thread: 2006-04-21 : The Marginalia Code
On 2006-04-24, Joshua Kronengold wrote:
Yow. I just had to edit a marginalia post to escape some stuff that was causing the SQL to bomb out—at least apply a regexp to your variables like s/'/'/g, which avoids most of the trivial sql hacking bugs (as well as letting people post things with apostrophes without getting "sql error" on the result side).
This makes mneme go "bah"
that should be s/\'/\\\'/g, of course. Unless this one ends up with the wrong level of escaping too.
This makes mneme go "or..."
have things been fixed such that I can say s/'/\'/g ?
This makes VB go "done, anyway, I'm pretty sure."
At least for your typical levels of escaping. The code's handling single apostrophes again now, at least.
This makes mneme go "*sigh*"
Or even what I meant to say -- s/'/\\'/g. Yours for more obsessive marginalia.
This makes mneme go "yup"
My later commments were more or less recognition of this and testing out the fact that things were being escaped properly. The apostrophes/backslashes showing up above were the exact number I'd typed.
Dunno if you've swhiched over to parametrized queries, but if you have, those don't need escaping, since whatever's in the variable is what gets shovedi nto the db (so HTML escaping is needed to avoid cross-site-scripting issues, but not db escaping).
This makes VB go "HTML ESCAPING! DAMMIT!"
There's more? I hate programming. Hate hate hate. I always have. HATE!
This makes JL go "There's always more..."
Yeah, you'll need an HTML-quoter too. Feed input to HTML-quoter. Feed that to SQL-quoter (or use parameterized queries. For extra paranoia, do SQL quoting and still use parameters). Stick in database.
This makes mneme go "no, that's just wrong"
html excaping should always happen right before you display text -- otherwise, you risk double and tripple escaping the same data, and depending on your dataflow, you still might not catch them all.
I'm not going to do the classic javascript injection test (ie, an alert) because it's obnoxious, but there's html in here that will either be escaped or not.
This makes mneme go "yes..."
html needs to be escaped.
Otherwise, people can steal cookies and all that antisocial crap. (plus they can break later pages by putting a <i&rt; tag in there somewhere.
Sorry, Vincent. I actually enjoy this kind of stuff, but then, I do it for a living.
This makes mneme go "preview would be nice"
I meant <i>, of course.