vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   brainfart with $db->escape_string (https://vborg.vbsupport.ru/showthread.php?t=154161)

Antivirus 08-03-2007 03:27 AM

brainfart with $db->escape_string
 
My brain is fried after coding for 12 hours and I'm so tired... I'm using $db->escape_string() on a var after cleaning with the input cleaner class (TYPE_STR). All nasties are escaped as they should be to prevent maliciousness, etc... Problem I am having is when calling the data, it displays as follows:

Quote:

Posted the banner on my myspace profile. Also posted their video on my blog, etc...\r\n\r\nOh yes i did.\r\n\r\nThat\'s what I\'m talking about. "oh yeah" i said
I can get rid of the slashes with stripslashes() however it leaves the rnrn stuff in there...

How can I clean it nicely for display? It's just text so I don't want to parse it with the bbcode parser unless I have to.

I also noticed that vb uses (TYPE_NOHTML) to "make safe" the data in profile fields since " becomes &quot (for instance). Is this sufficient for protecting against SQL injection?


Thanks

Adrian Schneider 08-03-2007 04:04 AM

That's what the escaped version looks like... you shouldn't be displaying it, you should be using it in a query. :p

SQL injection and XSS are completely different things. If you use escape_string, then it is safe from injection. If you allow users to enter data that will be displayed, then you have to use TYPE_NOHTML (or the function) when either cleaning it (and inserting into DB) OR when displaying it.

Antivirus 08-03-2007 04:24 AM

Ah! Okie, it's all starting to make sense. I've been working on a rather large modification and everything works, however I'm just learning how to make everything safe against attacks, etc...

Dismounted 08-03-2007 10:34 AM

\r and \n are line breaks. You should run nl2br() on the string.
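An added example in plain PHP (not vBulletin's code and not from any poster) that walks through the layers the two replies above keep separate: escaping only for the SQL query, storing the raw text, then htmlspecialchars() and nl2br() only at display time. sql_escape() is a stand-in for $db->escape_string() and the sample text is constructed.

```php
<?php
// Constructed sample input, as a user might type it (raw, unescaped).
$raw = "Posted the banner on my myspace profile.\r\n\r\n"
     . "That's what I'm talking about. \"oh yeah\" <b>i said</b>";

// 1. SQL layer: escaping belongs inside the query string, never in the stored value.
//    Stand-in for $db->escape_string(); real code should use the driver's own
//    escape function or, better, a prepared statement with a bound parameter.
function sql_escape(string $s): string
{
    // Backslash must be replaced first so later replacements are not re-escaped.
    return str_replace(
        ["\\",   "\0",  "\n",  "\r",  "'",   "\"",   "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", "\\\"", "\\Z"],
        $s
    );
}

$query = "INSERT INTO profile_notes (note) VALUES ('" . sql_escape($raw) . "')";
// $query now contains the literal \r\n and \' the original poster saw. That is
// the wire form MySQL parses; the row itself holds the original bytes, not the
// backslashes. Displaying $query (or saving an already-escaped string) is the bug.

// Simulate the round trip: what the database hands back is the raw text again.
$stored = $raw;

// 2. HTML layer: escape at output so <b> and " cannot become markup or attributes.
//    This is the job TYPE_NOHTML / htmlspecialchars() does; it has nothing to do
//    with SQL injection, which step 1 already handled.
$safe = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

// 3. Line breaks: the \r\n in the stored text are real newlines; nl2br() inserts
//    <br /> before each one so the paragraphs render.
$display = nl2br($safe);

echo $display;
```

Running this prints the text with `&lt;b&gt;` instead of a bold tag and `<br />` at each blank line, while $query is the only place the backslashes ever appear.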



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
