sanitization

Are Cookies a Security Risk?

谁说胖子不能爱 submitted on 2019-12-04 14:43:44
Assume we have a website that asks the user for his name. The website then stores this value in a cookie, and on the next page, retrieves it via PHP and uses it somehow (perhaps the page displays the name as text). Could a user modify the cookie data to inject malicious code? Should cookie data be sanitized as it's retrieved by the script? (This is a hypothetical scenario. Obviously a cookie wouldn't be necessary here.) Could a user modify the cookie data to inject malicious code? Should cookies be sanitized as they're retrieved by the script? Inject malicious code? Not PHP code, but you are

This regex to strip punctuation also incorrectly makes the word Báenou into Benou

旧街凉风 submitted on 2019-12-04 11:07:03
The goal of this regex is to remove punctuation characters: var myTxt = "Welcome, Visitor: The Royal Kingdom Of Báenou"; myTxt = myTxt.replace(/[^a-zA-Z0-9 ]+/g, '').replace(/ {2,}/g, ' '); alert(myTxt); So the text above should become this: Welcome Visitor The Royal Kingdom Of Báenou But instead it incorrectly drops the á in Báenou to produce this: Welcome Visitor The Royal Kingdom Of Benou What's the simplest change I could make to the regex to make it work as intended? Your problem is that you are dropping anything that is not in a "whitelist" which you define as all (non-accented) letters,

CakePHP: h() vs. Sanitize::html()

懵懂的女人 submitted on 2019-12-04 09:57:14
CakePHP has a global function called h . It's a convenience method for htmlspecialchars . CakePHP also has a utility called Sanitize , which has a method called html . Here is part of its description: This method prepares user-submitted data for display inside HTML. This is especially useful if you don’t want users to be able to break your layouts or insert images or scripts inside of your HTML pages. When should each be used? Is one better than the other? Costa Sanitize::html() is more versatile: it lets you strip the HTML completely (via remove option), and lets you specify how it

Sanitize sentence in php

混江龙づ霸主 submitted on 2019-12-04 08:50:09
Question The title may sound odd, but I'm kind of trying to set up this preg_replace that takes care of messy writers for a textarea. It has to: if there is an exclamation sign, there should not be another one in a row. if there is a ., the comma wins and it has to be , when there is one+ spaces before a comma, it should be reduced to nothing. the sentence cannot start or end with a comma. there should never be more than 2 of the same letters joined together. a space must be always present after a comma

Can i manipulate an external HTML document with JQuery?

别来无恙 submitted on 2019-12-04 06:32:37
Question I would like to sanitize an HTML document (created in Google Docs) so I can publish it on my CMS. I have the source document in a string, from to , with header, style, body etc. I would like to extract the body content and replace/eliminate a few tags. If I could do this using jQuery I think it would be easier than with more sophisticated HTML parsers. But when I try to get the body of the document, I don't get usable results. I tried: var gdoc = "<html>...google document...</html>" $(gdoc) /

Data Sanitization in PHP [closed]

混江龙づ霸主 submitted on 2019-12-04 05:40:18
Can someone recommend an up-to-date library for data sanitization in PHP? I am looking for a library that proposes a set of functions for data sanitization. Email validation/sanitization (remove those %0A, \r...), strip html

Is there a better way to sanitize input with javascript?

隐身守侯 submitted on 2019-12-04 04:58:35
I wanted to write a javascript function to sanitize user input and remove any unwanted and dangerous characters. It must allow only the following characters: Alphanumeric characters (case insensitive): [a-z][0-9]. Inner whitespace, like "word1 word2". Spanish characters (case insensitive): [áéíóúñü]. Underscore and hyphen [_-]. Dot and comma [.,]. Finally, the string must be trimmed with trim(). My first attempt was: function sanitizeString(str){ str = str.replace(/[^a-z0-9áéíóúñü_-\s\.,]/gim,""); return str.trim(); } But if I did: sanitizeString("word1\nword2") it returns: "word1 word2" So I
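Added example, not code from either of the two regex posts above (the Báenou one and this Spanish-input one). Both fail for the same reason: the character class is an ASCII allowlist, or it uses \s, which admits every kind of whitespace. The version below keeps accented letters in any script with Unicode property escapes, and the Spanish variant keeps only an ordinary space. Sample inputs are constructed.

```javascript
// Added example, not code from either Stack Overflow post above. Shows an
// allowlist that keeps accented letters: the Báenou post loses "á" because
// [a-zA-Z0-9 ] is ASCII-only, and the Spanish-input post keeps newlines
// because \s matches every kind of whitespace, not just a space.

// Generic version: keep letters and digits of any script plus ASCII space,
// using Unicode property escapes (the /u flag is required for \p{...}).
// NFC normalisation first, so a decomposed "a" + U+0301 becomes one code
// point and is not split into a letter and a combining mark that the
// class would then drop.
function stripPunctuation(text) {
  return text
    .normalize('NFC')
    .replace(/[^\p{L}\p{N} ]+/gu, '')
    .replace(/ {2,}/g, ' ')   // a regex literal; the original passed the string '/ {2,}/'
    .trim();
}

// Spanish-text version with the exact allowlist from the question:
// letters a-z plus áéíóúñü (case-insensitive), digits, underscore, dot,
// comma, hyphen and a single ordinary space. Every run of whitespace
// (newline, tab, NBSP, ...) is first folded to one space so words are not
// glued together; a literal ' ' rather than \s then keeps only that space.
function sanitizeSpanish(str) {
  return str
    .normalize('NFC')
    .replace(/\s+/g, ' ')
    .replace(/[^a-z0-9áéíóúñü_., -]/gi, '')
    .trim();
}

// Constructed sample inputs; the first is the string from the Báenou post.
const SAMPLES = [
  'Welcome, Visitor: The Royal Kingdom Of Báenou',
  'Ba\u0301enou (decomposed)',
  'word1\nword2',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(stripPunctuation(s)), '/', JSON.stringify(sanitizeSpanish(s)));
}
```

Note that this is input normalisation for storage or display of plain text only; it does not make the value safe for a specific sink such as HTML or SQL, which still needs context-specific encoding or parameter binding at the point of use.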

What is the correct way to make web form input safe for a variety of contexts?

旧时模样 submitted on 2019-12-04 03:18:35
What do you all think is the correct (read: most flexible, loosely coupled, most robust, etc.) way to make user input from the web safe for use in various parts of a web application? Obviously we can just use the respective sanitization functions for each context (database, display on screen, save on disk, etc.), but is there some general "pattern" for handling unsafe data and making it safe? Is there an established way to enforce treating it as unsafe unless it is properly made safe? Like it's already been said, there are several things to take into account when you are concerned about web
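Added example, not code from this post or from the cookie post earlier on the page. It shows one way to implement the pattern the question asks about: keep the raw value untouched, refuse to let it be stringified by accident, and encode it only when it is handed to a specific sink (HTML body, HTML attribute, URL parameter, JavaScript string). The cookie scenario is the same problem, since a cookie value comes from the client and is as untrusted as a form field. The class and function names, and the sample cookie value, are constructed for the example.

```javascript
// Added example, not code from either post. One way to implement
// "treat as unsafe until encoded for a specific sink".

// Encoders, one per output context. The raw value never changes; only
// its representation for a given sink does.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// For a value placed inside a JavaScript string literal in a <script>
// block: JSON.stringify handles quotes and backslashes, and '<' / '>' are
// escaped so "</script>" cannot close the block early. The result is
// still valid JSON, so JSON.parse(encoded) gives back the raw string.
function encodeForJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Wrapper that refuses to be stringified by accident. Template literals,
// string concatenation and String(x) all go through toString(), so any
// code path that forgets to pick a sink encoder fails loudly instead of
// emitting the raw value into the page.
class Untrusted {
  #raw;
  constructor(raw) { this.#raw = String(raw); }
  toString() { throw new TypeError('Untrusted value used without choosing an output encoding'); }
  forHtml()     { return encodeForHtml(this.#raw); }
  forHtmlAttr() { return '"' + encodeForHtml(this.#raw) + '"'; }   // always quoted
  forJsString() { return encodeForJsString(this.#raw); }
  // encodeURIComponent output contains none of & < > " so it can sit
  // inside a double-quoted attribute as-is.
  forUrlParam() { return encodeURIComponent(this.#raw); }
  // For sinks that take the value as data, e.g. a bound parameter of a
  // prepared SQL statement: the raw string, handed over explicitly.
  raw() { return this.#raw; }
}

// The cookie scenario: the name stored in a cookie is read back and used
// in several places on the next page. The value passed in is constructed.
function renderGreetingPage(cookieName) {
  const name = new Untrusted(cookieName);
  return [
    `<p>Hello, ${name.forHtml()}</p>`,
    `<input type="text" name="name" value=${name.forHtmlAttr()}>`,
    `<a href="/profile?name=${name.forUrlParam()}">Profile</a>`,
    `<script>var userName = ${name.forJsString()};</script>`,
  ].join('\n');
}

console.log(renderGreetingPage("O'Neil <script>alert(1)</script>"));
```

The point of the wrapper is that forgetting the encoder is a thrown error at test time, not a silent XSS; a template engine with contextual auto-escaping gives the same guarantee with less ceremony, and a database driver's parameter binding plays the role of `raw()` for the SQL sink.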

Cleaning all inline events from HTML tags

扶醉桌前 submitted on 2019-12-03 17:23:57
For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc). I am thinking, isn't it enough to encode the following chars? =,(,) So onclick="location.href='ggg.com'" will become onclick%3D"location.href%3D'ggg.com'" What am I missing here? Edit: I do need to accept active HTML (I can't escape it all or entities is it). Kornel There's no simple method to accept HTML, but not scripts. You have to parse HTML to DOM, remove all unwanted elements and attributes in DOM and generate new HTML. It can't be done reliably with regular expressions . on *
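Added example, not code from the question or from Kornel's answer. The first function is the asker's idea (percent-encode `=`, `(` and `)`) written out so its gap is visible: an element such as `<script>` needs no attribute and therefore no `=`, and a template literal calls a function without parentheses, so that payload passes through untouched. The second part is an allowlist sanitizer of the shape Kornel describes: parse to a DOM, keep only known elements and attributes, serialize again. The tag and attribute lists are assumptions made for this example, not a recommendation from the thread; the sanitizer needs a browser (DOMParser), while `naiveNeutralize` and `safeHref` run anywhere.

```javascript
// Added example, not code from the question or from Kornel's answer.

// The proposed character filter: '=' -> %3D, '(' -> %28, ')' -> %29.
function naiveNeutralize(html) {
  return html.replace(/[=()]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Constructed payloads. The first is the one from the question and is
// mangled as hoped. The second contains no '=', '(' or ')' at all: a
// <script> element carries no attribute, and alert`1` invokes alert via a
// tagged template literal, so the filter returns it unchanged.
const PAYLOADS = [
  'onclick="location.href=\'ggg.com\'"',
  '<script>alert`1`</script>',
];

// Only http(s) and relative URLs survive in href; "javascript:", "data:"
// and other schemes are dropped. The base URL is a dummy so relative
// links parse; the original attribute value is what gets kept.
function safeHref(value) {
  try {
    const u = new URL(value, 'https://base.invalid/');
    return u.protocol === 'http:' || u.protocol === 'https:' ? value : null;
  } catch {
    return null;
  }
}

// Assumed allowlists for the example.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a']);
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'template']);
const ALLOWED_ATTRS = new Map([['a', new Set(['href'])]]);

// Browser-only: DOMParser yields an inert document (scripts do not run),
// the DOM is walked, and fresh HTML is serialized from what remains.
// Elements not on the allowlist are unwrapped (their text is kept);
// active elements go with their content; every attribute not explicitly
// allowed, which includes all on* handlers, is removed.
function sanitizeHtml(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  for (const el of Array.from(doc.body.querySelectorAll('*'))) {
    const tag = el.localName;
    if (DROP_WITH_CONTENT.has(tag)) { el.remove(); continue; }
    if (!ALLOWED_TAGS.has(tag)) { el.replaceWith(...el.childNodes); continue; }
    const allowed = ALLOWED_ATTRS.get(tag);
    for (const attr of Array.from(el.attributes)) {
      if (!allowed || !allowed.has(attr.name)) { el.removeAttribute(attr.name); continue; }
      if (attr.name === 'href' && safeHref(attr.value) === null) el.removeAttribute(attr.name);
    }
  }
  return doc.body.innerHTML;
}

for (const p of PAYLOADS) console.log(JSON.stringify(naiveNeutralize(p)));
if (typeof DOMParser !== 'undefined') {
  console.log(sanitizeHtml('<p onclick="x()">Hi <a href="javascript:alert(1)">x</a><script>alert`1`</script></p>'));
}
```

Re-serializing from the DOM rather than patching the input string is what makes this hold up: the browser that will render the output is the same kind of parser that produced the tree, so there is no second interpretation of the bytes for an encoded-character trick to exploit.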

Sanitizing a Date

柔情痞子 submitted on 2019-12-03 16:14:22
I am using a javascript date picker that allows the user to select a date. However, I would like to also sanitize the posted date data before entering into the database. I am not seeing any sanitize filter here: http://us2.php.net/manual/en/filter.filters.sanitize.php What would be the best method to sanitize a date before entering into a database? This would be the original value from the post: $datepick = $_POST['date']; // which is 04/12/2014 Then I convert it for the database: $date = date("Y-m-d", strtotime($datepick)); Thanks! If your date is like "03/02/2014" then you can simply clean
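Added example, not code from the question or its answer. It shows the strict alternative to "parse leniently and hope": accept only the picker's exact MM/DD/YYYY shape, check that the digits form a real calendar date, and emit a YYYY-MM-DD string rebuilt from those validated digits. Anything else is rejected rather than coerced into some date. The function name and the sample inputs are constructed.

```javascript
// Added example, not code from the question. A strict validator for the
// picker's MM/DD/YYYY format: the only thing that reaches the database is
// a value this function has rebuilt itself as YYYY-MM-DD, or nothing.
// Lenient parsers (PHP's strtotime, JavaScript's Date) accept a wide
// range of inputs and turn many malformed strings into some date; here
// anything that is not a real calendar date in exactly this shape fails.
function sanitizeDate(input) {
  const m = /^(\d{2})\/(\d{2})\/(\d{4})$/.exec(String(input).trim());
  if (m === null) return null;                       // wrong shape, or trailing characters
  const month = Number(m[1]);
  const day = Number(m[2]);
  const year = Number(m[3]);
  if (month < 1 || month > 12) return null;
  // Leap-year rule done by hand so no Date object is involved and no
  // two-digit-year or month-rollover quirks apply.
  const leap = (year % 4 === 0 && year % 100 !== 0) || year % 400 === 0;
  const daysInMonth = [31, leap ? 29 : 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][month - 1];
  if (day < 1 || day > daysInMonth) return null;    // e.g. 02/30, 04/31, 02/29 in a non-leap year
  return `${m[3]}-${m[1]}-${m[2]}`;                  // built from the validated digits only
}

// Constructed sample inputs; the first is the value from the question.
const DATE_SAMPLES = [
  '04/12/2014',
  '02/29/2014',
  '02/29/2016',
  '13/01/2014',
  "04/12/2014' OR 1=1",
  '4/12/2014',
];
for (const s of DATE_SAMPLES) console.log(JSON.stringify(s), '->', sanitizeDate(s));
```

Whatever passes still goes into the query as a bound parameter; validation narrows the set of values, it does not replace a prepared statement. On the PHP side the equivalent strict check is `DateTime::createFromFormat('m/d/Y', $datepick)` followed by inspecting `DateTime::getLastErrors()`, because createFromFormat alone rolls an impossible day such as 02/30 over into the next month and only reports it as a warning.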