Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-14 Thread Scott Marlowe
On Nov 14, 2007 2:40 PM, madhtr <[EMAIL PROTECTED]> wrote:
> Quick question, are there any native functions in PostGreSQL 8.1.4 that will
> strip HTML tags, escape chars, etc?

I can't think of a lot of native functions, but it's sure easy enough
to roll your own with things like the regex functionality built in.

---(end of broadcast)---
TIP 9: In versions below 8.0, the planner will ignore your desire to
   choose an index scan if your joining column's datatypes do not
   match


Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-14 Thread A.M.


On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:

> On Nov 14, 2007 2:40 PM, madhtr <[EMAIL PROTECTED]> wrote:
>> Quick question, are there any native functions in PostGreSQL 8.1.4 that will
>> strip HTML tags, escape chars, etc?
>
> I can't think of a lot of native functions, but it's sure easy enough
> to roll your own with things like the regex functionality built in.


Please don't do that - there are corner cases where a naive regex can
fail, leaving the programmer thinking he is covered when he is not.
The variety of web languages include filtering modules
(HTML::Scrubber) - in the case of Perl or PHP, it can even be run
server-side.


Furthermore, one shouldn't use an API which allows for SQL injections.

Cheers,
M

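As an added illustration of the corner cases A.M. warns about (example code written for this archive, not from the thread or any poster), here is the one-pass "roll your own" regex next to a strip built on Python's stdlib `html.parser`, run over a few constructed inputs. The inputs and function names are assumptions for the demo.

```python
import re
from html.parser import HTMLParser

# "Roll your own": drop anything that looks like <...>.  A single pass with
# this pattern is what most hand-written tag strippers amount to.
NAIVE_TAG_RE = re.compile(r"<[^>]*>")


def strip_tags_naive(html: str) -> str:
    return NAIVE_TAG_RE.sub("", html)


class _TextCollector(HTMLParser):
    """Keeps only text nodes; tags, comments and declarations are dropped
    by the tokenizer, which understands quoted attribute values and
    comment boundaries the way a browser does."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def strip_tags_parser(html: str) -> str:
    p = _TextCollector()
    p.feed(html)
    p.close()
    return "".join(p.parts)


# Constructed inputs: one where both agree, two where the regex goes wrong.
CASES = {
    "plain": "<b>bold</b> text",
    # '>' inside a quoted attribute ends the regex match early
    "gt_in_attribute": '<a href="x>y">link</a>',
    # the regex only sees the first '>' of the comment, so commented-out
    # markup leaks through as text
    "comment": "before<!-- <b>hidden</b> -->after",
}


def compare(cases=CASES):
    """Return {name: (naive_result, parser_result)} for each input."""
    return {n: (strip_tags_naive(s), strip_tags_parser(s)) for n, s in cases.items()}


if __name__ == "__main__":
    for name, (naive, parsed) in compare().items():
        flag = "" if naive == parsed else "   <-- differs"
        print(f"{name:16} naive={naive!r:28} parser={parsed!r}{flag}")
```

A tokenizer that tracks quoting and comment state is the minimum; a real sanitizer such as the HTML::Scrubber module mentioned above additionally decides which tags and attributes to keep.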


Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-14 Thread Martin Gainty
Scott-

In JavaScript
http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTML.htm

M--
- Original Message -
From: "Scott Marlowe" <[EMAIL PROTECTED]>
To: "A.M." <[EMAIL PROTECTED]>
Cc: "pgsql-general" 
Sent: Wednesday, November 14, 2007 6:16 PM
Subject: Re: [GENERAL] stripping HTML, SQL injections ...


> On Nov 14, 2007 4:51 PM, A.M. <[EMAIL PROTECTED]> wrote:
> >
> >
> > On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
> >
> > > On Nov 14, 2007 2:40 PM, madhtr <[EMAIL PROTECTED]> wrote:
> > >> Quick question, are there any native functions in PostGreSQL 8.1.4
> > >> that will
> > >> strip HTML tags, escape chars, etc?
> > >
> > > I can't think of a lot of native functions, but it's sure easy enough
> > > to roll your own with things like the regex functionality built in.
> >
> > Please don't do that- there are corner cases where a naive regex can
> > fail, leaving the programmer thinking he is covered when he is not.
> > The variety of web languages include filtering modules
> > (HTML::Scrubber)- in the case of Perl or PHP, it can even be run
> > server-side.
>
> And given that pl/PHP can run that inside the database, there's a
> reason you can't do it there?
>
> > Furthermore, one shouldn't use an API which allows for SQL injections.
>
> Oh heck, I hadn't even noticed he was asking about escaping things.  I
> guess it really matters what he means by escaping them.  If he's
> talking url encoding decoding, that's something you could do safely in
> the db (again, with something like pl/PHP or pl/perl) but SQL escaping
> should be done before the db ever sees the data.
>




Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-14 Thread Ian Barwick
Martin,

2000/11/15, Martin Gainty <[EMAIL PROTECTED]>:
> Scott-
>
> In JavaScript
> http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTML.htm

I don't remember what the consensus was back in 2000 (your mail's
timestamp), but in 2007 it's Not A Good Idea to rely on client-side
validation for security-related operations ;).


Regards

Ian Barwick


-- 
http://sql-info.de/index.html



Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-14 Thread Martin Gainty
this is a very simple html tag strip routine
I don't understand what security you had in mind ..

so I take it you're not a fan of dojo or GWT?

M--
- Original Message -
From: "Ian Barwick" <[EMAIL PROTECTED]>
Cc: "Scott Marlowe" <[EMAIL PROTECTED]>; "pgsql-general"

Sent: Wednesday, November 14, 2007 7:21 PM
Subject: Re: [GENERAL] stripping HTML, SQL injections ...


> Martin,
>
> 2000/11/15, Martin Gainty <[EMAIL PROTECTED]>:
> > Scott-
> >
> > In JavaScript
> > http://www.java2s.com/Tutorial/JavaScript/0520__Regular-Expressions/StripHTML.htm
>
> I don't remember what the consensus was back in 2000 (your mail's
> timestamp), but in 2007 it's Not A Good Idea to rely on client-side
> validation for security-related operations ;).
>
>
> Regards
>
> Ian Barwick
>
>
> --
> http://sql-info.de/index.html
>




Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-14 Thread Alvaro Herrera
Martin Gainty wrote:
> this is a very simple html tag strip routine
> I don't understand what security you had in mind ..
> 
> so I take it you're not a fan of dojo or GWT?

Let's say the user disables javascript on the browser?


-- 
Alvaro Herrera                         http://www.advogato.org/person/alvherre
"Learn to be more ashamed before yourself than before others" (Democritus)



Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-14 Thread Scott Marlowe
On Nov 14, 2007 4:51 PM, A.M. <[EMAIL PROTECTED]> wrote:
>
>
> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
>
> > On Nov 14, 2007 2:40 PM, madhtr <[EMAIL PROTECTED]> wrote:
> >> Quick question, are there any native functions in PostGreSQL 8.1.4
> >> that will
> >> strip HTML tags, escape chars, etc?
> >
> > I can't think of a lot of native functions, but it's sure easy enough
> > to roll your own with things like the regex functionality built in.
>
> Please don't do that- there are corner cases where a naive regex can
> fail, leaving the programmer thinking he is covered when he is not.
> The variety of web languages include filtering modules
> (HTML::Scrubber)- in the case of Perl or PHP, it can even be run
> server-side.

And given that pl/PHP can run that inside the database, there's a
reason you can't do it there?

> Furthermore, one shouldn't use an API which allows for SQL injections.

Oh heck, I hadn't even noticed he was asking about escaping things.  I
guess it really matters what he means by escaping them.  If he's
talking url encoding decoding, that's something you could do safely in
the db (again, with something like pl/PHP or pl/perl) but SQL escaping
should be done before the db ever sees the data.



Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-15 Thread Ottavio Campana
Alvaro Herrera wrote:
> Martin Gainty escribió:
>> this is a very simple html tag strip routine
>> I don't understand what security you had in mind ..
>>
>> so I take it you're not a fan of dojo or GWT?
> 
> Let's say the user disables javascript on the browser?

or more easily, an attacker can use the firefox web developer toolbar to
manipulate forms data...

-- 
There is no strength left in normality, only monotony.





Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-15 Thread Peter Eisentraut
madhtr wrote:
> Quick question, are there any native functions in PostGreSQL 8.1.4 that
> will strip HTML tags, escape chars, etc?

Using an SQL function to circumvent SQL injections probably isn't the wisest 
of ideas.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/



Re: [GENERAL] stripping HTML, SQL injections ...

2007-11-18 Thread Kevin Hunter
At 5:51p -0500 on 14 Nov 2007, A.M. wrote:
> On Nov 14, 2007, at 4:23 PM, Scott Marlowe wrote:
> 
>> On Nov 14, 2007 2:40 PM, madhtr <[EMAIL PROTECTED]> wrote:
>>> Quick question, are there any native functions in PostGreSQL 8.1.4
>>> that will strip HTML tags, escape chars, etc?
>>
>> I can't think of a lot of native functions, but it's sure easy enough
>> to roll your own with things like the regex functionality built in.
> 
> Please don't do that- there are corner cases where a naive regex can
> fail, leaving the programmer thinking he is covered when he is not. The
> variety of web languages include filtering modules (HTML::Scrubber)- in
> the case of Perl or PHP, it can even be run server-side.
> 
> Furthermore, one shouldn't use an API which allows for SQL injections.

Sorry for the 4-day late response (out of town).  Doesn't Postgres do
the escaping for you if you prepare the statement before hand?  It still
doesn't remove the HTML tags, though ...

Kevin
