GPC cleaner.. safe procedure..
Hi
OK, I'm using the input cleaner to protect from sql inserts, etc.
But I'm clearly missing something.
I am using NOHTML to clean a text area input through $_POST.
But if I were to enter an ' in the text area it breaks the SQL, unless I use a $db->escape_string(....) function on it.
Is there a different way I'm supposed to use the cleaner?
Could someone please give me a definitive procedure for cleaning text input prior to entering it into the db?
cheers
Antivirus
08-31-2007, 09:17 AM
please post your code
OK, e.g.:
$vbulletin->input->clean_array_gpc('p', array(
    'firstname' => TYPE_NOHTML,
    'surname'   => TYPE_NOHTML
));
// note: no escape_string() here, which is why a stray ' breaks the query
$db->query_write("INSERT INTO foo (firstname, surname) VALUES ('" . $vbulletin->GPC['firstname'] . "', '" . $vbulletin->GPC['surname'] . "')");
Dismounted
08-31-2007, 11:18 AM
If you're only inserting to the database, only escape is required ($vbulletin->db->escape_string()), but if you're going to display that data, you will have to use the GPC cleaner (TYPE_NOHTML) as well.
So are you saying there is no need to clean data that is going to be inserted into the db?
I thought one of the main purposes of the cleaner was to protect against XSS and malicious db inserts, etc?
(thanks for your replies)
Opserty
08-31-2007, 01:26 PM
You are still cleaning the data with $db->escape_string()... ( to prevent SQL injections )
Like Dismounted said:
if you're going to display that data, you will have to use the GPC cleaner (TYPE_NOHTML) as well.
OK..
I'm with you now, thank you.
If the user enters some text, and I want to store it in the db, and then later display it..
A safe procedure that will protect me from malicious use of the system is to GPC it for TYPE_NOHTML, and then escape_string it also?
Please confirm.
-
Also, having done this..
If someone enters a ' or a &, by the time I get it back out of the db and back into the text area, it has & type codes rather than the characters. How do I handle these please?
Thanks again, I really appreciate this.
Simon
Opserty
08-31-2007, 04:40 PM
Well in that case clean it using TYPE_STR and escape it and store it in the db. Then when you come to display it (except in the textarea) use htmlspecialchars_uni() on the text. Or if you want to be fancy you can use vB's BBcode parser :P.
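Putting Dismounted's and Opserty's advice together, here is the first post's snippet reworked as an added example (it is not code from the thread or from vBulletin itself). It assumes a vB3 script that has already included global.php, so $vbulletin and $db exist, and the foo(firstname, surname) table from the first post.

```php
<?php
// Added example, not vBulletin's own code. Assumes global.php has been
// included (so $vbulletin and $db are available) and the table foo exists.

// 1. Clean the POST input as a plain string (TYPE_STR rather than
//    TYPE_NOHTML), so that ' and & are stored as the characters the
//    user typed instead of HTML entities.
$vbulletin->input->clean_array_gpc('p', array(
    'firstname' => TYPE_STR,
    'surname'   => TYPE_STR,
));

// 2. SQL-escape at the moment the value goes into the query. This is the
//    step that stops an apostrophe from breaking, or injecting into, the
//    statement; the input cleaner does not do this for you.
$db->query_write("
    INSERT INTO foo (firstname, surname)
    VALUES (
        '" . $db->escape_string($vbulletin->GPC['firstname']) . "',
        '" . $db->escape_string($vbulletin->GPC['surname']) . "'
    )
");

// 3. HTML-escape only at the moment of display. Because the stored value
//    is the raw string, a single htmlspecialchars_uni() renders
//    "O'Brien & Sons" correctly, including inside a <textarea> (the
//    browser decodes the entities there), with no double-encoded &amp;amp;.
//    The value read back from the db is the same raw string, so the
//    cleaned input is used here to keep the example self-contained.
$firstname_html = htmlspecialchars_uni($vbulletin->GPC['firstname']);
$surname_html   = htmlspecialchars_uni($vbulletin->GPC['surname']);

echo '<p>' . $firstname_html . ' ' . $surname_html . '</p>';
echo '<textarea name="firstname">' . $firstname_html . '</textarea>';
```

Escaping in step 3 is still needed inside the textarea: without it, a stored string containing </textarea> would end the element and the rest would be rendered as markup.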
aah, great. I'll use TYPE_STR
If i use the bbcode parser, and set everything to false, does it do any parsing at all?
I already have the parser instantiated, so it would be nice to use that, but I don't want smilies or basically anything to be parsed. I just want to make it safe.
Thanks again
Simon
Paul M
08-31-2007, 06:33 PM
The input cleaner is not designed to prevent SQL injection - that's what escape_string is for.
Opserty
08-31-2007, 07:00 PM
http://members.vbulletin.com/api/vBulletin/vB_BbCodeParser.html#do_parse
So yeah in your case just set them all to false (if they aren't by default)
Thanks for clarifying Paul.
I had this way of thinking because of this article :
https://vborg.vbsupport.ru/showthread.php?t=119372
which states :
With XSS (Cross-Site Scripting) and SQL exploits being identified in scripts on a daily basis, you should do everything you can to ensure that all data coming from the user has been cleaned ("sanitized").
vBulletin provides us with the vB_Input_Cleaner class to do just this.
-
Opserty
Many thanks for your patience. You've really cleared this up for me.
Thanks also Dismounted.
Simon
Adrian Schneider
09-01-2007, 09:45 AM
You may want to read the article in my signature - it goes into a bit more detail about the vulnerabilities and how to prevent them.
SirAdrian
Thank you very much indeed, that article makes it much clearer.
Simon
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.