Re: [PHP] mysql_real_escape_string() question

2006-10-03 Thread Nisse Engström
On Fri, 29 Sep 2006 11:41:34 -0500 (CDT), Richard Lynch wrote: Consider that the user could provide *ANY* string, of any size, of any composition, for their Subject Maybe they POST a worm in Subject, and it has no newlines, but still manages to propagate through Outlook. Or maybe it's

Re: [PHP] mysql_real_escape_string() question

2006-10-02 Thread Richard Lynch
On Fri, September 29, 2006 8:34 pm, Chris Shiflett wrote: I'm looking for a guide, a chart, a grid, an organized systemic documentation of what data should be escaped how as it travels through the glue that is PHP... That's a great idea. Want to write it? :-) I'd be happy to help. Okay. We

Re: [PHP] mysql_real_escape_string() question

2006-09-29 Thread Richard Lynch
On Thu, September 28, 2006 2:06 pm, tedd wrote: I realize that you are not asking for an answer, but for a guide -- however -- isn't the real problem here simply one of injection? Just stop the user from injecting stuff in the subject and that would fix it right? Or, am I underestimating the

Re: [PHP] mysql_real_escape_string() question

2006-09-29 Thread tedd
At 11:41 AM -0500 9/29/06, Richard Lynch wrote: On Thu, September 28, 2006 2:06 pm, tedd wrote: I realize that you are not asking for an answer, but for a guide -- however -- isn't the real problem here simply one of injection? Just stop the user from injecting stuff in the subject and that

Re: [PHP] mysql_real_escape_string() question

2006-09-29 Thread Chris Shiflett
Richard Lynch wrote: Though I confess, I'm sometimes at a loss how to properly escape certain data for certain situations... Here's an example: Take the Subject of an email. Sure, I've sanitized it to be sure there are no newlines for header injection. But now how do I properly escape

[PHP] mysql_real_escape_string() question

2006-09-28 Thread tedd
Hi gang: In one of my snip-its, namely: http://xn--ovg.com/pdf I was generating a pdf document after the user filled in a form. I had been cleaning the user input by using -- $name = mysql_real_escape_string($name); -- even though I wasn't using MySQL (the code was a cut-paste from some

Re: [PHP] mysql_real_escape_string() question

2006-09-28 Thread Richard Lynch
On Thu, September 28, 2006 10:06 am, tedd wrote: In one of my snip-its, namely: http://xn--ovg.com/pdf I was generating a pdf document after the user filled in a form. I had been cleaning the user input by using -- $name = mysql_real_escape_string($name); -- even though I wasn't using

Re: [PHP] mysql_real_escape_string() question

2006-09-28 Thread tedd
At 11:06 AM -0500 9/28/06, Richard Lynch wrote: What's up with that? Any ideas as to what happened? One also has to ask WHY you would use MySQL's escaping for data that's not going into MySQL. That's almost certainly wrong Richard: Yes, according to:

Re: [PHP] mysql_real_escape_string() question

2006-09-28 Thread tedd
At 11:06 AM -0500 9/28/06, Richard Lynch wrote: Though I confess, I'm sometimes at a loss how to properly escape certain data for certain situations... Here's an example: Take the Subject of an email. Sure, I've sanitized it to be sure there are no newlines for header injection. But now how