Subject: | There is no HTML escaping in the... |
Summary: | Package rating comment |
Messages: | 4 |
Author: | Artur Graniszewski |
Date: | 2011-03-04 15:25:21 |
Update: | 2011-03-06 14:17:52 |
Artur Graniszewski rated this package as follows:
Utility: | Sufficient |
Consistency: | Good |
Examples: | Sufficient |
 Artur Graniszewski - 2011-03-04 15:25:21
There is no HTML escaping in the form inputs, so basically if someone sends plain HTML into the database, he can easily attack your website with XSS injections or just alter your page contents.
There is also no SQL escaping, so there is a potential risk that someone will send a column name as a SQL string and do an SQL injection.
Try to use mysql_real_escape_string() and htmlspecialchars().
What's more, there is no simple way to override the default English errors to localize them in a different language (there is no way to inherit this class and override/use some of its methods, because they are private, not protected).
 razvan - 2011-03-04 17:34:14 - In reply to message 1 from Artur Graniszewski
Hello! Thank you for your comments.
First of all, I'm a beginner and I hope to improve my skills quickly; that's why I started posting on PHPClasses.
About the HTML escaping ...
When I started this class I thought a lot about this.
Should I do the escaping in this class?
Should I make another class for that or even use a validating class I found here, on PHPClasses?
I decided I'll use another class for that.
So, if you want to control the data you put in this class to generate the form, you need to use another class for that.
The form is generated with this class and after that you have to use another class to deal with HTML tags, SQL injection or validating the data, etc.
And for the select box / radio buttons generated using a table from the database. I figured, if I use it for my site, I'm not gonna try to do the SQL injection on my own site.
But now, since you've told me, I think I'm gonna secure that part in a few days.
And if you want to modify the "error" part, please send me the code and I'll put it there.
Thanks!
 Artur Graniszewski - 2011-03-04 19:01:24 - In reply to message 2 from razvan
Hi,
just change "private" to "protected". It will allow anyone to inherit your class and override those methods with custom ones (for example with error strings in different languages).
SQL and XSS injection are sometimes seen in funny scenarios. You never know what input has been saved in your database by the user.
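The three points raised in this thread (escaping stored values before they reach HTML, not interpolating client-chosen column names into SQL, and using protected members so error strings can be localized in a subclass) can be shown together in one small form helper. The code below is an added example written for this page, not the package's own class: the class names, the `errors` array, the `esc()` helper and the sample `countries` table are all assumptions. One caveat worth making explicit: `mysql_real_escape_string()` is meant for string values, not for identifiers such as table or column names, so the example checks identifiers against an allowlist instead of escaping them. It assumes PHP 7.4+ with the `pdo_sqlite` extension for the in-memory sample database.

```php
<?php
// Added example (not the package's own code): a minimal form helper showing
// output escaping, identifier allowlisting and overridable error strings.

class FormGenerator
{
    // protected (not private) so a subclass can override or reuse it
    protected array $errors = [
        'required' => 'This field is required.',
        'invalid'  => 'The value entered is invalid.',
    ];

    protected PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Protected hook: subclasses can localize without touching this class.
    protected function errorMessage(string $code): string
    {
        return $this->errors[$code] ?? $code;
    }

    // Every value that reaches HTML goes through htmlspecialchars with
    // ENT_QUOTES so it is inert inside double- and single-quoted attributes.
    protected function esc(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }

    public function textInput(string $name, string $value, ?string $error = null): string
    {
        $html = sprintf('<input type="text" name="%s" value="%s">', $this->esc($name), $this->esc($value));
        if ($error !== null) {
            $html .= '<span class="error">' . $this->esc($this->errorMessage($error)) . '</span>';
        }
        return $html;
    }

    // Select box filled from a database table. Table and column names are
    // identifiers: string-escaping functions do not protect them, so they
    // are checked against an allowlist of known identifiers instead.
    // Row values are still HTML-escaped on output.
    public function selectFromTable(string $name, string $table, string $valueCol, string $labelCol, array $allowed): string
    {
        foreach ([$table, $valueCol, $labelCol] as $id) {
            if (!in_array($id, $allowed, true)) {
                throw new InvalidArgumentException("Identifier not allowed: $id");
            }
        }
        $rows = $this->db->query("SELECT `$valueCol` AS v, `$labelCol` AS l FROM `$table`")
                         ->fetchAll(PDO::FETCH_ASSOC);
        $html = sprintf('<select name="%s">', $this->esc($name));
        foreach ($rows as $r) {
            $html .= sprintf('<option value="%s">%s</option>',
                             $this->esc((string) $r['v']), $this->esc((string) $r['l']));
        }
        return $html . '</select>';
    }
}

// Localized subclass: possible only because the members are protected.
class PolishFormGenerator extends FormGenerator
{
    protected array $errors = [
        'required' => 'To pole jest wymagane.',
        'invalid'  => 'Wprowadzona wartość jest nieprawidłowa.',
    ];
}

// Constructed sample data in an in-memory SQLite database (assumed available).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE countries (id INTEGER, name TEXT, password_hash TEXT)');
$db->exec("INSERT INTO countries VALUES (1, 'Poland', 'x'), (2, 'Romania <b>\"</b>', 'y')");

$form = new PolishFormGenerator($db);
$allowed = ['countries', 'id', 'name'];

// A stored value containing markup is rendered as text, not as tags.
echo $form->textInput('title', '<script>alert(1)</script>', 'required'), "\n";
echo $form->selectFromTable('country', 'countries', 'id', 'name', $allowed), "\n";

// A column name that did not come from the allowlist is rejected instead of
// being interpolated into the query, so it cannot expose unintended columns.
try {
    $form->selectFromTable('country', 'countries', 'id', 'password_hash', $allowed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The allowlist is the part that matters for the "column name as a SQL string" case from the first message: a name taken from the request is compared with `in_array(..., true)` against identifiers the application already knows, and anything else never reaches the query. Because `errors` and `errorMessage()` are protected rather than private, `PolishFormGenerator` localizes the messages with no changes to the base class, which is exactly the private-to-protected change suggested above.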
 Artur Graniszewski - 2011-03-06 14:17:52 - In reply to message 1 from Artur Graniszewski
Good job fixing those issues!