sanitization

Sanitize input to a column in postgres

≯℡__Kan透↙ submitted on 2019-12-12 00:46:49
Question: So, I think this should be fairly simple, but the documentation makes it seem somewhat more complicated. I've written an SQL function in PostgreSQL (8.1, for now) which does some cleanup on some string input. For what it's worth, the string is an LDAP distinguished name, and I want there to consistently be no spaces after the commas - and the function is clean_dn(), which returns the cleaned DN. I want to do the same thing to force all input to another couple of columns to lower case, etc -

simple PHP $_GET sanitization question

不羁岁月 submitted on 2019-12-11 17:45:25
Question: I have a record edit link that GETs a 7-character alphanumeric text string which is always ZZZZ111 in structure and is then used in a MySQL query to pull all related data for that record id. Is mysql_real_escape_string() all I need in terms of sanitizing this $_GET['id']? Or are there more steps to take to protect my database? Answer 1: mysql_real_escape_string() will escape any malicious characters. In addition, you can use a regex like /^[A-Za-z]{4}\d{3}$/ to make sure that the user indeed

LIKE statement sanitization SQL PHP

ぃ、小莉子 submitted on 2019-12-11 14:24:04
Question: I am trying to sanitize my SQL calls and I am stuck where I am using a LIKE statement. I have tried most answers on SO, but most of them are in PDO or are very confusing. This is the original code I have, which works. if(isset($_POST['search'])) { $valueToSearch = $_POST['valueToSearch']; $query = "SELECT * FROM `galleries_info` WHERE CONCAT(`Gallery_Id`,`Gallery_Name`,`Gallery_Type_Id` ) LIKE '%".$valueToSearch."%'"; $search_result = filterTable($query); } else { $search_result = "Search

node.js - secure image file upload

醉酒当歌 submitted on 2019-12-11 07:24:08
Question: We had to implement an image uploader for a node.js project. As a framework we are using express.js. We did it as described here: http://howtonode.org/really-simple-file-uploads But we are not sure how to secure this image uploader. What we did so far is: checking the file size; checking extension and header; renaming the file; the file is only accessible over a special route and is not in the root folder. Is this enough? We don't feel very comfortable with the following line: // CHECKING FOR FILESIZE,

PHP preg_replace() pattern, string sanitization

自作多情 submitted on 2019-12-11 05:09:29
Question: I have a regex email pattern and would like to strip all but pattern-matched characters from the string; in short, I want to sanitize the string... I'm not a regex guru, so what am I missing in the regex? <?php $pattern = "/^([\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+\.)*[\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+@((((([a-z0-9]{1}[a-z0-9\-]{0,62}[a-z0-9]{1})|[a-z])\.)+[a-z]{2,6})|(\d{1,3}\.){3}\d{1,3}(\:\d{1,5})?)$/i"; $email = 'contact<>@domain.com'; // wrong email $sanitized_email = preg_replace($pattern,

Mysql and php fixes to replicate PDO security

吃可爱长大的小学妹 submitted on 2019-12-10 21:40:09
Question: I understand that using PDO makes SQL injections virtually impossible. However, I don't have time at the moment to change all the database-related code in our website. (Especially since I'm new at PDO, there's some learning curve involved.) So I want to know what mysql/php functions will give the same security that PDO does. Will these two points be enough? Making sure all $_GET and $_POST data are of the type expected (such as product ids should only be numerical, so I could use is_numeric )

Sanitizing when storing serialized array

蓝咒 submitted on 2019-12-10 15:56:46
Question: If I am storing a serialized array to a mysql database, should I sanitize before or after using the serialize function? Or do I even need to sanitize at all? For example: $details['name'] = mysql_real_escape_string($_POST['name']); $details['email'] = mysql_real_escape_string($_POST['email']); $details['phone'] = mysql_real_escape_string($_POST['phone']); $serializedDetails = serialize($details); // Do SQL query Or $details['name'] = $_POST['name']; $details['email'] = $_POST['email'];

How to sanitize ODBC database input?

生来就可爱ヽ(ⅴ<●) submitted on 2019-12-10 14:54:06
Question: I currently use MySql, but would prefer an ODBC solution to make it future-proof. How do I sanitize user input before passing it to an ODBC database? And, while I'm at it, I wrap my string in double quotes, e.g. "INSERT INTO VALUES(description) ""` - but what if the text itself contains a double quote? Answer 1: Try using a parametrized SQL sentence like this. INSERT INTO MyTable (Field1,Field2) VALUES (:Param1,:Param2) Check this article from Embarcadero for more info about how to use parameters

PHP: How to sanitize uploaded filenames?

隐身守侯 submitted on 2019-12-09 13:13:08
Question: I have a PHP application. I allow users to upload files to my web application. Question: What's the best way for me to sanitize the file names of the uploaded documents $_FILES["filename"]["tmp_name"] in PHP? UPDATE: Can I take an MD5 of the uploaded filename and use that as the newly assigned filename? If so, how do I do that in PHP? Answer 1: I bet that you also store some information about the file in the database. If this is correct, then you can use the primary key (ID) as a filename on

Sanitizing SVG using PHP

[亡魂溺海] submitted on 2019-12-09 05:45:35
Question: I am creating charts on the fly as SVGs using d3.js. These charts are dynamically generated based on the selections of authenticated users. Once these charts are generated, the user has the option to download the generated SVG as a PNG or PDF. The current workflow is the following: // JAVASC // get the element containing generated SVG var svg = document.getElementById("chart-container"); // Extract the data as SVG text string var svg_xml = (new XMLSerializer).serializeToString(svg); // Submit