  1. tal

    Xss And Html Form

    ok now i see it better
    so in order for an xss to work my site needs to be compromised and only then it can talk to other sites
    so proper sanitizing should do it, right
    i am sorry if my question wasn't clear from the start
    thank you
    Tal
  2. tal

    Xss And Html Form

    thanks but it is the other way around
    i am trying to avoid xss not accomplish it
    can xss take the data from a form filled by my user if it is in cookies or if it is filled in real time by the user ?
    thank you
    Tal
  3. tal

    Xss And Html Form

    i use php functions - strip_tags and a custom preg_match_all in order to sanitize the user input
    when a form is not filled correctly i send it back with the data filled by the user and sanitized by me so no html tags will go through
    are "html data" and "html tags" the same thing ?
    what i am asking is, is it possible to do a cross site scripting so to grab that data i sanitized and sent back to the user, to continue the form filling
    i put the data in a cookie on the user's computer, but i don't use java script to handle that data
    so is it possible to xss the form data ?
    and thanks for the advice about space between the numbers, it sounds good
    thank you
    Tal
  4. hello all
    i have read a bit about cross site scripting
    but i am still not sure about xss and html form data
    in my site i use html forms, for example,
    i ask for credit card number
    and i am not using java script in these forms
    only html and php (and cookies)
    is it possible to cross site script the data in the form ?
    (that is also placed in a cookie if needed)
    thank you for your time
    and good answers
    Tal
  5. if you have access to php.ini look for this line to set your server time zone
    date.timezone
    or set it on the fly
  6. tal

    Sql Injection

    hello all
    i am trying to sanitize user input to the level i won't need to worry about sql injection any more
    so i am using this function below
    the function takes the $subject (that is the user input) and returns only characters from $pattern (some regex, in example $pattern="/[0-9]+/" for age) with an option to check final input length
    so my questions are
    1- will this make sure no sql injection pass through ?
    2- is this an over kill - with preg_match_all ?
    3- is there an easier way of doing this ?
    4- presuming i have my regex written correct, will i be able to stop using functions like strip_tags, mysql_real_escape_string or any other

    function name_filter($pattern,$subject) {
        $text="";
        //-----take only allowed characters from subject by pattern-----
        // $matches[0] holds the full matches; iterating over every group would
        // also append capture-group text if $pattern contained parentheses
        preg_match_all($pattern,$subject,$matches);
        foreach ($matches[0] as $temp) $text.=$temp;
        //-----check for length (optional 3rd and 4th arguments: min, max)-----
        if(func_num_args()==4 && !empty($text)) {
            mb_internal_encoding("UTF-8");
            $min=func_get_arg(2);
            $max=func_get_arg(3);
            if(mb_strlen($text)>$max || mb_strlen($text)<$min) $text="";
        }
        return $text;
    }

    thank you for your help and time reading
    even more than you for thinking about it
    Tal
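Added here as an example, not the poster's code: the whitelist idea turned into a strict validator, with the SQL-injection defence itself coming from a prepared statement with bound parameters. The users table and the in-memory SQLite database are constructed stand-ins for the site's MySQL schema.

```php
<?php
// Added example (not from the forum post): validate with a whitelist pattern,
// then hand the value to the database as a bound parameter. The users table
// and the in-memory SQLite database are constructed stand-ins for MySQL.
declare(strict_types=1);

/**
 * Whitelist validator: the input is returned only if the whole string matches
 * $pattern and its length lies within [$min, $max]; otherwise null. Rejecting
 * bad input is safer than silently rewriting it into something else.
 */
function validate(string $pattern, string $subject, int $min = 1, int $max = 255): ?string
{
    if (preg_match($pattern, $subject) !== 1) {
        return null;
    }
    $len = mb_strlen($subject, 'UTF-8');
    return ($len >= $min && $len <= $max) ? $subject : null;
}

/**
 * The SQL text never contains user data: the statement is prepared with
 * placeholders and the values are bound separately, so whatever characters
 * the input holds it can only be compared as a value, never parsed as SQL.
 */
function updateAge(PDO $pdo, int $userId, string $rawAge): bool
{
    // ^...$ with the D modifier so a trailing newline cannot slip past the anchor.
    $age = validate('/^[0-9]+$/D', $rawAge, 1, 3);
    if ($age === null) {
        return false; // reject and re-display the form instead of "fixing" the input
    }
    $stmt = $pdo->prepare('UPDATE users SET age = :age WHERE id = :id');
    $stmt->bindValue(':age', (int) $age, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed demo database standing in for the site's MySQL schema.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, age INTEGER)');
$pdo->exec('INSERT INTO users (id, age) VALUES (42, 20)');
updateAge($pdo, 42, '27');            // a well-formed age: passes the whitelist and is bound as an integer
updateAge($pdo, 42, "27' OR '1'='1"); // fails the whitelist, so no statement is executed at all
echo $pdo->query('SELECT age FROM users WHERE id = 42')->fetchColumn(), "\n";
```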
  7. tal

    Session Handling

    thanks for the answer
    now, i have a nonce i need to work with and i have two options handling it
    sending a cookie to the client's computer
    or writing the same data to a session file
    what will be more efficient (less resource consuming) ?
    what would be more secure (considering i am encrypting the data) ? writing to disk or writing to cookie ?
    thank you for all the great support
    Tal
  8. tal

    Session Handling

    hello all
    i am using session functions - storing session id as a cookie
    and storing the actual session data as a plain text file in temp folder
    now i have two questions about how to handle sessions
    1- when looking from the security point of view (thinking about XSS)
    is it safe to leave the session id plain text in the cookie, for all to see ?
    2- is it better from speed and efficiency point of view when querying data from mysql, writing it to session files
    for future use (in that session)
    instead of querying mysql each time i need that data
    i would appreciate any kind of help
    thank you
    Tal
  9. tal

    Cookie Expiration

    hello all
    if i set a cookie to expire like so
    setcookie ("test","test",0,"/","","true","true");
    from the client's computer (where the cookie is actually set)
    is it possible to save it and use it in the future ?
    can i open the cookie file or browser settings some how and get the cookie not to expire ?
    thank you
    Tal
  10. thanks for the advice in the right direction Deirdre's Dad
    PHP session probably is the way for me
    i guess i just love inventing the wheel all over again
    it is so exciting :)
    thank you
    Tal
  11. no nothing unusual
    but it looks like, i am duplicating the session_start behavior
    what i want to do, is to prevent some "attacker" from getting a user's login cookie and so bypassing the login page by asking a "private user space" page without the need to get a login cookie, that is why the session idea came to my mind (there is no data i need to save about the specific user)
    so will session function by php do that the best ?
    will it verify that no "old" cookie is presented to the server, to gain access to the "private user space" ?
    -------------------------------
    you write "I don't store logins in my own database" how come ?
    because you don't have a use of it or because there is a better way of doing a "private per user space" ?
    thank you
    Tal
  12. hello people
    i need some help with session id implementation
    i have a site where i need to log in users
    after log in, i identify them by cookies (unique user id only)
    now i want to add a session id to the cookie, so no saved cookie could be used in the future, or even after the next page request
    what i want to do goes like this
    1- i have a function that gives the session id - lets say adds one each time to the current session id
    2- when the user logs in for the first time he gets the session id of 1, and that session id is saved in the database, under the user's unique user id
    3- when he asks for a new page, his session id (1) is read from the cookie, then checked for a match with the DB
    if there is a match the function adds one to his session id in the DB, gives him a new cookie, and the requested page
    if not he is sent back to the log in page and his cookie is deleted
    4- next time the user logs in he will get the session id from the DB+1
    so my questions are
    first am i doing it right ?
    is there an easier way of creating a session id ?
    do you have any suggestions for how to session implementation ?
    Thank you for your attention
    Tal
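Added here as an example, not the poster's code, for this thread and the "Session Handling" thread above: PHP's built-in sessions with cookie flags that keep the id out of reach of page scripts, strict mode so an id the server never issued is refused, and session_regenerate_id() at login so an id handed out before login cannot be reused afterwards. The checkCredentials() store and the /login.php path are constructed placeholders.

```php
<?php
// Added example (not from the forum posts): PHP's own session machinery in place
// of a hand-rolled counter kept in the login cookie. The credential store below
// and the /login.php path are constructed placeholders.
declare(strict_types=1);

function startSecureSession(): void
{
    // The session id is the only secret in the cookie. HttpOnly keeps it away from
    // page scripts (an XSS payload cannot read it), Secure limits it to HTTPS,
    // SameSite keeps cross-site requests from carrying it.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    session_start();
}

// Constructed demo credential store; a real site reads the password hash from its database.
function checkCredentials(string $username, string $password): ?int
{
    static $users = null;
    $users ??= ['tal' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    $u = $users[$username] ?? null;
    return ($u !== null && password_verify($password, $u['hash'])) ? $u['id'] : null;
}

function loginUser(string $username, string $password): bool
{
    $userId = checkCredentials($username, $password);
    if ($userId === null) {
        return false;
    }
    // Fresh id at the privilege change: an id issued (or planted) before login never
    // becomes a logged-in session, and the old id's server-side data is deleted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}

// Call at the top of every "private user space" page, after startSecureSession().
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    return (int) $_SESSION['user_id'];
}
```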
  13. tal

    Text Parsing Ie8 Problem

    good it works
    so i added
    $write_text=nl2br($write_text,false);
    instead of my
    $write_text = str_replace("\r","\r<br />",$write_text);
    and took out the css
    style="white-space:pre-wrap;"
    so now i am doing a manual "white-space" but it shows in both IE8 and FF3 as i want it to, with line breaks (i am giving multi-spaces a second thought)
    thank you very much for helping Synook and Deirdre's Dad
    Tal
  14. tal

    Text Parsing Ie8 Problem

    i have added </br> to where there was \r before
    but how do i create non-breaking spaces ?
    here is a description of what i am doing
    the user writes in a textarea form
    this code gets what he wrote

    $write_text=$_POST['write_text'];
    if (strlen($write_text)>0) {
        str_replace("\r","\r</br>",$write_text);
        $write_text=$writer_name.": ".$write_text."</br>\r----------------------------</br>";
        $im=fopen ($file_name,"a+");
        fwrite ($im,"$write_text\r");
    }

    and this is how i display it - reading it from the file
    <div style="white-space:pre-wrap;"><?php echo $file ?></div>
    now the problem remains in the display of what the user wrote while looking at it in IE8
    if he writes two lines of text, it will show as one
    even when i do str_replace("\r",'\r</br>',$write_text); the </br> tags are not written to the file
    when i look at the source code in both IE8 and FF3 from the browser (right click) options i do see the </br> tags i added, they are in their place but it doesn't show when i look at the page
  15. hello
    i have a problem with text parsing
    when i write this html+css code in a html file it works fine
    but when i write it in a php file i see a different result
    the two lines become one and without multi white spaces
    but only in IE8 (in FF3 it works fine)
    also when i look at the source code from the browser (right click options)
    i see the text parsed as it should be (with line breaks and multi spaces)
    please help me understand what is going on
    replace the ------------ with spaces as this form cuts them out
    <div style="white-space:pre-wrap;">first line of words
    next line-------------------and some more after many spaces</div>
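Added here as an example, not the poster's code, covering both the "Xss And Html Form" questions above and this display problem: keep the textarea content raw in the file and HTML-encode it at display time, with nl2br() supplying the line breaks and &nbsp; keeping repeated spaces visible, so whatever a user typed is shown as text instead of being interpreted by the browser. The tab/NUL-delimited record format and the temp file are constructed for the demo.

```php
<?php
// Added example (not from the forum posts): keep the textarea content raw in
// the file and HTML-encode it at display time, so line breaks survive and
// anything a user typed is shown as text rather than run as markup. The
// tab/NUL-delimited record format and the temp file are constructed for the demo.
declare(strict_types=1);

/**
 * htmlspecialchars() neutralises <, >, & and quotes (a typed "<script>" is
 * displayed literally), nl2br() inserts <br /> at every line ending, and runs
 * of spaces become " &nbsp;" pairs so they stay visible without white-space:pre-wrap.
 */
function renderMessage(string $writerName, string $text): string
{
    $safe = htmlspecialchars($writerName . ': ' . $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safe = nl2br($safe);                         // handles "\r\n", "\n" and "\r"
    $safe = str_replace('  ', ' &nbsp;', $safe);  // keep multiple spaces visible
    return '<div class="message">' . $safe . '</div>';
}

/** Append one message exactly as typed; the file never contains HTML. */
function storeMessage(string $fileName, string $writerName, string $text): void
{
    $text   = str_replace(["\r\n", "\r"], "\n", $text);   // normalise line endings
    $record = str_replace("\t", ' ', $writerName) . "\t" . $text;
    // One NUL-terminated record per message, so embedded newlines stay inside it.
    file_put_contents($fileName, $record . "\0", FILE_APPEND | LOCK_EX);
}

function renderFile(string $fileName): string
{
    $out = '';
    foreach (explode("\0", (string) file_get_contents($fileName)) as $record) {
        if ($record === '') {
            continue;                             // trailing chunk after the last NUL
        }
        [$name, $text] = explode("\t", $record, 2) + [1 => ''];
        $out .= renderMessage($name, $text) . "\n";
    }
    return $out;
}

// Constructed sample input: the poster's two-line example plus a message containing markup.
$file = tempnam(sys_get_temp_dir(), 'msg');
storeMessage($file, 'tal', "first line of words\r\nnext line          and some more after many spaces");
storeMessage($file, 'visitor', "<script>alert('xss')</script>");
echo renderFile($file);
unlink($file);
```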