Security
sprinkles


2009 Sep 6 • 2480
10 ₧
So I found a security hole in my register page. Basically, the JavaScript that checks the inputs only checks for string length. So <textarea> would pass JavaScript's checks. However, in PHP I strip HTML tags. Then I check if the string is empty. This does not account for whitespace though! So " <img>" would pass all checks (empty() only checks if the string is null or empty).
That is:
JavaScript would see there are enough chars.
PHP would strip the HTML tags, leaving us with " " (from above).
And empty would check to see if the string is null or empty (does not include whitespace).
This brings something into question. Would the trim function work after I strip HTML tags? As the link says, "This function returns a string with whitespace stripped from the beginning and end of str." So if the string only contains whitespace, does it still strip it?
...then I got some ap, and shot a big ass lazar at everyone.
2010 Dec 12 at 12:49
Rockbomb
Dog fucker

2009 Nov 13 • 1943
-190 ₧
Just write something that disallows "<", ">", "/", and ":", like I already told you to do earlier.
2010 Dec 12 at 12:51
sprinkles


2009 Sep 6 • 2480
10 ₧
There is a lot more to do than jus' that.
Quote: remember that trim doesn't work inside a string, just on the borders
New question: How do I strip whitespace within a string?
php code
<?php
// The "g" modifier is a JavaScript regex flag, not a PCRE one; PHP would
// reject it. preg_replace already replaces every match, so no modifier
// is needed, and the result has to be assigned back to be of any use.
$string = preg_replace("/\s/", "", $string);
?>
(Edited 2010 Dec 12 at 22:34)
2010 Dec 12 at 13:02
sprinkles


2009 Sep 6 • 2480
10 ₧
So here is what I have, it's pretty simple. This will disallow HTML tags, PHP tags, whitespace (spaces, tabs, line breaks, carriage returns, etc.).
php code
<?php
class Protect
{
    public function Strip($string)
    {
        if (!empty($string)) {
            $string = html_entity_decode($string);        // turn entities back into characters first
            $string = strip_tags($string);                // then drop HTML and PHP tags
            $string = trim($string);                      // strip leading/trailing whitespace
            $string = preg_replace("/\s/", "", $string);  // remove any whitespace left inside
        } else {
            return false;
        }
        return $string;
    }
}
?>
2010 Dec 13 at 16:28
superjer
superjer

2005 Mar 20 • 3767
Don't use Javascript (client side) for security. It won't work.
Don't use strip_tags either, it is easy to get around.
If you don't want to allow HTML tags, use htmlentities(), or just replace < with &lt;.
Also, replacing all whitespace after trim() is redundant.
And why do you want to remove all whitespace? That seems odd.
(Edited 2010 Dec 13 at 23:36)
2010 Dec 13 at 23:36
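An added example, not code from this thread: the check sprinkles describes in the first post (strip_tags, then empty()) beside a server-side version along the lines superjer suggests (trim, explicit rules on the trimmed value, escaping on output instead of stripping on input). Function names, the length limits and the sample inputs are the example's own assumptions.

```php
<?php
// Added example, not code from the thread. Function names, the length
// limits and the sample inputs are assumptions made for illustration.

// The check from the first post: strip tags, then rely on empty().
function weakCheck(string $input): bool
{
    $s = strip_tags($input);
    return !empty($s);   // " " passes (empty(" ") is false); "0" fails (empty("0") is true)
}

// Server-side version: do not rely on the JavaScript length check at all,
// trim, then apply explicit rules on the trimmed value.
function strongCheck(string $input, int $min = 3, int $max = 32): bool
{
    $s = trim($input);                  // an all-whitespace string trims to ""
    if ($s === '') {
        return false;
    }
    if (preg_match('/\s/', $s) === 1) { // interior whitespace, if the field must not contain any
        return false;
    }
    $len = mb_strlen($s, 'UTF-8');
    return $len >= $min && $len <= $max;
}

// Escape when rendering instead of stripping on input: the text survives
// intact and a browser shows "<b>" literally rather than interpreting it.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs covering the cases discussed in the thread.
$samples = [
    "<textarea>",  // weak: strip_tags leaves ""; strong: accepted, escaped on output
    " <img>",      // strip_tags leaves " ", which empty() does not catch
    "    ",        // whitespace only
    "0",           // empty("0") is true: a separate empty() quirk
    "bob<b>",      // strong check keeps it; forHtml renders the tag harmlessly
    "alice",
];
foreach ($samples as $s) {
    printf("%-13s weak=%-5s strong=%-5s html=%s\n", json_encode($s),
        var_export(weakCheck($s), true), var_export(strongCheck($s), true), forHtml($s));
}
```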
Down Rodeo
Cap'n Moth of the Firehouse


2007 Oct 19 • 5328
57,583 ₧
2010 Dec 14 at 14:59
Rockbomb
Dog fucker

2009 Nov 13 • 1943
-190 ₧
I̜̯̖͔͛͂̂ ͊ͬͬ̂͟tͮ̿̽ͧ̂ͅh́̚i̳͔̓n̗̠͇͇̎̀ͅͅḳ̣̒̑̂ͮ ̟̩̭̘ͧ͗̑̊ͨͭ́̕p̥̄̄ͧ̌̋͗ò̡̄̚s̛̬͈̎t̷̘̥̳̯͚̿s̳̙̈́̒ͫ ̟̓̅̐̽̈́ͤͬͅl͈͜õ̟̙̓͛́ͤo̧̟̩̠̲̿́̉ͫ̚̚ķ̖̱͇̲͙̝̰͑ ̠̺͓͓͕͚̥̈ͮ́t̷̮̻̙͗̂̏̄ḧ̫̥̬́̇ͫ͐e̺̺͚ͦ̒̅̽ͭ̔͌ ̤̈́ͥ̑͐b̘̬̍́ͩ̓e̲͇̻̜͡s͊̅̑̐̅ͣ̿͏̖t̍̍ͧ ͕͋l̒̒ͤ́̃ͩ͏͉̟̲̲̬i͌ͦͭͦ̔ͯ̓ḱ̤͖ͪ̒ͭ͋̇e̳͎͘ ͉̝̫̱͓̟ͩ̇ͨ͑ͥt̺̣̲̦̽́̓͡h̜̘̥̀́̍̒ͯ͗̄͟i̮͓̳͊̓͊ͬ̆̄̄s̷̞͖̳͈̘ͥͫͅ.͐
2010 Dec 14 at 15:09
superjer
superjer

2005 Mar 20 • 3767
I̜̯ ͊ͬtͮ̿h́̚i̳͔n̗̠ḳ̣̒ ̟̩p̥̄ò̡̄s̛̬t̷̘s̳̙ ̟̓l͈͜õ̟̙o̧̟ķ̖̱ ̠̺t̷̮ḧ̫̥e̺̺ ̤̈b̘̬e̲͇s͊̅t̍̍ ͕͋l̒̒i͌ͦḱ̤͖e̳͎ ͉̝t̺̣h̜̘i̮͓s̷̞.͐an̗̠d b̘̬i̳͔g.͐ !
(Edited 2010 Dec 17 at 19:15)
2010 Dec 17 at 19:14
Mate de Vita
Kelli

2008 Oct 4 • 2414
159 ₧
Wow, Google Chrome doesn't display that properly, so I thought it was just a lot of squares and rectangles.
...and that's the bottom line because Mate de Vita said so.
Who controls the past, controls the future. Who controls the present, controls the past.
2010 Dec 20 at 02:21
Rockbomb
Dog fucker

2009 Nov 13 • 1943
-190 ₧
Chrome displays it fine on my end.
2010 Dec 20 at 08:14
Mate de Vita
Kelli

2008 Oct 4 • 2414
159 ₧
Rockbomb said: Chrome displays it fine on my end.
Must be Windows XP then.
2010 Dec 20 at 09:53
Down Rodeo
Cap'n Moth of the Firehouse


2007 Oct 19 • 5328
57,583 ₧
2010 Dec 20 at 10:43
2010 Dec 21 at 01:02
Rockbomb
Dog fucker

2009 Nov 13 • 1943
-190 ₧
So.... how do you "stack" these?
(Edited 2010 Dec 21 at 01:27)
2010 Dec 21 at 01:09
Down Rodeo
Cap'n Moth of the Firehouse


2007 Oct 19 • 5328
57,583 ₧
2010 Dec 21 at 10:17
Rockbomb
Dog fucker

2009 Nov 13 • 1943
-190 ₧
.ͯͣͩͥͬͬͤͭ o͜o
(Edited 2010 Dec 21 at 12:16)
2010 Dec 21 at 11:56
sprinkles


2009 Sep 6 • 2480
10 ₧
U+0305
̀
̠
͏ ͜ ͏
(Edited 2010 Dec 21 at 12:34)
2010 Dec 21 at 12:33
Rockbomb
Dog fucker

2009 Nov 13 • 1943
-190 ₧
s̅p̅r̅i̅n̅k̅l̅e̅s̅ said: ̅U̅+̅0̅3̅0̅5̅
(Edited 2010 Dec 21 at 12:35)
2010 Dec 21 at 12:34
sprinkles


2009 Sep 6 • 2480
10 ₧
I don't get this stuff.
2010 Dec 21 at 12:35
Rockbomb
Dog fucker

2009 Nov 13 • 1943
-190 ₧
sprinkles said: I d͐o͑n͒'͓t g͕e͖t t͗h͘i͙s s͚t͛u͜f͝f͞.
2010 Dec 21 at 12:39