RE: [PHP] Preventing Cross Site Scripting Vulnerabilities

2005-12-08 Thread Ford, Mike
-----Original Message-----
From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: 07 December 2005 19:34
To: comex
Cc: php-general@lists.php.net
Subject: Re: [PHP] Preventing Cross Site Scripting Vulnerabilities

function chk_input( $string ) { if( eregi( ^[0-9a-z_ -]$, $string

Re: [PHP] Preventing Cross Site Scripting Vulnerabilities

2005-12-08 Thread Michael B Allen
On Wed, 07 Dec 2005 14:33:07 -0500 Chris Shiflett [EMAIL PROTECTED] wrote: Michael B Allen wrote: Can someone recommend a general method for avoiding / eliminating XSS vulnerabilities with PHP? Yeah, escape output. It's really that simple. Well after looking at this for a while I agree

[PHP] Preventing Cross Site Scripting Vulnerabilities

2005-12-07 Thread Michael B Allen
Can someone recommend a general method for avoiding / eliminating XSS vulnerabilities with PHP? Specifically is there a library function for validating fields? If not, can someone recommend a regex that detects HTML tags? Similarly is there a library function for escaping database content for

Re: [PHP] Preventing Cross Site Scripting Vulnerabilities

2005-12-07 Thread comex
Similarly is there a library function for escaping database content for inclusion in HTML pages? http://php.net/htmlspecialchars http://php.net/htmlentities -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Preventing Cross Site Scripting Vulnerabilities

2005-12-07 Thread Chris Shiflett
Michael B Allen wrote: Can someone recommend a general method for avoiding / eliminating XSS vulnerabilities with PHP? Yeah, escape output. It's really that simple. Curt Zirzow made a nice post related to this topic yesterday, and here's a simple example: http://phpsecurity.org/code/ch01-4

Re: [PHP] Preventing Cross Site Scripting Vulnerabilities

2005-12-07 Thread Jason Gerfen
comex wrote: Similarly is there a library function for escaping database content for inclusion in HTML pages? http://php.net/htmlspecialchars http://php.net/htmlentities Or roll your own and replace the eregi regex with data that is valid to your application: function chk_input(

Re: [PHP] Preventing Cross Site Scripting Vulnerabilities

2005-12-07 Thread Ray Hauge
There's been a lot of great articles in the PHP|Architect magazine over the past 3 months or so about this (http://www.phparch.com). You do have to purchase back-issues though. Very good articles though. They cover how to make functions to filter what variables should be sent in, and how to

Re: [PHP] Preventing Cross Site Scripting Vulnerabilities

2005-12-07 Thread Chris Shiflett
Ray Hauge wrote: There's been a lot of great articles in the PHP|Architect magazine over the past 3 months or so about this (http://www.phparch.com). You do have to purchase back-issues though. Past editions of Security Corner are eventually available for free from my web site: