Re: art.gnome.org stuff
- From: Dave Foster <daf minuslab net>
- To: artweb-list gnome org
- Subject: Re: art.gnome.org stuff
- Date: Tue, 26 Jul 2005 00:18:30 +0000
On Tue, 2005-07-26 at 00:55 +0200, Benjamin Berg wrote:
> So you suggest stripping all $_GET and $_POST vars on page load? This
> would work, but also means, that the mysql queries need to be checked,
> to prevent attacks.
Well, my original intentions didn't have anything to do with anything
going into the database.. just the display coming out. As far as I can
see, this can be solved by adding a stripslashes() either in the
function I mentioned (html_parse_text or whatever) or, more
specifically, in the backgrounds file that actually contains the comment
output.
> The specific problem with comments should be fixed. I have posted a
> patch for the last bug related to comments (was a dynamic login
> problem).
I've just joined the list, so I'm a bit new to this whole thing. Can
you link me to what you are referring to? Thanks.
> But there are still problems in account.php. I have even seen
> a user with a \' in the user name, but don't recall exactly where it
> was.
Aye, so it's a problem in other areas as well. There's really no
question, database text usually HAS to be backslashed in order to be
stored appropriately. If all text in the DB is backslashed, then all
instances of it coming out should have those slashes stripped out.
--
Dave Foster <daf minuslab net>
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]