input-sanitization

Sanitizing user inputs when the user input is a schema name in node postgres

筅森魡賤 submitted on 2020-08-10 18:52:49
Question: I am using https://node-postgres.com/ to write a fairly simple application, but I do have a complex constraint that has caused me issues. Namely, I need my SQL statement to select a schema based on user input: SELECT * FROM {some user value}.tableName. But when I attempt to parametrize this normally, I get a syntax error: {"errorType":"error","errorMessage":"syntax error at or near \"$1\"", which seems to indicate that the value wasn't replaced as expected. Is there a way to sanitize the incoming

MySQL HTML sanitization

[亡魂溺海] submitted on 2019-12-25 08:33:13
Question: I have a website that saves data to a MySQL database. Should I escape the HTML upon inserting it into MySQL or upon displaying it on my website? Ideally, I'd like to input raw HTML into my database and just sanitize each time I pull from it. Is there any danger in doing it this way? Example HTML: <h1>test</h1> Answer 1: Typically users won't save HTML, but I don't want them to be restricted. Of course that HTML won't be executed. It will just be displayed. Should I escape the HTML upon inserting it

Is preg_match safe enough in input sanitization?

陌路散爱 submitted on 2019-12-23 09:49:18
Question: I am building a new web app, LAMP environment... I am wondering if preg_match can be trusted for user input validation (+ prepared stmt, of course) for all the text-based fields (aka not HTML fields; phone, name, surname, etc.). For example, for a classic 'email field', if I check the input like: $email_pattern = "/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)" . "|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}" . "|[0-9]{1,3})(\]?)$/"; $email = $_POST['email']; if(preg_match($email

ZF2 sanitize variables for DB queries

被刻印的时光 ゝ submitted on 2019-12-23 04:43:48
Question: In making database queries in Zend Framework 2, how should I be sanitizing user-submitted values? For example, $id in the following SQL: $this->tableGateway->adapter->query( "UPDATE comments SET spam_votes = spam_votes + 1 WHERE comment_id = '$id'", \Zend\Db\Adapter\Adapter::QUERY_MODE_EXECUTE ); Answer 1: You can pass parameters when you execute: $statement = $this->getAdapter()->query("Select * from test WHERE id = ?"); $result = $statement->execute(array(99)); $resultSet = new ResultSet;

Need regex for utf8 multilingual search query

五迷三道 submitted on 2019-12-13 08:56:21
Question: I need a regex to use with the preg_replace PHP function on the search form input, for use in an SQL full-text search in a MySQL multilingual utf8 database. I have considered using PHP filter_var with FILTER_SANITIZE_STRING, but I ended up with preg_replace. I want these features: keep spaces, and only one if more in a row (serial spaces); keep double quotes, and only one if more in a row (so that I could use it in a phrase in IN BOOLEAN MODE); keep - & + & '~', and only one if more in a row, as I want

Sanitize string for comparison in Matlab

非 Y 不嫁゛ submitted on 2019-12-12 00:56:35
Question: This is a follow-up question from this that considered evalc, instead of fiddling with file descriptors manually. You can see below an example of poor sanitization. I want to remove things such as trailing characters, all whitespace, all newlines etc. -- that usually cause unexpected things -- is there a ready sanitization command to do this? EDU>> a a = 1 +1*{x} -1*{y}*{z} EDU>> b b = 1 +1*{x} -1*{y}*{z} EDU>> isequal(a,b) ans = 0 Answer 1: I don't know whether there exist any ready robust

How to sanitize ODBC database input?

生来就可爱ヽ(ⅴ<●) submitted on 2019-12-10 14:54:06
Question: I currently use MySQL, but would prefer an ODBC solution to make it future-proof. How do I sanitize user input before passing it to an ODBC database? And, while I'm at it, I wrap my string in double quotes, e.g. "INSERT INTO VALUES(description) ""` - but what if the text itself contains a double quote? Answer 1: Try using a parametrized SQL sentence like this: INSERT INTO MyTable (Field1,Field2) VALUES (:Param1,:Param2) Check this article from Embarcadero for more info about how to use parameters

How to install, import and use DOMPurify in frontend js file?

不问归期 submitted on 2019-12-08 17:20:56
Question: This is more of a "can you please confirm this is correct" type of question, as I think I resolved it in the process of writing the question, but hopefully it will be of help to other people who are a bit hesitant when it comes to implementing DOMPurify. Short version: Is it safe/valid to import and use DOMPurify like this in a frontend JS file: npm install dompurify --save import DOMPurify from 'dompurify'; var clean = DOMPurify.sanitize('<img src=x onerror=alert(1)//>', {SAFE_FOR_JQUERY: true})

How to use JSON Sanitizer at Server Side?

◇◆丶佛笑我妖孽 submitted on 2019-12-07 07:22:21
Question: I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places: JSON data (in Request) received from Client or Other Systems - this needs to be sanitized at server side before being processed; JSON data (in Response) to be sent to Client - this needs to be sanitized at server side before being sent to the client. Is it sufficient that I just call a sanitizing method in the JSON Sanitizing library on that JSON data? Will that