[Gllug] unicode and cross site scripting vulnerabilities
Sean Burlington
gllug at uncertainty.org.uk
Tue Feb 26 20:24:45 UTC 2002
On Tuesday 26 February 2002 7:22 pm, Mark Preston wrote:
> Sean Burlington <gllug at uncertainty.org.uk>
> wrote:-
> "I know I'm not the first person to deal with this - but I don't seem to be
> able to find any good resources for this issue.
> any advice/pointers much appreciated "
>
> Hi Sean,
> Try
>
> http://www.cert.org/tech_tips/malicious_code_mitigation.html/
thanks :)
EXACTLY what I was looking for
(*now* I remember seeing it some months ago while looking for
soemthing else!)
> for an overview.
>
> As Tet states for
> PHP
> $NAME = addslashes($NAME);
> $EMAIL = addslashes($EMAIL);
> etc.
> will filter out (by adding a previous backslash) any occurences of a single
> quote, a backslash, or a NULL character - a disaster for SQL syntax.
>
except that php often uses magic_quotes - simply using addslashes without
first checking the php.ini settings can mess up your data !
I've been very careful to sanity check my data since I started cgi
programming some time ago - it's just that now I realise I have been
over-cautious and am rejecting acceptable data, unfortunately with
multi-lingual sites it seems trikier to get rid of all the bathwater whilst
keeping the baby safe !
Anyway I shal now sit and read the above tech tip
thanks again
--
Sean
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list