Posted by Michael Fesser on 01/05/07 04:29
..oO(cwdjrxyz)
>I would just add that you must be very careful with server side
>scripting, or your site can get hacked. People will enter just about
>anything into forms including hacker scripts. Limiting the number of
>characters the form will accept will help.
Maybe, but even short scripts can be malicious.
>Also not allowing certain
>tags such as the script tag also will help.
Not necessary. Instead of trying to prevent people from entering special
chars or elements just take into account that there might be such stuff
in the submitted data and react accordingly. When printing out user data
to a page all you need is proper escaping of quotes, < and & chars. In
PHP this can be done with htmlspecialchars(). Then if someone tries to
enter some bad script it will just be printed as plain text.
The same goes for submitting data to a database. If you use prepared
statements, you can let the "bad guys" enter whatever they want without
any troubles.
>This often is done with
>regular expressions.
In many cases that's not the best way, or is even the wrong one. If you search
for suspicious characters or elements in the user data, odds are high
that you'll miss something. For example there are many different ways to
represent quotes or linebreaks. Is your regex prepared to handle all
those variations, different encodings and sometimes even browser quirks?
a\0x00lert("Hello world");
This works in IE.
Micha
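The approach described in the post above (escape on output, prepared statements on input) as an added PHP example that is not part of the original message; it assumes the pdo_sqlite extension is available so it can run offline against an in-memory database:

```php
<?php
// Added example (not from the original post): output escaping plus a
// prepared statement, both applied to hostile-looking input instead of
// trying to filter that input out.

declare(strict_types=1);

// Escape untrusted text for an HTML context. ENT_QUOTES covers both quote
// styles so the value is safe inside attributes as well as element bodies;
// & and < are always escaped by htmlspecialchars().
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store a comment with a prepared statement: the SQL text and the data are
// sent separately, so quotes in the comment never become SQL syntax.
function storeComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Constructed sample inputs of the kind the post describes.
$samples = [
    '<script>alert("Hello world")</script>',
    "Robert'); DROP TABLE comments; --",
    'plain text with & and "quotes"',
];

// In-memory SQLite (assumed: pdo_sqlite is installed) so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

foreach ($samples as $body) {
    storeComment($db, 'visitor', $body);
}

// Read the rows back and escape on output: the stored text is kept exactly
// as submitted, and the browser receives markup that renders it literally.
foreach ($db->query('SELECT id, body FROM comments') as $row) {
    printf("<li id=\"c%d\">%s</li>\n", $row['id'], escapeHtml($row['body']));
}
```

The first row comes back as `&lt;script&gt;alert(&quot;Hello world&quot;)&lt;/script&gt;`, and the second is stored as an ordinary string because the prepared statement never interprets it as SQL.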