  1. #1  DoubleDee

    Restrict Characters in TITLE attribute?

    I have an "upload_photo.php" script that allows Users to add a "Photo Label" below the Photo they are uploading.

    This gets displayed using the TITLE attribute in the IMG tag.

    Is there any reason why I would want to restrict what characters can go in the "Photo Label"?

    Not sure if this is a possible "Attack Vector" or not?

    Thanks,


    Debbie

  2. #2  dklynn

    DD,

    Why ask when you already know the answer to that?

    Of course you've heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I'd be pickier than that but it's a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to \' before submitting in a query).

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  3. #3  ScallioXTX

    Also, as you already know, apply htmlentities() to the title when echoing to prevent XSS.
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy
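    The two answers above cover the two places the label can do harm: the SQL query it is stored with (post #2) and the HTML attribute it is echoed into (post #3). The PHP below is an added example for this thread; it is not DoubleDee's upload_photo.php and not code from either reply. It assumes a `photos` table with `filename` and `label` columns (hypothetical names) and an open mysqli connection in `$db`, and it uses a prepared statement for the insert in place of mysqli_real_escape_string.

```php
<?php
// Added example for this thread; not the original poster's upload_photo.php and not
// code from either answer. Assumed: a table `photos` with columns `filename` and
// `label` (hypothetical names), and an open mysqli connection in $db.

// Input policy (the "restrict characters" question in post #1): an allowlist of
// letters, digits, spaces and a little punctuation, bounded in length. This is a
// usability choice; the two controls below are what actually stop injection and XSS.
function is_valid_photo_label(string $label): bool
{
    return preg_match('/^[\p{L}\p{N} .,\'!?-]{1,100}$/u', $label) === 1;
}

// Storage (post #2's concern): a prepared statement sends the label as a bound
// parameter, separate from the SQL text, so a quote inside it cannot alter the query.
function save_photo_label(mysqli $db, string $filename, string $label): int
{
    $stmt = $db->prepare('INSERT INTO photos (filename, label) VALUES (?, ?)');
    $stmt->bind_param('ss', $filename, $label);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Output (post #3's point): escape at the moment the label is echoed into the
// attribute. ENT_QUOTES is the flag that matters in attribute context: an unescaped
// " or ' could close the attribute and turn the rest of the label into markup.
function photo_img_tag(string $src, string $label): string
{
    $flags     = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $safeSrc   = htmlspecialchars($src, $flags, 'UTF-8');
    $safeLabel = htmlspecialchars($label, $flags, 'UTF-8');
    return '<img src="' . $safeSrc . '" alt="' . $safeLabel . '" title="' . $safeLabel . '">';
}

// Constructed sample labels: one the allowlist accepts, one it rejects. The output
// side escapes both regardless, because the page that renders a label cannot assume
// every row in the table went through this form's validation.
$labels = [
    'Sunset over the lake, 2013',          // passes the allowlist
    'Sunset "over" the lake <3 & friends', // rejected by the allowlist
];
foreach ($labels as $label) {
    printf("valid=%-3s %s\n",
        is_valid_photo_label($label) ? 'yes' : 'no',
        photo_img_tag('uploads/sunset.jpg', $label));
}

// Storing a label needs the live connection, so it is shown but not run here:
// if (is_valid_photo_label($label)) { save_photo_label($db, 'uploads/sunset.jpg', $label); }
```

    One caveat on the htmlentities() advice: in PHP versions before 8.1 the default flags for htmlentities() and htmlspecialchars() do not escape single quotes, so pass ENT_QUOTES explicitly whenever the value lands inside an attribute, as above. The allowlist is optional; the prepared statement and the output escaping are the controls that matter.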

  4. #4  DoubleDee

    Quote Originally Posted by dklynn:
    DD,

    Why ask when you already know the answer to that?
    If I knew the answers I wouldn't be wasting my time here...


    Of course you've heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I'd be pickier than that but it's a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to \' before submitting in a query).

    Regards,

    DK

    I don't understand what I'm supposed to do with mysqli_real_escape_string....


    Debbie

  5. #5  DoubleDee

    Quote Originally Posted by ScallioXTX:
    Also, as you already know, apply htmlentities() to the title when echoing to prevent XSS.
    I have to use htmlentities() for ALT and TITLE attributes?!


    Debbie

  6. #6  ScallioXTX

    Quote Originally Posted by DoubleDee:
    I have to use htmlentities() for ALT and TITLE attributes?!


    Debbie
    Yes. See PM.