Smarty
andre Smarty Pro
Joined: 23 Apr 2003 Posts: 164 Location: Karlsruhe, Germany
Posted: Fri Oct 10, 2003 9:26 am Post subject:
For avoiding CSS (cross-site scripting) attacks I am using a very dirty trick
(Trick 17, sneaking up on it):
The superglobals $_POST, $_GET, $_COOKIE, $_FILE and $_REQUEST can be changed by PHP. So I have a small function checking all of them for suspicious code and stripping unwanted (css) tags out.
The developers are discouraged from using $_POST, $_GET directly. But if they do, they still won't make the whole system too insecure.
The script itself is stolen from PostNuke (www.postnuke.com) and works quite well.
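An added example of the approach described in the post above; it is not andre's function and not the PostNuke script he refers to. It walks $_GET, $_POST, $_COOKIE (keys included, since keys are client-controlled too) and rewrites them in place, then rebuilds $_REQUEST from the cleaned copies. The sample request values at the bottom are constructed, $_FILES is left untouched on the assumption that its entries are server-generated metadata rather than user text, and the GET/POST/COOKIE merge order for $_REQUEST is an assumption that should match the server's request_order setting.

```php
<?php
// Added example: recursively neutralise HTML in the request superglobals so
// that a developer who reads $_GET['name'] directly and echoes it does not
// produce reflected XSS. Assumes every request value is meant as plain text.

function sanitize_request_value($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            // Keys are attacker-controlled as well (?a[<script>]=1), so they
            // get the same treatment as values.
            $clean[sanitize_request_value($key)] = sanitize_request_value($item);
        }
        return $clean;
    }
    // Drop tags first, then encode what remains so stray quotes and angle
    // brackets cannot break out of an attribute or element when echoed.
    $value = strip_tags((string) $value);
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function sanitize_superglobals()
{
    $_GET    = sanitize_request_value($_GET);
    $_POST   = sanitize_request_value($_POST);
    $_COOKIE = sanitize_request_value($_COOKIE);
    // $_REQUEST is a merged copy of the others; rebuild it from the cleaned
    // arrays so it cannot hand back a raw value. Merge order is an assumption
    // (GET, then POST, then COOKIE overriding) and should follow request_order.
    $_REQUEST = array_merge($_GET, $_POST, $_COOKIE);
}

// Constructed sample input, standing in for a real request:
$_GET    = array('q' => '<script>alert(1)</script>', 'tags' => array('a<b', '"x"'));
$_POST   = array('name' => "O'Reilly");
$_COOKIE = array();

sanitize_superglobals();

// After sanitising, none of these can inject markup when echoed directly.
var_dump($_GET['q']);
var_dump($_GET['tags']);
var_dump($_POST['name']);
var_dump($_REQUEST['name']);
```

Two caveats worth knowing before adopting this pattern: it changes the data itself rather than the output (strip_tags drops everything after an unmatched `<`, so a legitimate "a<b" loses its tail, and values stored in a database arrive already HTML-encoded), and it does nothing for other sinks such as SQL strings, so it is a safety net under careless code, not a replacement for escaping at the point of output.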
moenm Smarty Rookie
Joined: 24 Jun 2003 Posts: 5
pt2002 Smarty Regular
Joined: 05 May 2003 Posts: 89 Location: Porto, Portugal
Posted: Mon May 24, 2004 11:30 am Post subject:
Hello
Is it possible to use this function (bulk_assign) with plugins like html_select_date, html_select_time, html_options, html_checkboxes?
TIA
Greetings
pt2002
alexkkk Smarty n00b
Joined: 08 Dec 2007 Posts: 1
Posted: Sat Dec 08, 2007 4:06 pm Post subject: small problem with php get and post
I am not able to assign or check GET and POST variables.
register_globals is on.
post1 and message are form variables.
If I try to check
if ($post1=="Posted")
$post1 contains "Posted",
but I am not getting this as true.

<?php
// Form fields arrive as plain variables because register_globals is on
echo $post1;
echo $message;
// Connection settings come from the $config array
$sql = mysql_connect($config['mysql_host'], $config['mysql_user'], $config['mysql_pass']);
mysql_select_db($config['mysql_name'], $sql);
if ($post1 == "Posted")
{
    $articleAuthor = ucwords(trim($_SESSION['auth']['username']));
    $articleTitle = addslashes(trim($title));
    $articleMessageIntro = addslashes(nl2br(trim($messageintro)));
    $articleMessage = addslashes(nl2br(trim($message)));
    $articlePostDate = date("l, F jS, Y \a\\t h:i:s A");
    mysql_query("INSERT INTO news (subject, poster, intro, message, date) VALUES ('{$articleTitle}', '{$articleAuthor}', '{$articleMessageIntro}', '{$articleMessage}', '{$articlePostDate}')");
    header('Location: jj');
}
mysql_close($sql);
?>
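An added example, not alexkkk's code: the same news-insert handler rewritten so that it no longer depends on register_globals (each form field is read explicitly from $_POST, which is also why the original comparison cannot silently see a stale or missing variable) and so that the values reach MySQL as bound parameters rather than through addslashes() and string interpolation. The $config keys and the $_SESSION['auth']['username'] layout are taken from the post above; the mysqli connection, the helper names and the redirect target are assumptions.

```php
<?php
// Added example: explicit $_POST access plus a parameterised INSERT.
// $config and the session layout are assumed to match the post above.

function read_post_field($name, $default = '')
{
    // Explicit lookup works with register_globals off and makes it obvious
    // which variables come from the client.
    return isset($_POST[$name]) ? trim($_POST[$name]) : $default;
}

function insert_news(mysqli $db, $title, $intro, $message, $author)
{
    $stmt = $db->prepare(
        'INSERT INTO news (subject, poster, intro, message, date) VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $postDate = date("l, F jS, Y \a\\t h:i:s A");
    // Values travel separately from the SQL text, so quotes or backslashes
    // in a title or message cannot alter the statement; no addslashes().
    $stmt->bind_param('sssss', $title, $author, $intro, $message, $postDate);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

session_start();

if (read_post_field('post1') === 'Posted') {
    $db = new mysqli($config['mysql_host'], $config['mysql_user'],
                     $config['mysql_pass'], $config['mysql_name']);
    if ($db->connect_error) {
        die('database connection failed');
    }
    $author = ucwords(trim($_SESSION['auth']['username']));
    // nl2br() is kept only so the stored format matches the original handler;
    // converting at output time would be the cleaner choice.
    $ok = insert_news(
        $db,
        read_post_field('title'),
        nl2br(read_post_field('messageintro')),
        nl2br(read_post_field('message')),
        $author
    );
    $db->close();
    header('Location: index.php'); // placeholder redirect target
    exit;
}
```

With the fields read this way the check in the post becomes `read_post_field('post1') === 'Posted'`, which returns an empty string (and so fails cleanly) when the form did not send post1 at all, instead of depending on whatever register_globals happened to define.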