Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
Reload this Page GPC cleaner.. safe procedure..
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
Page 1 of 2 1 2
 
Thread Tools Display Modes
  #1  
Old 08-31-2007, 09:09 AM
SDB SDB is offline
 
Join Date: Feb 2004
Posts: 136
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default GPC cleaner.. safe procedure..
Hi

OK, I'm using the input cleaner to protect from sql inserts, etc.

But I'm clearly missing something.

I am using NOHTML to clean a text area input through $_POST.

But if i were to enter an ' in the text area it breaks the SQL, unless I use a $db->escape_string(....) function on it.

Is there a different way I'm supposed to use the cleaner?

Could someone please give me a definitive procedure for cleaning text input prior to entering it into the db?

cheers
Reply With Quote
  #2  
Old 08-31-2007, 09:17 AM
Antivirus's Avatar
Antivirus Antivirus is offline
 
Join Date: Sep 2004
Location: Black Lagoon
Posts: 1,090
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
please post your code
Reply With Quote
  #3  
Old 08-31-2007, 10:25 AM
SDB SDB is offline
 
Join Date: Feb 2004
Posts: 136
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
OK.. eg :

Code:
$vbulletin->input->clean_array_gpc('p', array(
	'firstname' => TYPE_NOHTML,
	'surname' => TYPE_NOHTML
	));

$db->query_write("INSERT into foo (firstname, surname) values ('".$vbulletin->GPC['firstname']."','".$vbulletin->GPC['surname']."');
Reply With Quote
  #4  
Old 08-31-2007, 11:18 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
If you're only inserting to the database, only escape is required ($vbulletin->db->escape_string()), but if you're going to display that data, you will have to use the GPC cleaner (TYPE_NOHTML) as well.
Reply With Quote
  #5  
Old 08-31-2007, 01:13 PM
SDB SDB is offline
 
Join Date: Feb 2004
Posts: 136
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
So are you saying there is no need to clean data that is going to be inserted into the db?

I thought one of the main pureposes of the cleaner was to protect against XSS and malicious db inserts, etc?

(thanks for your replies)
Reply With Quote
  #6  
Old 08-31-2007, 01:26 PM
Opserty Opserty is offline
 
Join Date: Apr 2007
Posts: 4,103
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
You are still cleaning the data with $db->escape_string()... ( to prevent SQL injections )

Like Dismounted said:
Quote:
if you're going to display that data, you will have to use the GPC cleaner (TYPE_NOHTML) as well.
Reply With Quote
  #7  
Old 08-31-2007, 02:23 PM
SDB SDB is offline
 
Join Date: Feb 2004
Posts: 136
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
OK..

I'm with you now, thank you.

If the user enteres some text, and I want to store it in the db, and then later display it..

A safe procedure that will protect me from malicious use of the system is to GPC it for TYPE_NOHTML, and then escape_string it also?

Please confirm.

-

Also, having done this..

If someone enters a ' or a &, by the time I get it back out of the db and back into the text area, it had & type codes rather than the characters. How do I handle these please?

Thanks again, I really appreciate this.

Simon
Reply With Quote
  #8  
Old 08-31-2007, 04:40 PM
Opserty Opserty is offline
 
Join Date: Apr 2007
Posts: 4,103
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by SDB View Post
O
Also, having done this..

If someone enters a ' or a &, by the time I get it back out of the db and back into the text area, it had & type codes rather than the characters. How do I handle these please?

Thanks again, I really appreciate this.

Simon
Well in that case clean it using TYPE_STR and escape it and store it in the db. Then when you come to display it (except in the textarea) use htmlspecialchars_uni() on the text. Or if you want to be fancy you can use vB's BBcode parser :P.
Reply With Quote
  #9  
Old 08-31-2007, 04:50 PM
SDB SDB is offline
 
Join Date: Feb 2004
Posts: 136
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
aah, great. I'll use TYPE_STR

If i use the bbcode parser, and set everything to false, does it do any parsing at all?

I already have the parser instatiated, so it would be nice to use that, but I don't want smilies or basically anything to parsed. I just want to make it safe.

Thanks again

Simon
Reply With Quote
  #10  
Old 08-31-2007, 06:33 PM
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
The input cleaner is not designed to prevent SQL injection - that's what escape_string is for.
Reply With Quote
Reply
Page 1 of 2 1 2

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 07:59 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04386 seconds
  • Memory Usage 2,244KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete