 12pt;"><font size="3" face="Times New Roman"><span style="font-size: 12pt;"><br>
<br>
<br>
SQL injection and Html injection are two separate issues.&nbsp; <br>
<br>
SQL injection is something like a user posting &#39;;DELETE FROM users;&nbsp; where
it deletes all of your user accounts.<br>
<br>
Html/Cross Site Scripting is more along the lines of what you are talking
about.&nbsp; There are tons of libraries out there<br>
that attempt to kill off as many of these as possible.<br>
<br>
As far as your 255 character theory, it is not completely true.&nbsp; There are
other character sets such as UTF-8 which allow<br>
for 65 thousand characters.&nbsp; I would seriously invest some time into
finding a library that you can integrate.<br>
<br>
- Elijah</span></font></p>

</div>

</div>

<div>

<div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">On Fri,
Nov 28, 2008 at 3:04 PM, Michele Waldman &lt;<a href="mailto:mmwaldman@nyc.rr.com" target="_blank">mmwaldman@nyc.rr.com</a>&gt;
wrote:</span></font></p>

<div link="blue" vlink="purple">

<div>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">Could y&#39;all repost any responses to this.&nbsp; Apparently,
my new email address wasn&#39;t subscribed to the mailing list.</span></font></p>

<p><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy;">&nbsp;</span></font></p>

<div>

<div style="text-align: center;" align="center"><font size="3" face="Times New Roman"><span style="font-size: 12pt;">

<hr size="2" width="100%" align="center">

</span></font></div>

<p><b><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font size="2" face="Tahoma"><span style="font-size: 10pt; font-family: Tahoma;"> Michele Waldman [mailto:<a href="mailto:mmwaldman@nyc.rr.com" target="_blank">mmwaldman@nyc.rr.com</a>] <br>

<b><span style="font-weight: bold;">Sent:</span></b> Friday, November 28, 2008
2:06 PM<br>
<b><span style="font-weight: bold;">To:</span></b> &#39;NYPHP
 Talk&#39;<br>
<b><span style="font-weight: bold;">Subject:</span></b> User Input Data scrubbing</span></font></p>

</div>

<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">I&#39;m
trying to scrub data input to insert into a database which I will later display
on the website.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">In
order to prevent sql injections and html injections into the code, I figured
I&#39;d just replace non-alphanumeric characters with their html special character
codes and remove any control characters altogether except carriage return.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">The
ascii character codes only go up to 255.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">However,
there are lots more characters in html.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">If
the user creates a string which was generated using html using characters
outside of the ascii character codes, what do those get translated to in the
string?&nbsp; A garbage character?</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">Is
that a concern?&nbsp; Or is my only concern those 255 characters in the ascii
chart?&nbsp; I&#39;m thinking the 255 characters covers it all.&nbsp; The
characters are a finite set which were long ago predefined, unless that changes
in the future, right?&nbsp; This means scrubbing the data is a short function.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">I&#39;m
not using mysql_real_escape_string, because I replace all &#39; and &quot; with
their html character code.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">I&#39;m
not using htmlspecialchars, because it wasn&#39;t thorough enough.&nbsp; I simply
wrote a function that replaces just about every character with its html
character code.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">I&#39;m
doing this in php after the data is passed to me.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">Now,
in the case of ajax, I just need to come up with
a good approach for checking the data received from php, which may vary
depending on the type of ajax
used.</span></font></p>

<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">&nbsp;</span></font></p>

<p><font size="2" color="#888888" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: rgb(136, 136, 136);">Michele</span></font></p>

</div>

</div>

<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;"><br>
_______________________________________________<br>
New York PHP User Group Community Talk Mailing List<br>
<a href="http://lists.nyphp.org/mailman/listinfo/talk" target="_blank">http://lists.nyphp.org/mailman/listinfo/talk</a><br>
<br>
<a href="http://www.nyphp.org/show_participation.php" target="_blank">http://www.nyphp.org/show_participation.php</a></span></font></p>

</div>

<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">&nbsp;</span></font></p>

</div>

</div>

</div>

</div>


</div>

<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;">&nbsp;</span></font></p>

</div></div></div>

</div>


</blockquote></div><br>