PHP Classes

There is no HTML escaping in the form inputs, so basically if...


Subject:There is no HTML escaping in the...
Summary:Package rating comment
Messages:4
Author:Artur Graniszewski
Date:2011-03-04 15:25:21
Update:2011-03-06 14:17:52
 

Artur Graniszewski rated this package as follows:

Utility: Sufficient
Consistency: Good
Examples: Sufficient

1. There is no HTML escaping in the...
Artur Graniszewski - 2011-03-04 15:25:21
There is no HTML escaping in the form inputs, so basically if someone sends plain HTML into the database, they can easily attack your website with XSS injections or just alter your page contents.

There is also no SQL escaping, so there is a potential risk that someone will send a column name as a SQL string and do an SQL injection.

Try to use mysql_real_escape_string() and htmlspecialchars().

What's more, there is no simple way to override the default English errors to localize them in a different language (there is no way to inherit this class and override/use some of its methods, because they are private, not protected).

2. Re: There is no HTML escaping in the...
razvan - 2011-03-04 17:34:14 - In reply to message 1 from Artur Graniszewski
Hello! Thank you for your comments.
First of all, I'm a beginner and I hope to improve my skills quickly; that's why I started posting on PHPClasses.

About the HTML escaping ...
When I started this class I thought a lot about this.
Should I do the escaping in this class?
Should I make another class for that or even use a validating class I found here, on PHPClasses?

I decided I'll use another class for that.

So, if you want to control the data you put in this class to generate the form, you need to use another class for that.

The form is generated with this class, and after that you have to use another class to deal with HTML tags, SQL injection or validating the data... etc.

As for the select box / radio buttons generated using a table from the database, I figured that if I use it for my site, I'm not gonna try to do SQL injection on my own site.
But now, since you've told me, I think I'm gonna secure that part in a few days.

And if you want to modify the "error" part, please send me the code and I'll put it there.

Thanks !
3. Re: There is no HTML escaping in the...
Artur Graniszewski - 2011-03-04 19:01:24 - In reply to message 2 from razvan
Hi,

Just change "private" to "protected". It will allow anyone to inherit your class and override those methods with custom ones (for example with error strings in different languages).

SQL and XSS injection is sometimes seen in funny scenarios. You never know what input has been saved in your database by the user.
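As an added example, not code from the Build Form Class package, here is a hypothetical form builder that applies the three points raised in messages 1 and 3: HTML escaping of every emitted name and value, a whitelist for table and column names (escaping functions such as mysql_real_escape_string() protect string literals, not identifiers), and protected rather than private members so a subclass can supply localized error strings. PDO is assumed in place of the mysql_* functions; all class, method and table names are invented for the illustration.

```php
<?php
// Added example (hypothetical names), not code from the Build Form Class package.
class SafeFormBuilder
{
    // protected rather than private, so a subclass can override the messages.
    protected $errors = array('bad_column' => 'Unknown table or column requested.');
    // Only these identifiers may be used to build a select box: escaping
    // functions such as mysql_real_escape_string() do not protect identifiers.
    protected $allowedTables  = array('users');
    protected $allowedColumns = array('id', 'name', 'country');

    protected function esc($s)
    {
        // ENT_QUOTES also covers single quotes inside attribute values.
        return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    }

    protected function message($key)
    {
        return isset($this->errors[$key]) ? $this->errors[$key] : $key;
    }

    // Text input: stored HTML such as <script> is rendered as literal text.
    public function textInput($name, $value = '')
    {
        return '<input type="text" name="' . $this->esc($name)
             . '" value="' . $this->esc($value) . '">';
    }

    // Select box filled from a database column: both identifiers are checked
    // against the whitelist before they are placed in the query.
    public function selectFromColumn(PDO $db, $name, $table, $column)
    {
        if (!in_array($table, $this->allowedTables, true)
            || !in_array($column, $this->allowedColumns, true)) {
            throw new InvalidArgumentException($this->message('bad_column'));
        }
        $html = '<select name="' . $this->esc($name) . '">';
        foreach ($db->query("SELECT `$column` AS v FROM `$table`") as $row) {
            $v = $this->esc($row['v']);
            $html .= '<option value="' . $v . '">' . $v . '</option>';
        }
        return $html . '</select>';
    }
}
// Localized messages by inheritance, as message 3 suggests.
class PolishFormBuilder extends SafeFormBuilder
{
    protected $errors = array('bad_column' => 'Nieznana tabela lub kolumna.');
}
```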

4. Re: There is no HTML escaping in the...
Artur Graniszewski - 2011-03-06 14:17:52 - In reply to message 1 from Artur Graniszewski
Good job fixing those issues!