vb.org Archive
Page 3 of 4 12 3 4
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Programming Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=188)
-   -   Create Secure Mods (https://vborg.vbsupport.ru/showthread.php?t=154411)

Antivirus 08-11-2007 11:59 PM
Quote:
Originally Posted by EnIgMa1234 (Post 1315558)
Why is it neccessary to clean admincp code?
It's just good coding practice to do so. Say for instance you have a moderator or someone whom you allow access to the admin CP (a business partner for instance) and you have a falling out - he/she then injects something nasty theough the AdminCP and BOOM!


Sir Adrian,
ok, i'm learning this, thanks. So after escaping it, if I want to display it in a <textarea> type input box for user to edit it, it's showing as follows:

Quote:
Posted the banner on my myspace profile. Also posted their video on my blog, etc... \r\n\r\nOh yes i did.\r\n\r\nThat\'s what I am talking about. &quot;oh yeah&quot; i said
Which is safe, however for display in the textarea, i want it to display as entered which was like this:

Quote:
Posted the banner on my myspace profile. Also posted their video on my blog, etc...

Oh yes i did.

That's what I am talking about. "oh yeah" i said
When I display it, I can qet the &quot; to parse correctly, but all the /n/r/n/r i can't get to display correctly. Can you help? Thanks :)

Adrian Schneider 08-12-2007 12:39 AM
Why are you displaying it after escaping it? It goes into the query escaped, and when you read from the DB again it should be OK.

Antivirus 08-12-2007 12:41 AM
It goes into query escaped before being put into database. Then if user wants to edit the text, it's displayed again, within the <textarea> box for them to modify.

I'd be fine if the initial cleaning of the data totally stripped out all the /n/r/n/r stuff as well since i have no need for them to post data on new lines. Am i missing something or do i need to create a regex before passing data to the update or save query?

Adrian Schneider 08-12-2007 12:58 AM
Only escape just before using it in a query. That's all it is for. You should never display it after it has been escaped; that doesn't make sense!

Antivirus 08-12-2007 01:00 AM
Thanks for your help on this issue SirAdrian.
So you're telling me that somewhere I am escaping it before displaying it in the <textarea> box?

Adrian Schneider 08-12-2007 01:01 AM
Yeah you must be. Post your code here (or make a new thread in programming / coders discussion and I will take a look).

Antivirus 08-12-2007 01:11 AM
ok will post it in programming discussions - thanks

Kirk Y 08-24-2007 04:15 AM
Excellent article SirAdrian, was a great read. :)

Guest190829 08-24-2007 04:46 AM
Quote:
Originally Posted by Kirk Y (Post 1324567)
Excellent article SirAdrian, was a great read. :)
Definitely. Thank you for taking the time to write this article, Adrian. :up:

Floris 09-02-2007 10:28 AM
Nice article, thanks for taking the time to write this out.


All times are GMT. The time now is 12:32 PM.
Page 3 of 4 12 3 4
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01654 seconds
  • Memory Usage 1,733KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (4)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete