Menu
▾
▴
Re: [WebERP-developers] Replicating slashes problem - escaping special chars for database insertion or HTML
|
From: icedlava <ice...@gm...> - 2013-11-27 12:40:00
|
> BUT where a $_POST is used as a criteria to some SQL we need the mysqli_escape_string to avoid any shenanigans with clever sods messing with the SQL to return stuff they shouldn't be looking at Yes, and this is the hack work i mentioned some time ago that may need doing to fix - unless we can find a better solution. Should we address it in sessions.inc? Not sure that is correct. Should we have a special prep for display and prep for database call we use for vars - do we rely on devs to ensure they prep any vars in their functions as required? Not sure. We need to escape before posting to db, and encode for html entities before we display vars - but mixing both as we do now is causing issues. I tried to give an example in my last post in reply to Tim. There are lots of ways but which way might need some discussion and balance need for performance, work involved to fix, and security. Cheers! On 27 Nov 2013, at 17:36, Phil Daintree wrote: > Looks like you are onto this one!! Yes this makes sense... I think you have identified the source of the problem... BUT where a $_POST is used as a criteria to some SQL we need the mysqli_escape_string to avoid any shenanigans with clever sods messing with the SQL to return stuff they shouldn't be looking at. > This function is a bit of a sledge hammer approach. Maybe we need to identify the variables where it is going wrong - I don't see it much.... although I have seen it before in descriptions I think - and perhaps we could strip slashes or similar. > > Phil > > Phil Daintree > Logic Works Ltd - +64 (0)275 567890 > http://www.logicworks.co.nz > > On 27/11/13 19:57, iced lava wrote: >> Currently we have sessions.inc processing all session, post and get vars in the same way. >> >> We make a big assumption here with DB_escape_string at line 59 and 66 (for single var and slightly different for arrays): >> >> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue); >> >> This assumes that we know what a function will do with the post/get/sessions vars and that they are going to be inserted/updated to a database. They are passed to the DB_escape_string function which returns (for mysqli): >> >> mysqli_real_escape_string($db, htmlspecialchars($String, ENT_COMPAT,'utf-8', false)); >> >> This is causing exponential slash addition to variables which are not entered to a database but instead posted to a HTML field value. Each time the field is updated the value is saved in the database with extra slashes when escaping a special char like a single quote. >> >> If we do actually need to do this variable processing in sessions.inc then perhaps we could decide what is more common displaying the var or insert/updating to a db. >> >> If we chose for example that displaying the var on the page is more common then we should change sessions inc for example on this line: >> >> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue) >> >> to >> $_POST[$PostVariableName]= htmlspecialchars($PostArrayValue, ENT_QUOTES,'UTF-8'); >> >> and for this case in DB_escape_string from: >> >> return mysqli_real_escape_string($db, htmlspecialchars($String, ENT_COMPAT,'utf-8', false)); >> to >> >> return mysqli_real_escape_string($db, htmlspecialchars_decode($String, ENT_COMPAT)); >> >> >> Then we need to call DB_escape_string on vars before we send to any insert or edit for database. >> >> On the other hand - we need to do the opposite if we assume it is more likely to post to the database. >> >> Perhaps there is another 3rd way to handle it? >> >> Thanks to all in advance for any feedback!! >> >> >> >> >> ------------------------------------------------------------------------------ >> Rapidly troubleshoot problems before they affect your business. Most IT >> organizations don't have a clear picture of how application performance >> affects their revenue. With AppDynamics, you get 100% visibility into your >> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro! >> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk >> >> >> _______________________________________________ >> Web-erp-developers mailing list >> Web...@li... >> https://lists.sourceforge.net/lists/listinfo/web-erp-developers > > ------------------------------------------------------------------------------ > Rapidly troubleshoot problems before they affect your business. Most IT > organizations don't have a clear picture of how application performance > affects their revenue. With AppDynamics, you get 100% visibility into your > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro! > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk_______________________________________________ > Web-erp-developers mailing list > Web...@li... > https://lists.sourceforge.net/lists/listinfo/web-erp-developers |
