[Gllug] unicode and cross site scripting vulnerabilities

Sean Burlington gllug at uncertainty.org.uk
Tue Feb 26 20:24:45 UTC 2002


On Tuesday 26 February 2002 7:22 pm, Mark Preston wrote:
> Sean Burlington <gllug at uncertainty.org.uk>
> wrote:-
> "I know I'm not the first person to deal with this - but I don't seem to be
> able to find any good resources for this issue.
> any advice/pointers much appreciated "
>
> Hi Sean,
> Try
>
> http://www.cert.org/tech_tips/malicious_code_mitigation.html/

thanks :)

EXACTLY what I was looking for 
(*now* I remember seeing it some months ago while looking for
something else!)


> for an overview.
>
> As Tet states for
> PHP
> $NAME = addslashes($NAME);
> $EMAIL = addslashes($EMAIL);
> etc.
> will filter out (by adding a previous backslash) any occurrences of a single
> quote, a backslash, or a NULL character - a disaster for SQL syntax.
>

except that php often uses magic_quotes - simply using addslashes without 
first checking the php.ini settings can mess up your data !

I've been very careful to sanity check my data since I started cgi 
programming some time ago - it's just that now I realise I have been 
over-cautious and am rejecting acceptable data, unfortunately with 
multi-lingual sites it seems trickier to get rid of all the bathwater whilst 
keeping the baby safe !

Anyway I shall now sit and read the above tech tip 

thanks again 

-- 

Sean
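The magic_quotes pitfall raised above, as an added example that is not code from the thread: the helper names raw_input() and sql_escape() are my own, and the sample value is constructed to look like what PHP (before 8.0, where get_magic_quotes_gpc() still exists) hands a script when magic_quotes_gpc is switched on in php.ini.

```php
<?php
// Added example: escape input for SQL exactly once, whatever php.ini says.
// Assumes PHP < 8.0; magic quotes and get_magic_quotes_gpc() were removed in 8.0.

// Undo the automatic backslashing that magic_quotes_gpc applies to GET, POST and
// COOKIE data, so the value holds what the user actually typed. $magic_on may be
// passed explicitly (handy for tests); otherwise the php.ini setting is consulted.
function raw_input($value, $magic_on = null) {
    if ($magic_on === null) {
        $magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    if (!$magic_on) {
        return $value;
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = raw_input($v, true);
        }
        return $out;
    }
    return stripslashes($value);
}

// Escape a raw value for use inside a single-quoted SQL string literal.
// Applied to raw_input() output this adds backslashes once; applied straight to
// magic-quoted input it escapes the backslashes magic quotes already inserted,
// which is the data corruption the thread warns about.
function sql_escape($value) {
    return addslashes($value);
}

// Constructed sample: the user typed O'Brien, magic_quotes_gpc turned it into O\'Brien.
$posted_name = "O\\'Brien";

$naive  = sql_escape($posted_name);                    // backslashes doubled
$proper = sql_escape(raw_input($posted_name, true));   // escaped exactly once

echo "naive:  $naive\n";
echo "proper: $proper\n";
```

Run with magic_quotes_gpc on and off to confirm that the proper path produces the same escaped value in both cases, which is the property the naive path lacks.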

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug