Re: art.gnome.org stuff
On Tue, 2005-07-26 at 00:55 +0200, Benjamin Berg wrote:
> So you suggest stripping all $_GET and $_POST vars on page load? This
> would work, but also means, that the mysql queries need to be checked,
> to prevent attacks.

Well, my original intentions didn't have anything to do with anything
going into the database.. just the display coming out.  As far as I can
see, this can be solved by adding a stripslashes() either in the
function I mentioned (html_parse_text or whatever) or, more
specifically, in the backgrounds file that actually contains the comment
output.

> The specific problem with comments should be fixed. I have posted a
> patch for the last bug related to comments (was a dynamic login
> problem). 

I've just joined the list, so I'm a bit new to this whole thing.  Can
you link me to what you are referring to?  Thanks.


> But there are still problems in account.php. I have even seen
> a user with a \' in the user name, but don't recall exactly where it
> was.

Aye, so it's a problem in other areas as well.  There's really no
question, database text usually HAS to be backslashed in order to be
stored appropriately.  If all text in the DB is backslashed, then all
instances of it coming out should have those slashes stripped out.

-- 
Dave Foster <daf minuslab net>
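The `\'` that shows up in stored user names is the classic double-escaping symptom: magic_quotes_gpc already backslashed the request value, and the code then escaped it again before the INSERT. The following is an added example, not art.gnome.org's code and not the stripslashes-on-output fix proposed above; it simulates the two paths side by side (addslashes() stands in for the DB escaping call, stripslashes() for the server parsing the quoted literal, and the input is a constructed sample) and escapes once per boundary instead:

```php
<?php
// Added example: shows where a literal backslash comes from when a
// magic-quoted value is escaped a second time, and the escape-once
// alternative. Constructed input; no real database is used.

function simulate_magic_quotes(string $raw): string {
    // magic_quotes_gpc applied addslashes() to every $_GET/$_POST value on load
    return addslashes($raw);
}

function store_in_db(string $escaped_literal): string {
    // Simulates the server parsing a quoted SQL literal: exactly one level
    // of backslash escaping is removed before the value is stored.
    return stripslashes($escaped_literal);
}

// Naive path: the request value is already slashed, then slashed again,
// so one backslash survives the literal parsing and is stored verbatim.
function naive_store(string $request_value): string {
    $escaped = addslashes($request_value);       // second escape
    return store_in_db($escaped);
}

// Correct path: undo magic quotes once on input, then escape exactly once
// at the SQL boundary. The stored value matches what the user typed.
function correct_store(string $request_value, bool $magic_quotes_on): string {
    $plain   = $magic_quotes_on ? stripslashes($request_value) : $request_value;
    $escaped = addslashes($plain);               // one escape, for the DB only
    return store_in_db($escaped);
}

// Output boundary: escape for HTML here, never for SQL.
function render(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

$user_input    = "O'Brien <b>";                        // constructed sample input
$request_value = simulate_magic_quotes($user_input);   // what $_POST['name'] held

$bad  = naive_store($request_value);                   // keeps a literal backslash
$good = correct_store($request_value, true);           // round-trips unchanged

echo "naive   : " . render($bad)  . "\n";
echo "correct : " . render($good) . "\n";
```

Run under PHP 7 or later; the first line shows the backslash the thread describes, the second does not, and neither lets the `<b>` reach the browser as markup.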
