sanitization

For just regular use in my PHP code, that is. Not like I'm going to pass it to my queries or anything. If you pass them to SQL queries, you get an SQL injection If you use them to form file names, you get an arbitrary file reading vulnerability If you output them as-is to the user as a part of HTML page, you get an XSS vulnerability If you output them to a file, you may get a malformed file if it has some predetermined formatting If you're just comparing the value with a set of predefined values, you're fine. If you're converting it to a number, you're fine as long as any number works for you

Say that I want to provide some data to my client (in the first response, with no latency) via a dynamic <script> element. <script><%= payload %></script> Say that payload is the string var data = '</script><script>alert("Muahahaha!")';</script> . An end tag ( </script> ) will allow users to inject arbitrary scripts into my page. How do I properly sanitize the contents of my script element? I figure I could change </script> to <\/script> and <!-- to <\!-- . Are there any other dangerous strings I need to escape? Is there a better way to provide this "cold start" data? Cody Gustafson Edited for

I want to make sure a file path set via query string does not go outside of the desired subdirectory. Right now, I am checking that: The path does not start with " / ", to prevent the user from giving an absolute path. The path does not contain " .. ", to prevent the user from giving a path that is outside of the desired subdirectory. The path does not contain " : ", to prevent the use of a url (i.e. " http:// ", " ftp:// ", etc.). Should I ever run this script on a Windows server (not likely), this will also prevent absolute paths beginning with a drive specifier (i.e. " C:\ "). Note: I'm

This is in reference to this (excellent) answer . He states that the best solution for escaping input in PHP is to call mb_convert_encoding followed by html_entities . But why exactly would you call mb_convert_encoding with the same to and from parameters (UTF8)? Excerpt from the original answer: Even if you use htmlspecialchars($string) outside of HTML tags, you are still vulnerable to multi-byte charset attack vectors. The most effective you can be is to use the a combination of mb_convert_encoding and htmlentities as follows. $str = mb_convert_encoding($str, 'UTF-8', 'UTF-8'); $str =

I'm trying to modify an user submitted input before validation success. I've followed this easy instructions , but when I test it on Laravel 5.1, It's not working. Am I doing something wrong? This is my Request class on SSHAM\Http\Requests\UserCreateRequest.php <?php namespace SSHAM\Http\Requests; use SSHAM\Http\Requests\Request; class UserCreateRequest extends Request { // Some stuff not related with this problem /** * Get the validation rules that apply to the request. * * @return array */ public function rules() { // Only for debug $prova = $this->all(); echo "<pre>Inside Request - Before

What are some good PHP html (input) sanitizers? Preferably, if something is built in - I'd like to us that. UPDATE : Per the request, via comments, input should not allow HTML (and obviously prevent XSS & SQL Injection, etc). html purifier -> http://htmlpurifier.org/ I've always used PHP's addslashes() and stripslashes() functions, but I also just saw the built-in filter_var() function ( link ). Looks like there are quite a few built-in filters . If you want to run a query that use let's say $_GET['user'] a nice solution would be to do something like this using mysql_real_escape_string() : <

What are the dangerous characters that should be replaced in user input when the users' input will be inserted in a MySQL query? I know about quotes, double quotes, \r and \n. Are there others? (I don't have the option of using a smart connector that accepts parameters so I have to build the query myself and this will be implemented in multiple programming languages, including some obscure ones so solutions such as mysql_real_escape_string in PHP are not valid) mysql_real_escape_string() from mysql.com docs: The string in from is encoded to an escaped SQL string, taking into account the