On Fri, 29 Sep 2006 11:41:34 -0500 (CDT), "Richard Lynch" wrote:
> Consider that the user could provide *ANY* string, of any size, of any
> composition, for their "Subject"
>
> Maybe they POST a worm in Subject, and it has no newlines, but still
> manages to propagate through Outlook.
>
> Or may
On Fri, September 29, 2006 8:34 pm, Chris Shiflett wrote:
>> I'm looking for a guide, a chart, a grid, an organized systemic
>> documentation of what data should be escaped how as it travels
>> through the "glue" that is PHP...
>
> That's a great idea. Want to write it? :-) I'd be happy to help.
O
Richard Lynch wrote:
> Though I confess, I'm sometimes at a loss how to properly escape
> certain data for certain situations...
>
> Here's an example:
> Take the Subject of an email.
>
> Sure, I've sanitized it to be sure there are no newlines for header
> injection.
>
> But now how do I proper
At 11:41 AM -0500 9/29/06, Richard Lynch wrote:
On Thu, September 28, 2006 2:06 pm, tedd wrote:
I realize that you are not asking for an answer, but for a guide --
however -- isn't the real problem here simply one of injection? Just
stop the user from injecting stuff in the subject and that w
On Thu, September 28, 2006 2:06 pm, tedd wrote:
> I realize that you are not asking for an answer, but for a guide --
> however -- isn't the real problem here simply one of injection? Just
> stop the user from injecting stuff in the subject and that would fix
> it right? Or, am I underestimating th
At 11:06 AM -0500 9/28/06, Richard Lynch wrote:
Though I confess, I'm sometimes at a loss how to properly escape
certain data for certain situations...
Here's an example:
Take the Subject of an email.
Sure, I've sanitized it to be sure there are no newlines for header
injection.
But now how do
At 11:06 AM -0500 9/28/06, Richard Lynch wrote:
> What's up with that? Any ideas as to what happened?
One also has to ask WHY you would use MySQL's escaping for data that's
not going into MySQL.
That's almost certainly "wrong"
Richard:
Yes, according to:
http://us3.php.net/mysql_real_escap
On Thu, September 28, 2006 10:06 am, tedd wrote:
> In one of my snip-its, namely:
>
> http://xn--ovg.com/pdf
>
> I was generating a pdf document after the user filled in a form. I
> had been cleaning the user input by using --
>
> $name = mysql_real_escape_string($name);
>
> -- even though I wasn'
Hi gang:
In one of my snip-its, namely:
http://xn--ovg.com/pdf
I was generating a pdf document after the user filled in a form. I
had been cleaning the user input by using --
$name = mysql_real_escape_string($name);
-- even though I wasn't using MySQL (the code was a cut-paste from
some o