sanitization

I've seen different comments all over the place, some say that zend framework automatically sanitizes post/get data but others say it doesn't. What's the deal? I've seen that doing it in the predispatch with a foreach on getParams is the quickest way, but does anyone have any suggestions? Probably the deal is about Zend_Controller_Request vs the Zend_Db . Request data are often put into the DB. Request object does not escape anything. You may force it to do using filters, form filters or e.g. using the reflection technique described here: Actions, now with parameters! Zend_Db queries are

There is a Node.js project that sanitizes data and there is an OWASP library for JavaScript that handles sanitization to prevent XSS. I have been benchmarking these libraries, and they are pretty intensive and maybe an overkill, my application does not need any dynamic HTML (submitted by users, bbtags or what ever, not required at all) so why not do it like this: Disable " < " and " > " characters, don't replace them or anything, just disable them, if the user submits these, give them a warning that these are disabled (client- and server-side validation) & => & " => " ' => ' / => / Encode

I am using php 5.4.4 running as UTF-8, and im not sure if I am using htmlspecialchars right. My strings / vars look like this: $text = "<p><span class='clx'>By:</span> ".htmlspecialchars($foo)."</span></p>"; echo $text; Do I have need to use ENT_QUOTES or is that only necessary when I have to echo something inside eg: href="$foo" or id='$foo' ? Atm, om only using htmlspecialchars inside closed html tags and not attributes. Just concatenate the var inside the string within a <p> tag and a </p> tag Thanks You should generally use it when taking data from database and inserting it into html

What is the best way to escape strings for sql inserts, updates? I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement? Thanks Duplicate of: Best way to defend against mysql injection and cross site scripting You should be using parameterized queries (so by extension, a DB interface library that supports parameterized queries) so that SQL injection can't happen. If you're talking about data values for your fields, then the best way is to use mysql_real_escape_string() . (Some people like mysqli ; can't say

I'm working on a database driven site which is using normal database methods rather than prepared statements. Because of this I have to sanitise POST and GET variables when passed to a form action PHP script. There is a sanitise method defined which attempts to sanitise the user input as best as possible but I am trying to cut down the code that tests for the POST and GET variable's existence and the code for defining variables with default values if they don't exist. This is what I came up with but its leaving a bad taste in mine and other dev's mouth as we all feel that the error suppression

I have implemented a search engine in C for my html website. My entire web is programmed in C. I understand that html input sanitization is necessary because an attacker can input these 2 html snippets into my search page to trick my search page into downloading and displaying foreign images/scripts (XSS): <img src="path-to-attack-site"/> <script>...xss-code-here...</script> Wouldn't these attacks be prevented simply by searching for '<' and '>' and stripping them from the search query ? Wouldn't that render both scripts useless since they would not be considered html ? I've seen html