sanitize

I'm quite confused now and would like to know, if you could clear things up for me. After the lateste Anon/Lulsec attacks, i was questioning my php/mysql security. So, i thought, how could I protect both, PHP and Mysql. Question: Could anyone explain me, what's best practice to handle PHP and Mysql when it comes to quotes? Especially in forms, I would need some kind of htmlspecialchars in order to protect the html, correct? Can PHP be exploitet at all with a form? Is there any kind of protection needed? Should I use real_escape_string just before a query? Would it be wrong/bad to use it

I got a textbox that allows users to put image link (ex: http://abc.test.gif ) & another textbox that allows user to put Alternate text (ex: "This is test.gif"), & a submit button. When a user clicks on submit buton, the program will generate <img src="http://abc.test.gif" alt="This is test.gif"> this string & store it into DB for later use. My question is: do i need to sanitize the imagelink "http://abc.test.gif" & the text in alt tag "This is test.gif" For example, do i need to use UriUtils.isSafeUri("http://abc.test.gif"); & SafeHtmlUtils.fromString("This is test.gif" You are deliberately

We are upgrading from Rails 4.2.5 to 5.0.0.beta1 When testing we expected to see index views rendered with paginated links as before. But we now get an ArgumentError error page, for example: ArgumentError in Transactions#index /app/views/kaminari/_paginator.html.erb where line #10 raised: <%= paginator.render do -%> Generating an URL from non sanitized request parameters is insecure! Application Trace | Framework Trace | Full Trace app/views/kaminari/_paginator.html.erb:10:in block in _app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060' app/views/kaminari/_paginator

I need to create a simple search but I can't afford to use Sphinx. Here's what I wrote: keywords = input.split(/\s+/) queries = [] keywords.each do |keyword| queries << sanitize_sql_for_conditions( "(classifications.species LIKE '%#{keyword}%' OR classifications.family LIKE '%#{keyword}%' OR classifications.trivial_names LIKE '%#{keyword}%' OR place LIKE '%#{keyword}%')") end options[:conditions] = queries.join(' AND ') Now, sanitize_sql_for_conditions does NOT work! It returns simply returns the original string. How can I rewrite this code to escape malicious code? If you replace the "#

I'm working on sanitizing my Html using Jeff Atwood's code found here But the problem I'm running into is when I input Markdown links into the form (they get removed) <http://www.example.com> Here's the code I'm using. private static Regex _tags = new Regex("<[^>]*(>|$)", RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled); private static Regex _whitelist = new Regex(@" ^</?(b(lockquote)?|code|d(d|t|l|el)|em|h(1|2|3)|i|kbd|li|ol|p(re)?|s(ub|up|trong|trike)?|ul)>$| ^<(b|h)r\s?/?>$", RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled |

I was reading last night on preventing SQL injections, and I ran across this answer: How can I prevent SQL injection in PHP? The comments from 'Your Common Sense' made it sound like that was dysfunctional/unsafe. However, in my (albeit limited) testing, I found that php's "bin2hex($var)" worked with anything I threw at it - literal number, number string, string of text - even when matching a numerical (tinyint) column. My question is this: Is there a way to inject SQL when every user input is sanitized via hexing it? In essence, any time a query was made, it would look something like this:

I am currently using this process to Sanitize/Filter comment entered by users -> This one is used to strip slashes... and if (get_magic_quotes_gpc()) { function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } $_POST = array_map('stripslashes_deep', $_POST); $_GET = array_map('stripslashes_deep', $_GET); $_COOKIE = array_map('stripslashes_deep', $_COOKIE); $_REQUEST = array_map('stripslashes_deep', $_REQUEST); } Then the comment goes through this function to sanitize the data... function my_strip_tags($str)