Security

sprinkles

Chrome Whore
2009 Sep 6 • 2547
10 ₧
So I found a security hole in my register page. Basically, the JavaScript that checks the inputs only checks for string length. So <textarea> would pass JavaScript's checks. However, in PHP I strip HTML tags. Then I check if the string is empty. This does not account for whitespace though! So " <img>" would pass all checks (empty() only checks if the string is null or empty).
That is:
JavaScript would see there are enough chars.
PHP would strip the HTML tags, leaving us with " " (from above).
And empty() would check to see if the string is null or empty (does not include whitespace).

This brings something into question. Would the trim function work after I strip HTML tags? As the link says, "This function returns a string with whitespace stripped from the beginning and end of str." So if the string only contains whitespace, does it still strip it?
 
 
2010 Dec 12 at 12:49 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
Just write something that disallows "<", ">", "/", and ":", like I already told you to do earlier.
 
 
2010 Dec 12 at 12:51 PST
sprinkles

Chrome Whore
2009 Sep 6 • 2547
10 ₧
There is a lot more to do than jus' that.
Quote:
remember that trim doesn't work inside a string, just on the borders

New question: How do I strip whitespace within a string?
php code

<?php
// Remove every whitespace character (space, tab, newline, carriage return, ...)
// anywhere in the string. preg_replace() replaces all matches on its own;
// PHP's PCRE has no "g" modifier. The result has to be assigned back.
$string = preg_replace("/\s/", "", $string);
?>



 
 
2010 Dec 12 at 13:02 PST — Ed. 2010 Dec 12 at 22:34 PST
sprinkles

Chrome Whore
2009 Sep 6 • 2547
10 ₧
So here is what I have, it's pretty simple. This will disallow HTML tags, PHP tags, and whitespace (spaces, tabs, line breaks, carriage returns, etc.).
php code

<?php
class Protect
{
    // Returns the cleaned string, or false when the input is empty.
    public function Strip($string)
    {
        if (!empty($string))
        {
            $string = html_entity_decode($string);       // &lt;img&gt; becomes <img> so the tag stripper sees it
            $string = strip_tags($string);               // remove HTML and PHP tags
            $string = trim($string);                     // drop leading/trailing whitespace
            $string = preg_replace("/\s/", "", $string); // remove every remaining whitespace character
        }
        else
        {
            return false;
        }

        return $string;
    }
}
?>

 
 
2010 Dec 13 at 16:28 PST
SuperJer
Websiteman

2005 Mar 20 • 6155
Don't use Javascript (client side) for security. It won't work.

Don't use strip_tags either, it is easy to get around.

If you don't want to allow HTML tags, use htmlentities(), or just replace < with &lt;.

Also, replacing all whitespace after trim() is redundant.

And why do you want to remove all whitespace? That seems odd.
 
 
2010 Dec 13 at 23:36 PST — Ed. 2010 Dec 13 at 23:36 PST
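An added example, not code posted by anyone in the thread, that ties the first post's question (does trim() empty out a whitespace-only string?) to SuperJer's reply: the posted strip_tags()/empty() logic beside a trim()-based blank check and htmlspecialchars() output encoding. Function names, the minimum length and the sample inputs are my own; mb_strlen() assumes the mbstring extension.

```php
<?php
// Added example, not from the thread. Compares the posted strip_tags()/empty()
// check with a trim()-based blank check and htmlspecialchars() output encoding.

// The first post's logic: strip tags, then rely on empty(). Whitespace survives,
// so " <img>" becomes " " and passes.
function originalCheckAccepts(string $input): bool
{
    return !empty(strip_tags($input));
}

// trim() strips leading and trailing whitespace, so a whitespace-only string
// trims to exactly "" and can be rejected with a strict comparison.
function isNonBlank(string $input, int $minLength = 3): bool
{
    $trimmed = trim($input);
    if ($trimmed === '') {
        return false;
    }
    // Count characters rather than bytes (assumes ext-mbstring).
    return mb_strlen($trimmed, 'UTF-8') >= $minLength;
}

// Output encoding: keep the text, make it inert when echoed into HTML.
// This is the "replace < with &lt;" approach, covering quotes and & as well.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    ' <img>',      // from the first post
    "\t\n  ",      // whitespace only
    'x<y && y>z',  // legitimate text that strip_tags() treats as a tag and removes
    'sprinkles',
];

foreach ($samples as $s) {
    printf("%-14s original: %-4s blank-check: %-4s echoed as: %s\n",
        json_encode($s),
        originalCheckAccepts($s) ? 'pass' : 'fail',
        isNonBlank($s) ? 'pass' : 'fail',
        escapeForHtml($s));
}
```

The first two samples pass the original check and fail the blank check; the third shows why encoding on output keeps text that stripping would silently destroy.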
Down Rodeo
Cap'n Moth of the Firehouse

Find the Hole II Participation Medal
2007 Oct 19 • 5486
57,583 ₧
 
 
2010 Dec 14 at 14:59 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
I̜̯̖͔͛͂̂ ͊ͬͬ̂͟tͮ̿̽ͧ̂ͅh́̚i̳͔̓n̗̠͇͇̎̀ͅͅḳ̣̒̑̂ͮ ̟̩̭̘ͧ͗̑̊ͨͭ́̕p̥̄̄ͧ̌̋͗ò̡̄̚s̛̬͈̎t̷̘̥̳̯͚̿s̳̙̈́̒ͫ ̟̓̅̐̽̈́ͤͬͅl͈͜õ̟̙̓͛́ͤo̧̟̩̠̲̿́̉ͫ̚̚ķ̖̱͇̲͙̝̰͑ ̠̺͓͓͕͚̥̈ͮ́t̷̮̻̙͗̂̏̄ḧ̫̥̬́̇ͫ͐e̺̺͚ͦ̒̅̽ͭ̔͌ ̤̈́ͥ̑͐b̘̬̍́ͩ̓e̲͇̻̜͡s͊̅̑̐̅ͣ̿͏̖t̍̍ͧ ͕͋l̒̒ͤ́̃ͩ͏͉̟̲̲̬i͌ͦͭͦ̔ͯ̓ḱ̤͖ͪ̒ͭ͋̇e̳͎͘ ͉̝̫̱͓̟ͩ̇ͨ͑ͥt̺̣̲̦̽́̓͡h̜̘̥̀́̍̒ͯ͗̄͟i̮͓̳͊̓͊ͬ̆̄̄s̷̞͖̳͈̘ͥͫͅ.͐
 
 
2010 Dec 14 at 15:09 PST
aaronjer
*****'n Admin

Comrade General 5-Star
2005 Mar 21 • 4600
1,227 ₧
Okay, it looks like you are posting as captcha. I wish I could always post in captcha.
 
 
2010 Dec 14 at 19:31 PST — Ed. 2010 Dec 14 at 19:31 PST
SuperJer
Websiteman

2005 Mar 20 • 6155
I̜̯ ͊ͬtͮ̿h́̚i̳͔n̗̠ḳ̣̒ ̟̩p̥̄ò̡̄s̛̬t̷̘s̳̙ ̟̓l͈͜õ̟̙o̧̟ķ̖̱ ̠̺t̷̮ḧ̫̥e̺̺ ̤̈b̘̬e̲͇s͊̅t̍̍ ͕͋l̒̒i͌ͦḱ̤͖e̳͎ ͉̝t̺̣h̜̘i̮͓s̷̞.͐an̗̠d b̘̬i̳͔g.͐ !
 
 
2010 Dec 17 at 19:14 PST — Ed. 2010 Dec 17 at 19:15 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
I̓́͆̑͏̛҉̗̩͙̘͔̦̟̤͇͈̖̥̲̀͜ͅ ̤̥̲͎̘͚͉͉͉͐̎̀ͥͨ͌̐̑̈́́̂̂͌̈́̀͠ͅA̸̴̛͓̣̙̮͍̤̖̯̹͉ͪͮ̈́̔ͯ̀ͅG̶̴̞͉̭̗͉̤̗̝̙͕͈̪̪͔̥̔́ͫ͗̽ͤͫ̇̆̏ͣ̎̐ͫ̀͠Ŗ̂ͦ̊̈́ͦ̓̌ͤ̃͊͝҉͉̤͓̞̮͜E̶̷͚̯͓̥̦͉͑̽ͨE̢̛̻͈̬͓̮̹̮͉̞̙̗ͩ̅͒ͨ!͌̃͐ͨͫ̍̃ͤ͒҉̴̡͉̻̦͉͕͓͍͕͎̳͇̪̳͎̣͇̖͕̻͡
 
 
2010 Dec 19 at 16:37 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
By the way, does anyone know how that works? I'm guessing there is some sort of ascii value that allows you to put a character above or below a character, rather than to the right of it, but idk
 
 
2010 Dec 19 at 16:51 PST
Mate de Vita
Kelli

2008 Oct 4 • 2453
159 ₧
Wow, Google Chrome doesn't display that properly, so I thought it was just a lot of squares and rectangles.
...and that's the bottom line because Mate de Vita said so.
 
 
2010 Dec 20 at 02:21 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
Chrome displays it fine on my end.
 
 
2010 Dec 20 at 08:14 PST
Mate de Vita
Kelli

2008 Oct 4 • 2453
159 ₧
Rockbomb said:
Chrome displays it fine on my end.

Must be Windows XP then.
...and that's the bottom line because Mate de Vita said so.
 
 
2010 Dec 20 at 09:53 PST
Down Rodeo
Cap'n Moth of the Firehouse

Find the Hole II Participation Medal
2007 Oct 19 • 5486
57,583 ₧
 
 
2010 Dec 20 at 10:43 PST
SuperJer
Websiteman

2005 Mar 20 • 6155
You can put any number of Unicode combining diacritical mark "characters" in a row which has the effect of adding several marks to the preceding character.

Here's some!

http://en.wikipedia.org/wiki/Template:Unicode_chart_Combining_Diacritical_Marks
 
 
2010 Dec 21 at 01:02 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
So.... how do you "stack" these?
 
 
2010 Dec 21 at 01:09 PST — Ed. 2010 Dec 21 at 01:27 PST
Down Rodeo
Cap'n Moth of the Firehouse

Find the Hole II Participation Medal
2007 Oct 19 • 5486
57,583 ₧
 
 
2010 Dec 21 at 10:17 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
.ͯͣͩͥͬͬͤͭ o͜o
 
 
2010 Dec 21 at 11:56 PST — Ed. 2010 Dec 21 at 12:16 PST
sprinkles

Chrome Whore
2009 Sep 6 • 2547
10 ₧
U+0305
 ̀
 ̠

 ͏ ͜ ͏
 
 
2010 Dec 21 at 12:33 PST — Ed. 2010 Dec 21 at 12:34 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
s̅p̅r̅i̅n̅k̅l̅e̅s̅ said:
̅U̅+̅0̅3̅0̅5̅

 
 
2010 Dec 21 at 12:34 PST — Ed. 2010 Dec 21 at 12:35 PST
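How the overlined text above is produced, as an added example that is not code from the thread: each base character is followed by one or more combining marks (U+0305 from sprinkles' post; U+0300 and U+0320 are extra marks I chose to show stacking), and the usual length functions then disagree about how long the string is. Assumes PHP 7.2+ with ext-mbstring; grapheme_strlen() needs ext-intl.

```php
<?php
// Added example, not from the thread. Appends combining marks after each base
// character; the renderer draws them above/below the character before them.
function stackMarks(string $text, array $codePoints): string
{
    // Build the UTF-8 bytes of the mark sequence once.
    $marks = '';
    foreach ($codePoints as $cp) {
        $marks .= mb_chr($cp, 'UTF-8');
    }
    $out = '';
    // Split into code points so multibyte base characters stay intact.
    foreach (preg_split('//u', $text, -1, PREG_SPLIT_NO_EMPTY) as $ch) {
        $out .= $ch . $marks;
    }
    return $out;
}

// Three ways of measuring the same string give three different answers.
function measure(string $s): array
{
    return [
        'bytes'      => strlen($s),
        'codepoints' => mb_strlen($s, 'UTF-8'),
        // A grapheme is what the reader sees as one character: the base plus
        // every mark attached to it (needs ext-intl).
        'graphemes'  => function_exists('grapheme_strlen') ? grapheme_strlen($s) : null,
    ];
}

$plain     = 'sprinkles';
$overlined = stackMarks($plain, [0x0305]);                  // s̅p̅r̅i̅n̅k̅l̅e̅s̅, as in the thread
$stacked   = stackMarks($plain, [0x0305, 0x0300, 0x0320]);  // three marks per letter

foreach ([$plain, $overlined, $stacked] as $s) {
    echo $s, ' => ', json_encode(measure($s)), PHP_EOL;
}
```

The overlined word is 9 graphemes but 18 code points and 27 bytes, which is why a length-only input check sees something quite different from what the reader does.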
sprinkles

Chrome Whore
2009 Sep 6 • 2547
10 ₧
I don't get this stuff.
 
 
2010 Dec 21 at 12:35 PST
Rockbomb
Dog fucker (but in a good way now)

2009 Nov 13 • 2045
sprinkles said:
I d͐o͑n͒'͓t g͕e͖t t͗h͘i͙s s͚t͛u͜f͝f͞.

 
 
2010 Dec 21 at 12:39 PST