Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

clever preventing from sql injects ... using smartyValidate?

 
Post new topic   Reply to topic    Smarty Forum Index -> Add-ons
View previous topic :: View next topic  
Author Message
eingfoan
Smarty n00b


Joined: 08 Feb 2005
Posts: 4

PostPosted: Thu Feb 10, 2005 4:13 pm    Post subject: clever preventing from sql injects ... using smartyValidate? Reply with quote

hi all,

i am very new to smarty validate....
but some questions came to my mind when starting to use smarty validate ....

one is: is it clever writing a smarty validate plugin for preventing from
Evil or Very Mad cross site scripting and or Evil or Very Mad SQL injection ?

please give me some hints why or why not in my opinion itwould be ok!

thx chris
Back to top
View user's profile Send private message MSN Messenger
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7367
Location: Lincoln Nebraska, USA

PostPosted: Thu Feb 10, 2005 5:01 pm    Post subject: Reply with quote

Fundamentally, it is a good idea to scrub your form data. Always test that the data you get is restricted to what you expect. If a number is expected, make sure you get a number. Now there are cases where you have freeform elements (such as a text area) where restrictions are not so discreet. SQL injections should not be a problem there, you wouldn't normally be creating SQL queries from freeform text. Cross-site scripting could be a problem there though, and you could restrict certain patterns that resemble things like javascript code with SmartyValidate.

That said, SmartyValidate can help with some basic syntax tests, but the proper place to handle these things is not with SmartyValidate.

For SQL injection, this should be handled at SQL query time. You might use some helper classes to assist you such as SafeSQL. You're query would look like $sql->query("insert into foobar values ( '%s','%s','%s' )", array($foo,$bar,$blah)); and the values would be properly escaped.

For cross-site scripting, this should be handled at display time. So for example, in your template you might use an escape modifier {$myvar|escape} so malicous code won't be interpreted by the browser.

With the above in mind, your data could come from anywhere (maybe not SmartyValidate or even from a form) and you'll still be doing the correct injection tests in your code.

hth
Back to top
View user's profile Send private message Visit poster's website
eingfoan
Smarty n00b


Joined: 08 Feb 2005
Posts: 4

PostPosted: Fri Feb 11, 2005 8:00 am    Post subject: THANKS Reply with quote

if i understood you in the right way

Quote:

For cross-site scripting, this should be handled at display time. So for example, in your template you might use an escape modifier {$myvar|escape} so malicous code won't be interpreted by the browser.


you would for example prefer that all variables that are assigned to smarty itself for displaying are checked by an escaping mechanism so that scripting code would not take effect!

right?

btw: in my prjects sql injection is prevented always in db layer ....

thanks for answeres
chris
Back to top
View user's profile Send private message MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> Add-ons All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP