Sanitizing SQL in Rails where conditions may be NULL
sql,ruby-on-rails,activerecord,sanitization
It looks like the error is being thrown in the reset_table_name method at https://github.com/rails/rails/blob/7bb620869725ad6de603f6a5393ee17df13aa96c/activerecord/lib/active_record/model_schema.rb#L160 so maybe this method is not designed to work on the ActiveRecord::Base class. Assuming you have got a model class for Folder this should work: Folder.send(:sanitize_sql_hash, {user_id: current_user.id, parent_id: params[:parent_id]}) In a quick test I got...
Laravel HTML and SQL sanitisation
php,html,sql,laravel,sanitization
SQL sanitisation is handled automatically. From the docs: Note: The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings. Blade templates automatically escape variables when using curly brackets, e.g. {{ $var }}....
angular-translate sanitisation fails with UTF characters
javascript,angularjs,sanitization,angular-translate
At the moment, you have two options: Use the strategy sanitizeParameters which will only sanitize the dynamic parameters, but not the actual translation (template). If you have the translation under control (but not the dynamic values), this will work. Use the strategy escape (or escapeParameters) which does not use sanitization...
Sanitize and Highlight Text with HTML at the same time
Sanitize both your data AND the query. Then the sanitized query will still be found in the sanitized HTML data. function sanitize_and_highlight_search_result($data, $query){ $sanitized = sanitize($data); $query = sanitize($query); return str_replace( $query, '<span class="highlight">' . $query . '</span>', $sanitized ); } Example: http://3v4l.org/R9n9U...
How to validate and sanitize array of data in php?
php,arrays,validation,sanitization
You can use foreach to loop through all values of an array. In the loop you can push your filtered values to a new array $subCategory (e.g.). E.g.: $subCategory = $_POST['subCategory']; $subcategories = array(); if (!empty( $subCategory ) && is_array( $subCategory ) ) { foreach( $subCategory as $key => $value...
Should I implement user data sanitization/validation as middleware?
php,validation,middleware,slim,sanitization
Using global middleware doesn't make sense as you end up coupling every endpoint's parameter list together. The two options I would consider are: Implement as route middleware so that you can have different filtering/validation for each endpoint. e.g. function fooFilter() { // filter/validate GET variables here and set back into...
Is there a better way to sanitize input with javascript?
javascript,regex,string,xpages,sanitization
The new version of the sanitizeString function: function sanitizeString(str){ str = str.replace(/[^a-z0-9áéíóúñü \.,_-]/gim,""); return str.trim(); } The main problem was mentioned by @RobG and @Derek: (@RobG write your comment as an answer and I will accept it) \s doesn't mean what now w3Schools says Find a whitespace character It means...
Sanitizing a Vaadin RichTextArea
java,javascript,security,vaadin,sanitization
As you are not able or willing to use other libraries then Java or from Vaadin, the easiest one to use is JSoup, which comes with Vaadin 7 (vaadin-server depends on it). E.g: Jsoup.clean(richTextArea.value, Whitelist.simpleText()) See Jsoup.clean and Whitelist...
Is this a good Sanitization function?
My question is, is this the best way of using this sanitization function? This is a good way to perform sanitization. All sanitization methods will improve over time. Is there a better way of going about this? If it is a web application that is providing you user input,...
Effective protection function against SQL injection
php,mysql,sql,sql-injection,sanitization
The short answer is that it's not safe at all. Here's what's wrong with it... You're checking get_magic_quotes_gpc, which has been removed from PHP for years You're using htmlentities to encode the string if magic quotes is on, but not if it's off (way to corrupt your data) Why are...
Can an SQL injection be made with a single word in a SELECT statement?
php,mysqli,sql-injection,sanitization
You can still exploit this using hex coding: stripping spaces is not enough. I guess this is a somewhat interesting place to start. But consider that preg_match()es are pretty bad for performance on high traffic sites. Prepared statements and parameterized queries are always the best way to prevent SQL injections....
Data validation / Sanitization callback function
By default, the Customizer does not handle validation and sanitization of the user input values. It is therefore essential to sanitize these values before saving them to the database. The add_setting() method of the WP_Customizer object accepts an 'sanitize_callback' argument, that can be used to specify a sanitization callback. So,...
How to sanitize form values to allow text-only
coldfusion,sanitization,coldfusion-11,antisamy
While you could use AntiSamy to do it, I don't know how sensible that would be. Kinda defeats the purpose of it's flexibility, I think. I'd be curious about the overhead, even if minimal, to running that as a filter over just a regex. Personally I'd probably opt for the...
Is it safe to unescape ampersand for user input?
php,html,html-entities,sanitization
If your entities are displayed as text, then you're probably calling htmlspecialchars() twice. If you are not calling htmlspecialchars() twice explicitly, then it's probably a browser-side auto-escaping that may occur if the page containing the form is using an obsolete single-byte encoding like Windows-1252. Such automatic escaping is the only...
Mass PHP variables form sanitation
php,forms,for-loop,sanitization
If you need each variable name separate (not in an array) like in your example: foreach($_POST as $key => $val) { $$key = test_input($val); } ...
Is .text() safe or not to sanitize data? [JQuery]
From jQuery .text() article: We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode(), does not interpret the string as HTML. This means that the data gets stored to...
Separating array values into multiple arguments
php,arrays,function,arguments,sanitization
Use the ReflectionMethod class ... $bindParamReflection = new \ReflectionMethod($expr, 'bind_param'); $args = $values; array_unshift($args, $type); $bindParamReflection->invokeArgs($expr, $args); ... ...
Should i sanitize $_POST data if used in if statement?
php,post,sanitization,sanitize
The short answer is no; for an if statement, your code is safe. However, if you edit the code later, you should use prepared statements in you database queries....
PHP combine parse_str with trim or any other sanitize filter
Try this instead: parse_str($_REQUEST['data'], $v); $v = array_map('trim', $v); If you want to trim whitespace from each element in the query string, first convert your query string to an array with parse_str(), then trim() each resulting element of that array. EDIT Based on one of your comments above, you may...
How can I catch ngSantitize errors and display the html as escaped text
html,angularjs,sanitization,html-sanitizing
I ended up creating a directive to do this. Here is how it is used. <div ng-bind-html-if-safe="SomeHtml"></div> The source for the Directive can be found here....
Sanitizing url and parameters
validation,security,sanitization
As you are appending params_str_submitted_by_user to the base URL after the ? delimiter, you are safe from this type of attack used where the context of the domain is changed to a username or password: Say URL was http://example.com and params_str_submitted_by_user was @evil.com and you did not have the /...
When to validate/sanitize the arguments of an overridden method?
php,validation,oop,sanitization,method-overriding
I normally use as general guide line: If the base function is called in the overridden function as first statement, the verification is done already in the overridden function. In some cases additional verifications need to be added in the overridden function. Unless the base function changes the variables used...
safest way to take user input, put it on database, and the output it using php [closed]
php,codeigniter,xss,sanitization,input-sanitization
What did you expect from CI XSS filtering that you think it is not working properly? To answer your questions, follow all these steps: Validate user input data first (and before doing anything with it) instead of filtering and correcting it, do this using CodeIgniter Form Validation Class Guide Link:...
What does FILTER_SANITIZE_STRING do?
According to PHP Manual: Strip tags, optionally strip or encode special characters. According to W3Schools: The FILTER_SANITIZE_STRING filter strips or encodes unwanted characters. This filter removes data that is potentially harmful for your application. It is used to strip tags and remove or encode unwanted characters. Now, that doesn't tell...
Sanitizing a Date
php,sanitization,input-sanitization
If your date is like "03/02/2014" then you can simply clean your variable by regexp: $date = preg_replace("([^0-9/])", "", $_POST['date']); This allows only digits (0-9) and fwd slash (/)....
Sanitising a JSON String value in Java
java,json,escaping,sanitization,org.json
You seem to be quoting this part of the Javadoc Strings may be quoted with ' (single quote). which is preceded by The texts produced by the toString methods strictly conform to the JSON syntax rules. The constructors are more forgiving in the texts they will accept: JSON strings are...
CI - Sanitizing the form inputs from quotes
php,forms,codeigniter,sanitization,codeigniter-form-helper
I am not super sure about the issue you were having but editing the system file to fix it is not a great idea. You should never change anything in the system folder, the proper way to make your change would be to extend the form helper by creating the...
Putting unsanitized data in header() function
php,security,header,sanitization
URL parameters are not executed, so you're not opening yourself up to attack. However, failing to encode the data may cause the parameter to be interpreted incorrectly. You should use urlencode(): $foo = urlencode($foo); header("Location: /bar.php?foo=$foo"); ...
Sanitizing sqlite statements
android,sqlite,escaping,sanitization
The most dangerous part of SQLite is the load_extension function, but it's disabled by default (and on Android, you cannot enable it even if you wanted to). With the ATTACH DATABASE statement, it is possible to open any other database file that the process can access (which, on Android, is...
Is it safe to use the django safe filter in text only emails?
python,django,django-templates,sanitization
Yes. As long as you are enforcing that the email is sent as text, then any HTML (or other unsafe content) should not be rendered by email clients, but instead the source will just be shown as text....
How to sanitize X-Editable value *before* editing?
javascript,twitter-bootstrap,sanitization,x-editable
See the plunker http://plnkr.co/edit/Vu78gRmlKzxrAGwCFy0b. From X-editable documentation it is evident you can use value property of configuration to format the value you want to send to the editor as shown below. Element displaying money value in your HTML: <a href="#" id="money">12.000.000,00</a> Javascript code in your HTML: <script type="text/javascript"> $(document).ready(function() {...