|
So I found a security hole in my register page. Basically, the javascript that checks the inputs only checks for string length. So <textarea> would pass javascripts checks. However, in php I strip html tags. Then I check if the string is empty. This does not account for whitespaces though! So, " <img>" would pass all checks ( empty() only checks if the string is null or empty).
That is:
Javascript would see there is enough chars.
PHP would strip the html tags, leaving us with " " (from above).
And empty would check to see if the string is null or empty (does not include whitespaces).
This brings something to question. Would the trim function work after I strip html tags? As the link says,"This function returns a string with whitespace stripped from the beginning and end of str." So if the string only contains whitespaces does it still strip it?
|
|
|
|
|
≡
|
2010 Dec 12 at 20:49 UTC
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
Just write something that disallows "<", ">", "/", and ":", like I already told you to do earlier.
|
|
|
|
|
≡
|
2010 Dec 12 at 20:51 UTC
|
|
|
|
There is a lot more to do than jus' that.
Quote: remember that trim doesn't work inside a string, just on the borders
New question: How do I strip whitespaces within a string?
php code
<?php
preg_replace("/\s/g","",$string);
?>
|
|
|
|
|
≡
|
2010 Dec 12 at 21:02 UTC
— Ed. 2010 Dec 13 at 06:34 UTC
|
|
|
|
So here is what I have, its pretty simple. This will disallow HTML tags, PHP tags, whitespaces (spaces, tabs, line breaks, carriage returns, etc.).
php code
<?php
class Protect
{
public function Strip($string)
{
if (!empty($string))
{
$string = html_entity_decode($string);
$string = strip_tags($string);
$string = trim($string);
$string = preg_replace("/\s/","",$string);
}
else
{
return false;
}
return $string;
}
}
?>
|
|
|
|
|
≡
|
2010 Dec 14 at 00:28 UTC
|
|
|
|
Don't use Javascript (client side) for security. It won't work.
Don't use strip_tags either, it is easy to get around.
If you don't want to allow HTML tags, use htmlentities(), or just replace < with <.
Also, replacing all whitespace after trim() is redundant.
And why do you want to remove all whitespace? That seems odd.
|
|
|
|
|
≡
|
2010 Dec 14 at 07:36 UTC
— Ed. 2010 Dec 14 at 07:36 UTC
|
|
|
Down Rodeo
Cap'n Moth of the Firehouse
2007 Oct 19 • 5486
57,583 ₧
|
Becausepostslookbetterlikethis.
|
|
|
|
|
≡
|
2010 Dec 14 at 22:59 UTC
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
I̜̯̖͔͛͂̂ ͊ͬͬ̂͟tͮ̿̽ͧ̂ͅh́̚i̳͔̓n̗̠͇͇̎̀ͅͅḳ̣̒̑̂ͮ ̟̩̭̘ͧ͗̑̊ͨͭ́̕p̥̄̄ͧ̌̋͗ò̡̄̚s̛̬͈̎t̷̘̥̳̯͚̿s̳̙̈́̒ͫ ̟̓̅̐̽̈́ͤͬͅl͈͜õ̟̙̓͛́ͤo̧̟̩̠̲̿́̉ͫ̚̚ķ̖̱͇̲͙̝̰͑ ̠̺͓͓͕͚̥̈ͮ́t̷̮̻̙͗̂̏̄ḧ̫̥̬́̇ͫ͐e̺̺͚ͦ̒̅̽ͭ̔͌ ̤̈́ͥ̑͐b̘̬̍́ͩ̓e̲͇̻̜͡s͊̅̑̐̅ͣ̿͏̖t̍̍ͧ ͕͋l̒̒ͤ́̃ͩ͏͉̟̲̲̬i͌ͦͭͦ̔ͯ̓ḱ̤͖ͪ̒ͭ͋̇e̳͎͘ ͉̝̫̱͓̟ͩ̇ͨ͑ͥt̺̣̲̦̽́̓͡h̜̘̥̀́̍̒ͯ͗̄͟i̮͓̳͊̓͊ͬ̆̄̄s̷̞͖̳͈̘ͥͫͅ.͐
|
|
|
|
|
≡
|
2010 Dec 14 at 23:09 UTC
|
|
|
aaronjer
*****'n Admin
2005 Mar 21 • 5046
1,227 ₧
|
Okay, it looks like you are posting as captcha. I wish I could always post in captcha.
|
|
|
|
|
≡
|
2010 Dec 15 at 03:31 UTC
— Ed. 2010 Dec 15 at 03:31 UTC
|
|
|
|
I̜̯ ͊ͬtͮ̿h́̚i̳͔n̗̠ḳ̣̒ ̟̩p̥̄ò̡̄s̛̬t̷̘s̳̙ ̟̓l͈͜õ̟̙o̧̟ķ̖̱ ̠̺t̷̮ḧ̫̥e̺̺ ̤̈b̘̬e̲͇s͊̅t̍̍ ͕͋l̒̒i͌ͦḱ̤͖e̳͎ ͉̝t̺̣h̜̘i̮͓s̷̞.͐an̗̠d b̘̬i̳͔g.͐ !
|
|
|
|
|
≡
|
2010 Dec 18 at 03:14 UTC
— Ed. 2010 Dec 18 at 03:15 UTC
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
I̓́͆̑͏̛҉̗̩͙̘͔̦̟̤͇͈̖̥̲̀͜ͅ ̤̥̲͎̘͚͉͉͉͐̎̀ͥͨ͌̐̑̈́́̂̂͌̈́̀͠ͅA̸̴̛͓̣̙̮͍̤̖̯̹͉ͪͮ̈́̔ͯ̀ͅG̶̴̞͉̭̗͉̤̗̝̙͕͈̪̪͔̥̔́ͫ͗̽ͤͫ̇̆̏ͣ̎̐ͫ̀͠Ŗ̂ͦ̊̈́ͦ̓̌ͤ̃͊͝҉͉̤͓̞̮͜E̶̷͚̯͓̥̦͉͑̽ͨE̢̛̻͈̬͓̮̹̮͉̞̙̗ͩ̅͒ͨ!͌̃͐ͨͫ̍̃ͤ͒҉̴̡͉̻̦͉͕͓͍͕͎̳͇̪̳͎̣͇̖͕̻͡
|
|
|
|
|
≡
|
2010 Dec 20 at 00:37 UTC
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
By the way, does anyone know how that works? I'm guessing there is some sort of ascii value that allows you to put a character above or below a character, rather than to the right of it, but idk 
|
|
|
|
|
≡
|
2010 Dec 20 at 00:51 UTC
|
|
|
|
Wow, google chrome doesn't display that properly, so I thought it was just a lot of squares and rectangles.
...and that's the bottom line because Mate de Vita said so.
|
|
|
|
|
≡
|
2010 Dec 20 at 10:21 UTC
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
Chrome displays it fine on my end.
|
|
|
|
|
≡
|
2010 Dec 20 at 16:14 UTC
|
|
|
|
Rockbomb said: Chrome displays it fine on my end.
Must be windows xp then.
...and that's the bottom line because Mate de Vita said so.
|
|
|
|
|
≡
|
2010 Dec 20 at 17:53 UTC
|
|
|
Down Rodeo
Cap'n Moth of the Firehouse
2007 Oct 19 • 5486
57,583 ₧
|
I can believe that :p
Is XP ten years old now?
|
|
|
|
|
≡
|
2010 Dec 20 at 18:43 UTC
|
|
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
So.... how do you "stack" these?
|
|
|
|
|
≡
|
2010 Dec 21 at 09:09 UTC
— Ed. 2010 Dec 21 at 09:27 UTC
|
|
|
Down Rodeo
Cap'n Moth of the Firehouse
2007 Oct 19 • 5486
57,583 ₧
|
For the record my phone doesn't like them either.
|
|
|
|
|
≡
|
2010 Dec 21 at 18:17 UTC
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
|
|
|
|
|
≡
|
2010 Dec 21 at 19:56 UTC
— Ed. 2010 Dec 21 at 20:16 UTC
|
|
|
|
|
|
|
|
|
≡
|
2010 Dec 21 at 20:33 UTC
— Ed. 2010 Dec 21 at 20:34 UTC
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
s̅p̅r̅i̅n̅k̅l̅e̅s̅ said: ̅U̅+̅0̅3̅0̅5̅
|
|
|
|
|
≡
|
2010 Dec 21 at 20:34 UTC
— Ed. 2010 Dec 21 at 20:35 UTC
|
|
|
|
|
|
|
|
|
≡
|
2010 Dec 21 at 20:35 UTC
|
|
|
Rockbomb
Dog fucker (but in a good way now)
2009 Nov 14 • 2045
|
sprinkles said: I d͐o͑n͒'͓t g͕e͖t t͗h͘i͙s s͚t͛u͜f͝f͞.
|
|
|
|
|
≡
|
2010 Dec 21 at 20:39 UTC
|
|
|
|
Page [1]
|
