Smarty
eingfoan Smarty n00b
Joined: 08 Feb 2005 Posts: 4
Posted: Thu Feb 10, 2005 4:13 pm Post subject: clever preventing from sql injects ... using smartyValidate?
hi all,
i am very new to smarty validate....
but some questions came to my mind when starting to use smarty validate ....
one is: is it clever writing a smarty validate plugin for preventing from
cross site scripting and or SQL injection ?
please give me some hints why or why not in my opinion it would be ok!
thx chris
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Thu Feb 10, 2005 5:01 pm Post subject:
Fundamentally, it is a good idea to scrub your form data. Always test that the data you get is restricted to what you expect. If a number is expected, make sure you get a number. Now there are cases where you have freeform elements (such as a text area) where restrictions are not so discrete. SQL injections should not be a problem there, you wouldn't normally be creating SQL queries from freeform text. Cross-site scripting could be a problem there though, and you could restrict certain patterns that resemble things like javascript code with SmartyValidate.
That said, SmartyValidate can help with some basic syntax tests, but the proper place to handle these things is not with SmartyValidate.
For SQL injection, this should be handled at SQL query time. You might use some helper classes to assist you such as SafeSQL. Your query would look like $sql->query("insert into foobar values ( '%s','%s','%s' )", array($foo,$bar,$blah)); and the values would be properly escaped.
For cross-site scripting, this should be handled at display time. So for example, in your template you might use an escape modifier {$myvar|escape} so malicious code won't be interpreted by the browser.
With the above in mind, your data could come from anywhere (maybe not SmartyValidate or even from a form) and you'll still be doing the correct injection tests in your code.
hth
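The three layers mohrt describes (validate at input time, handle SQL at query time, escape at display time), as an added example in plain PHP that is not from this thread or the Smarty project. PDO with an in-memory SQLite database stands in for the SafeSQL helper, the table and the age policy are constructed for the example, and escapeForHtml() does what the {$myvar|escape} modifier does in a Smarty template.

```php
<?php
// Added example, not from the thread: mohrt's three layers in plain PHP so it
// runs without Smarty. PDO replaces the SafeSQL helper from the reply.

// Layer 1: validate at input time. Only accept what you expect.
function validateAge(string $raw): ?int {
    // ctype_digit rejects signs, spaces and anything non-numeric
    if (!ctype_digit($raw) || strlen($raw) > 3) {
        return null;                        // constructed policy: 0..999
    }
    return (int) $raw;
}

// Layer 2: handle SQL injection at query time with a prepared statement.
// Values travel as bound parameters and are never spliced into the SQL text.
function insertComment(PDO $db, int $age, string $name, string $comment): void {
    $stmt = $db->prepare(
        'INSERT INTO foobar (age, name, comment) VALUES (:age, :name, :comment)'
    );
    $stmt->execute([':age' => $age, ':name' => $name, ':comment' => $comment]);
}

// Layer 3: handle cross-site scripting at display time. This is what
// {$comment|escape} does in a Smarty template (HTML escaping with ENT_QUOTES);
// the database keeps the raw text, so the same value can also be shown as
// plain text, JSON, etc. with the escaping that fits that context.
function escapeForHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, as a form submission would deliver it.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE foobar (age INTEGER, name TEXT, comment TEXT)');

$age     = validateAge('42');
$name    = "O'Brien";                                // apostrophe would break a naive query
$comment = '<script>alert(1)</script> nice post';   // freeform text, stored as-is

if ($age !== null) {
    insertComment($db, $age, $name, $comment);
}

foreach ($db->query('SELECT name, comment FROM foobar') as $row) {
    // The browser receives literal text, not an executable script.
    echo escapeForHtml($row['name']), ': ', escapeForHtml($row['comment']), "\n";
}
```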
eingfoan Smarty n00b
Joined: 08 Feb 2005 Posts: 4
Posted: Fri Feb 11, 2005 8:00 am Post subject: THANKS
if i understood you in the right way
Quote:
For cross-site scripting, this should be handled at display time. So for example, in your template you might use an escape modifier {$myvar|escape} so malicious code won't be interpreted by the browser.
you would for example prefer that all variables that are assigned to smarty itself for displaying are checked by an escaping mechanism so that scripting code would not take effect!
right?
btw: in my projects sql injection is prevented always in db layer ....
thanks for answers
chris