Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 months ago.
Improve this question
I am using codeigniter php MVC framework to develop a web application. I have an input textarea that I would like to validate the input on. Basically it is similar to the textarea that I am typing in right now for stackoverflow, minus most (maybe all) of the formatting features that it has. Is there a simple built in way of doing this in codeigniter? If not, what would be the best way to approach this? Basically I want the input filtered and formatted properly both before writing to the database and also for retrieving the text for display on the page. I assume I would need all the basic regex checks and character escaping (like double quotes etc.) as well as sql injection protection. Thanks in advance!
you can use the same SO editor or markdown or a regular WYSIWYG for user's input.
Regarding security or sql injection, look at html purifier. you have a nice comparative here that can help you to see which one is the best for you... remember that more rules to check usually means more overhead
What you're trying to do sounds more like sanitizing your input, not validating. If you use CodeIgniter's ActiveRecord functions, you will be protected from SQL injections. For everything else, you'll have to write on your own code, probably in a function in your model before you send it to the database.
CodeIgniter has its own Form Validation library. See link text.
It "... provides a comprehensive form validation and data prepping class that helps minimize the amount of code you'll write."
Of course, it is server-side validation. You might want to look at jQuery's Validation plugin for your client-side validations. See link text.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 months ago.
Improve this question
I'm trying to offer to the users (will be open to the internet, anyone can register) a WYSYWIG editor where users can input BLADE code to code their pages.
I want to provide them with the ability to create small functions to parse arrays/strings so I saw the #php tag of Blade useful for this.
My question: I can't find anywhere if this is like a sandboxed environment where only certain "safe" functions can be run or if this is more like an eval() and thus allowing people to basically inject PHP code to destroy the server and/or pull sensitive content?
I tried testing running basic commands with blade, but I would like a professional opinion on whether it's a bad idea regarding security (like, know exploits or other performance issues)
Thank you
Having a WYSIWIG open to the public on it's own has it's own challenges, because you will have to look into sanitizing the input/output otherwise you'll be opening yourself up to XSS attacks.
Allowing PHP code as well is obviously going to have lots of security risks, I wouldn't advise it personally - but it is technically possible. There are other online php sandbox editiors available, how exactly they secure themselves is beyond me. There are a lot of clever tricks that can be done, trying to whitelist or blacklist functions you deem as safe/unsafe is probably the way to go - but I still personally wouldn't feel comfortable implementing something like that. You may think you've covered all possible attacks, but it only takes one that bypasses what you've setup to essentially take over your server.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Currently I am working on a contact form(E-mail contact form) for somebodies website.
After some research, I heard that there were ways of securing you're contact form and that got me thinking.
1.Is there an actual big threat if you don't "secure" you're contact form other then spams ? What would be the worse possible scenario ?
2.If I were to follow some guidelines on how to make a contact form that is secure, where would be the best place to start ? (Plugins, tutorials any recommendations would help !)
Thanks guys !
1.Is there an actual big threat if you don't "secure" you're contact form
You need to treat all user input as a potential threat. It's your responsibility to mitigate potential threats according to your exposure.
The severity of a threat can't be generalized: you need to look at the value of your assets, the visibility of the application, and the type of attacker you may encounter (automated/passive or targeted/active).
2.If I were to follow some guidelines on how to make a contact form that is secure, where would be the best place to start ? (Plugins, tutorials any recommendations would help !)
Many application frameworks come with some form security features but you are still responsible for understanding the mechanics. There is no such things as a turn-key security: context is everything.
Security is a deep topic but here are some guidelines:
never trust user supplied data
prefer whitelisting to blacklisting; if you can't whitelist than you really have to understand output escaping
in fact either way you really need to understand output escaping: understanding data in context and escaping output appropriately is essential
understand the http protocol and understand how php abstracts it
Here some good jumping off points:
http://phpsec.org/projects/guide/2.html
http://php.net/manual/en/intro.filter.php
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
https://github.com/padraic/phpsecurity
https://leanpub.com/securingphp-coreconcepts
https://leanpub.com/buildingsecurephpapps
"Security" is an extremely broad topic, but for starters you can secure the data being transferred by buying a (--or generating your own self-signed) SSL certificate. That will encrypt any data sent to your form. Whether or not you need the encryption depends on what kind of info you're asking for. If you're just asking for suggestions you probably don't need it to be too secure, but if you're requesting sensitive info like CC numbers or SSNs it's actually illegal not to have SSL (at least here in the states).
http://www.akadia.com/services/ssh_test_certificate.html
https://www.youtube.com/watch?v=iQsKdtjwtYI
http://franz.com/support/tutorials/ssl-tutorial.htm
http://google.com
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I have a javascript-based rich text editor.
What is the safest way to save the tags it generates?
I'm using MySQL as my database.
I'm not sure if using mysql_real_escape_string($text); is safe.
I can't think of a reason to use htmlentities here. mysql_real_escape_string is vital here because it prevents people from injecting malicious SQL code like ';DROP * FROM table foo;-- into you database. I'd try it without htmlentities, if you find that you need to convert to entities then you could try htmlspecialchars instead which only converts special characters.
If you want to limit the allowed HTML in your form you might also want to look into the strip_tags function.
Relevant documentation:
http://us2.php.net/manual/en/function.htmlentities.php
http://us2.php.net/manual/en/function.htmlspecialchars.php
Good luck
I'd recommend that you use mysqli to interface with the database, that way you don't need to escape data and get a complete protection against SQL injections. You may of course still need to protect against HTML injections.
You do not need to write the string of text to a JavaScript file. If you need it to be handled by JavaScript I suggest that you fetch the data using an XMLHttpRequest (which contrary to what the name suggests does not require your data to be in XML form).
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 3 years ago.
Improve this question
Is there any PHP refactoring tool that would transform a huge noodle code to a proper function based one?
No, you can't do that automatized. Static analysis may reformat your code, eliminate bad practices or inform you about security vulnerabilities, but it can't turn your code into nice and clean OOP.
2019+ answer
Nowadays you can use a tool called Rector (I'm author of).
It uses nikic/php-parser, static analysis and node based rules. That means you can e.g. rename every case of function strlen to Nette\Utils\Strings::length().
Or basically anything you want to. Many rules are supported from in the core code (see Rector on Github), e.g. upgrade from PHP 5.2 throughout to 7.4.
But it can be configured to do what you want. It will take some thinking to determine how to detect what should be extracted and what not. If you can put the transformation into words as a human, it's possible to put that into PHP code so it will do everywhere in your code for you.
Zend Studio (for Eclipse) has support for refactoring code - it allows you to select a piece of code and extract functions/methods. For example:
It also allows for renaming of variables to further clean up your code. While this is not a fully automated solution, it will significantly help you clean up the mess. Hope this helps.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
I'm just wondering if anyone knows of a class that exists for handling user comments already. I can always write my own, but I figure I wouldn't re-invent the wheel if there is one out there.
Id like to be able to display a comment form, manipulate/validate/sanitize user input, and possibly more functions such as inserting into a database.
If anyone knows of any classes/packages that already implement this sort of thing, I'd love it if they could share.
Thank you,
Aside from collaborating with a 3rd party ASP-style vendor (like Pluck), I'm not sure you're going to find something like this.
I've seen components to support comments in the ORM (such as Commentable Behavior Plugin for Propel within symfony) but that doesn't give you anything in the way of forms, sanitization, display, user validation, etc.
And then there's the question of features: Do you want flaggable comments? Rich HTML? Emoticons? URL Parsing? Nested comments? Moderation tools? Profanity filtering?
I suppose all of this depends heavily on what type of existing system you're adding this to, as well (can you leverage AJAX? MVC? Postbacks? etc) but really I think it's a fairly broad topic which is why you'll probably just want to roll your own.
Another 3rd party option is www.kickapp.com which seems to be pretty decent.