Re: [GENERAL] stripping HTML, SQL injections ...
At 5:51p -0500 on 14 Nov 2007, A.M. wrote:
> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
>> On Nov 14, 2007 2:40 PM, madhtr [EMAIL PROTECTED] wrote:
>>> Quick question, are there any native functions in PostGreSQL 8.1.4 that will strip HTML tags, escape chars, etc?
>> I can't think of a lot of native functions, but it's sure easy enough to roll your own with things like the regex functionality built in.
> Please don't do that - there are corner cases where a naive regex can fail, leaving the programmer thinking he is covered when he is not. The various web languages include filtering modules (HTML::Scrubber) - in the case of Perl or PHP, it can even be run server-side. Furthermore, one shouldn't use an API which allows for SQL injections.

Sorry for the 4-day late response (out of town). Doesn't Postgres do the escaping for you if you prepare the statement beforehand? It still doesn't remove the HTML tags, though ...

Kevin

---(end of broadcast)---
TIP 1: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly
Re: [GENERAL] stripping HTML, SQL injections ...
Alvaro Herrera wrote:
> Martin Gainty wrote:
>> this is a very simple html tag strip routine. I don't understand what security you had in mind .. so I take it you're not a fan of dojo or GWT?
> Let's say the user disables javascript on the browser?

or, more easily, an attacker can use the firefox web developer toolbar to manipulate form data...

--
There is no more strength in normality, there is only monotony.
Re: [GENERAL] stripping HTML, SQL injections ...
madhtr wrote:
> Quick question, are there any native functions in PostGreSQL 8.1.4 that will strip HTML tags, escape chars, etc?

Using an SQL function to circumvent SQL injections probably isn't the wisest of ideas.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/
[GENERAL] stripping HTML, SQL injections ...
Quick question, are there any native functions in PostGreSQL 8.1.4 that will strip HTML tags, escape chars, etc?

thanx:)
Re: [GENERAL] stripping HTML, SQL injections ...
On Nov 14, 2007 2:40 PM, madhtr [EMAIL PROTECTED] wrote:
> Quick question, are there any native functions in PostGreSQL 8.1.4 that will strip HTML tags, escape chars, etc?

I can't think of a lot of native functions, but it's sure easy enough to roll your own with things like the regex functionality built in.
Re: [GENERAL] stripping HTML, SQL injections ...
On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
> On Nov 14, 2007 2:40 PM, madhtr [EMAIL PROTECTED] wrote:
>> Quick question, are there any native functions in PostGreSQL 8.1.4 that will strip HTML tags, escape chars, etc?
> I can't think of a lot of native functions, but it's sure easy enough to roll your own with things like the regex functionality built in.

Please don't do that - there are corner cases where a naive regex can fail, leaving the programmer thinking he is covered when he is not. The various web languages include filtering modules (HTML::Scrubber) - in the case of Perl or PHP, it can even be run server-side.

Furthermore, one shouldn't use an API which allows for SQL injections.

Cheers,
M
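An added illustration of the "corner cases where a naive regex can fail" point, not code from anyone in the thread: the one-regex tag stripper is placed beside a stripper built on Python's standard-library HTML tokenizer, and a quoted attribute value containing `>` shows where the regex version leaves residue. The parser-based version is a minimal example, not a substitute for a maintained filtering library such as HTML::Scrubber.

```python
import re
from html.parser import HTMLParser

# The "roll your own" approach: anything between < and the next > is treated as a tag.
NAIVE_TAG_RE = re.compile(r"<[^>]*>")


def strip_tags_naive(html_text: str) -> str:
    """Regex stripper. Breaks on '>' inside quoted attributes and keeps <script> bodies."""
    return NAIVE_TAG_RE.sub("", html_text)


class _TextOnly(HTMLParser):
    """Collect text nodes only; tags, attributes and comments are discarded."""

    SKIPPED = {"script", "style"}  # their content is code/CSS, never user-visible text

    def __init__(self) -> None:
        # convert_charrefs=True turns "&amp;" into "&" in the data we collect,
        # so the result is plain text and must be escaped again before rendering.
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIPPED:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIPPED and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def strip_tags_parser(html_text: str) -> str:
    """Tokenizer-based stripper: the attribute value "x>y" is seen as one token."""
    parser = _TextOnly()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    sample = '<a title="x>y">link</a><script>x()</script>'  # constructed input
    print(repr(strip_tags_naive(sample)))   # residue from the attribute, script body kept
    print(repr(strip_tags_parser(sample)))  # 'link'
```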
Re: [GENERAL] stripping HTML, SQL injections ...
Scott -
In JavaScript
http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTML.htm
M--

- Original Message -
From: Scott Marlowe [EMAIL PROTECTED]
To: A.M. [EMAIL PROTECTED]
Cc: pgsql-general pgsql-general@postgresql.org
Sent: Wednesday, November 14, 2007 6:16 PM
Subject: Re: [GENERAL] stripping HTML, SQL injections ...

> On Nov 14, 2007 4:51 PM, A.M. [EMAIL PROTECTED] wrote:
>> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
>>> On Nov 14, 2007 2:40 PM, madhtr [EMAIL PROTECTED] wrote:
>>>> Quick question, are there any native functions in PostGreSQL 8.1.4 that will strip HTML tags, escape chars, etc?
>>> I can't think of a lot of native functions, but it's sure easy enough to roll your own with things like the regex functionality built in.
>> Please don't do that - there are corner cases where a naive regex can fail, leaving the programmer thinking he is covered when he is not. The various web languages include filtering modules (HTML::Scrubber) - in the case of Perl or PHP, it can even be run server-side.
> And given that pl/PHP can run that inside the database, is there a reason you can't do it there?
>> Furthermore, one shouldn't use an API which allows for SQL injections.
> Oh heck, I hadn't even noticed he was asking about escaping things. I guess it really matters what he means by escaping them. If he's talking url encoding/decoding, that's something you could do safely in the db (again, with something like pl/PHP or pl/perl) but SQL escaping should be done before the db ever sees the data.
Re: [GENERAL] stripping HTML, SQL injections ...
Martin,

2000/11/15, Martin Gainty [EMAIL PROTECTED]:
> Scott -
> In JavaScript
> http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTML.htm

I don't remember what the consensus was back in 2000 (your mail's timestamp), but in 2007 it's Not A Good Idea to rely on client-side validation for security-related operations ;).

Regards
Ian Barwick
--
http://sql-info.de/index.html
Re: [GENERAL] stripping HTML, SQL injections ...
this is a very simple html tag strip routine. I don't understand what security you had in mind .. so I take it you're not a fan of dojo or GWT?
M--

- Original Message -
From: Ian Barwick [EMAIL PROTECTED]
Cc: Scott Marlowe [EMAIL PROTECTED]; pgsql-general pgsql-general@postgresql.org
Sent: Wednesday, November 14, 2007 7:21 PM
Subject: Re: [GENERAL] stripping HTML, SQL injections ...

> Martin,
>
> 2000/11/15, Martin Gainty [EMAIL PROTECTED]:
>> Scott -
>> In JavaScript
>> http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTML.htm
>
> I don't remember what the consensus was back in 2000 (your mail's timestamp), but in 2007 it's Not A Good Idea to rely on client-side validation for security-related operations ;).
>
> Regards
> Ian Barwick
> --
> http://sql-info.de/index.html
Re: [GENERAL] stripping HTML, SQL injections ...
Martin Gainty wrote:
> this is a very simple html tag strip routine. I don't understand what security you had in mind .. so I take it you're not a fan of dojo or GWT?

Let's say the user disables javascript on the browser?

--
Alvaro Herrera http://www.advogato.org/person/alvherre
Learn to be more ashamed before yourself than before others (Democritus)
Re: [GENERAL] stripping HTML, SQL injections ...
On Nov 14, 2007 4:51 PM, A.M. [EMAIL PROTECTED] wrote:
> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
>> On Nov 14, 2007 2:40 PM, madhtr [EMAIL PROTECTED] wrote:
>>> Quick question, are there any native functions in PostGreSQL 8.1.4 that will strip HTML tags, escape chars, etc?
>> I can't think of a lot of native functions, but it's sure easy enough to roll your own with things like the regex functionality built in.
> Please don't do that - there are corner cases where a naive regex can fail, leaving the programmer thinking he is covered when he is not. The various web languages include filtering modules (HTML::Scrubber) - in the case of Perl or PHP, it can even be run server-side.

And given that pl/PHP can run that inside the database, is there a reason you can't do it there?

> Furthermore, one shouldn't use an API which allows for SQL injections.

Oh heck, I hadn't even noticed he was asking about escaping things. I guess it really matters what he means by escaping them. If he's talking url encoding/decoding, that's something you could do safely in the db (again, with something like pl/PHP or pl/perl) but SQL escaping should be done before the db ever sees the data.
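An added example, not from anyone in the thread, of the point Kevin and Scott converge on: with a prepared (parameterized) statement the driver sends the value separately from the SQL text, so no escaping in the database is needed at all. It uses Python's built-in sqlite3 as a stand-in so it runs offline; with psycopg2 against PostgreSQL the placeholder is `%s` instead of `?`, and the table, rows and inputs are constructed for the demo.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """In-memory table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hello')")
    return conn


def find_user_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so a quote in `name`
    ends the literal early and the rest is parsed as SQL."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the statement is prepared with a placeholder and the value is bound
    afterwards; it is compared as data and never parsed."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def compare(conn: sqlite3.Connection, name: str) -> tuple:
    """Run both variants on the same input and return (interpolated, parameterized).
    If the interpolated query fails to parse, that slot holds the error text."""
    try:
        interpolated = find_user_interpolated(conn, name)
    except sqlite3.OperationalError as exc:
        interpolated = f"error: {exc}"
    return interpolated, find_user_parameterized(conn, name)


if __name__ == "__main__":
    db = setup()
    # A legitimate name with an apostrophe breaks the interpolated query outright.
    print(compare(db, "O'Brien"))
    # A value that rewrites the WHERE clause matches every row when interpolated,
    # but matches nothing when bound as a parameter.
    print(compare(db, "' OR '1'='1"))
```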