norNerd Posted March 13, 2010

Hi, if I use strlen() to check the length of a string, let's say username, and I make it so users can't have more than 8 characters, will that set a little limit for the injection or will the attackers be able to bypass this in some way? And to avoid scripting, can I just make it so <script></script> isn't allowed, right?

norNerd
boen_robot Posted March 13, 2010

It's really wrong to think of security in terms of blacklisting... attackers will always find a way to bypass a blacklist. Instead, you should think of a whitelist. Also, instead of trying to forbid a character or a character combo, allow it in a way that will make it harmless.

In the case of SQL injections, this means using mysql_real_escape_string() to escape any data being inputted. In the case of XSS attacks (one involving inserting a script element, as per your second example), the best way to stay secure is to either disallow (X)HTML completely, escaping everything with htmlentities() or htmlspecialchars() instead. Alternatively, (what I'd instead use) create an XML Schema or DTD with only the elements and attributes that you allow (again - a whitelist), and validate any input against that. Option 3 (and what forums and Wikis use) is to create your own pseudo language, à la BBCode or Wiki code, and turn that into predefined pieces of HTML.
jeffman Posted March 13, 2010

Keep in mind that inline script can always be embedded in HTML tags, and that there is no practical limit to its length. And it won't be caught if all you're screening out is a <script> tag.
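The whitelist approach from boen_robot's reply and jeffman's point that screening for a <script> tag is not enough, as an added PHP example that is not from any poster in this thread. It assumes a hypothetical `users` table and uses PDO with an in-memory SQLite database so it runs stand-alone; the thread discusses MySQL and mysql_real_escape_string(), while this example binds the value through a prepared statement instead. The function names (`validate_username`, `insert_user`, `render_username`) are this example's own.

```php
<?php
// Added example (not from the thread): whitelist validation, a prepared
// statement and output encoding as an alternative to blacklisting.
declare(strict_types=1);

// Whitelist: only letters, digits and underscore, 1 to 8 characters.
// A length check alone (strlen) says nothing about *which* characters
// are present; the character class is what makes the value safe to use.
function validate_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,8}$/', $name) === 1;
}

// Store the user with a prepared statement: the value is bound as data,
// so the database never interprets it as SQL whatever it contains.
// (Hypothetical table "users"; PDO + SQLite in memory keeps the example
// self-contained.)
function insert_user(PDO $db, string $name): bool
{
    if (!validate_username($name)) {
        return false;                // reject, do not try to "clean" it
    }
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

// Output encoding: whatever is stored is rendered as text, never as
// markup, so a <script> element or an inline event handler attribute
// inside a tag is displayed literally instead of executed. This holds
// regardless of the value's length or which tag names it contains.
function render_username(string $name): string
{
    return '<span class="user">'
         . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '</span>';
}

// Demonstration with constructed sample values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

foreach (['alice_1', "o'brien", '<b>hi</b>', 'toolongname'] as $candidate) {
    $ok = insert_user($db, $candidate);
    printf("%-14s %s\n", var_export($candidate, true), $ok ? 'stored' : 'rejected');
}

// Even a value that slipped past validation on some other path is
// neutralised at output time.
echo render_username('<b>hi</b>'), "\n";
```

Two layers are at work here: the whitelist decides what is accepted at all, and the prepared statement plus output encoding make the accepted value harmless in each context it is used in (SQL, HTML). The length limit from the original question is kept, but it is the character class and the context-specific encoding that actually remove the risk.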