in reply to Re^2: Removing malicious HTML entities (now with more questions!)
in thread Removing malicious HTML entities (now with more questions!)

You should always plan to use it with CGI scripts

The trick to untaint data, as far as I am aware, is to ensure your data is correct, i.e. do data validation. Usually this means using (tight) regexps to ensure the user input doesn't go outside expected bounds.

From what I have read, if you are entering anything into a db then you might want to SQL-escape it too so that people can't hijack your database and delete everything.

HTML::Entities will help display stuff that might otherwise break your web page - what's left that can break your db?

Re^4: Removing malicious HTML entities (now with more questions!)
by Lawliet (Curate) on Aug 18, 2008 at 02:28 UTC
    "If you are entering anything into a db then you might want to SQL-escape it too so that people can't hijack your database"

    By using placeholders, right?

    I'm so adjective, I verb nouns!

    chomp; # nom nom nom

Re^4: Removing malicious HTML entities (now with more questions!)
by techcode (Hermit) on Aug 19, 2008 at 21:53 UTC

      I would always use placeholders simply for the speed increase they offer, but does the use of them imply the placeholder content is, for want of a better phrase, SQL-escaped for the actual DB in use?

      My scan of the documentation didn't find that information for placeholders but seemed to imply that $db->quote() might. I would like to know for sure if placeholders also perform this function.

        Yes, it does wrap '' around them, which can lead to problems when you, say, want to call a function such as NOW(), because then you don't want it quoted.

        Have you tried freelancing? Check out Scriptlance - I work there. For more info about Scriptlance and freelancing in general check out my home node.
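The placeholder-versus-quote() point made in this thread, as an added example that is not from any of the posters above. It assumes DBD::SQLite is installed (for an in-memory database), a constructed `notes` table, and a constructed input string standing in for what a CGI script would receive.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT, created TEXT)');

# Untrusted input as a CGI script might receive it (constructed value).
my $input = "it's 5 o'clock";

# Placeholders: the value is sent separately from the SQL text, so the
# quotes inside $input cannot end the literal; no manual escaping needed.
my $sth = $dbh->prepare('INSERT INTO notes (body, created) VALUES (?, ?)');
$sth->execute($input, 'constructed-timestamp');

# $dbh->quote() escapes the value AND wraps it in single quotes itself.
# That is why quoting a function call turns it into a plain string literal.
print "quote(input):  ", $dbh->quote($input), "\n";
print "quote('NOW()'): ", $dbh->quote('NOW()'), "\n";

# Correct pattern: the function stays in the SQL text, only data is bound.
# (SQLite has no NOW(); datetime('now') plays the same role here.)
$dbh->do("INSERT INTO notes (body, created) VALUES (?, datetime('now'))",
    undef, $input);

# The 'before' case: naive interpolation lets the input's quotes break
# the statement. RaiseError turns the SQL error into an exception.
my $bad = "INSERT INTO notes (body) VALUES ('$input')";
eval { $dbh->do($bad) };
print "interpolated statement failed: $@" if $@;

my ($n) = $dbh->selectrow_array(
    'SELECT COUNT(*) FROM notes WHERE body = ?', undef, $input);
print "rows stored intact via placeholders: $n\n";
```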