Restrict Characters in TITLE attribute?

[DoubleDee]

I have an "upload_photo.php" script that allows Users to add a "Photo Label" below the Photo they are uploading.

This gets displayed using the TITLE attribute in the IMG tag.

Is there any reason why I would want to restrict what characters can go in the "Photo Label"?

Not sure if this is a possible "Attack Vector" or not?

Thanks,


Debbie

[dklynn]

DD,

Why ask when you already know the answer to that?

Of course you've heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I'd be picker than that but it's a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to ' before submitting in a query).

Regards,

DK

[ScallioXTX]

Also, as you already know apply, htmlentities() to the title when echo'ing to prevent XSS.

[DoubleDee]

DD,

Why ask when you already know the answer to that?

If I knew the answers I wouldn't be wasting my time here...

Of course you've heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I'd be picker than that but it's a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to ' before submitting in a query).

Regards,

DK

I don't understand what I'm supposed to do with mysqli_real_escape_string....


Debbie

[DoubleDee]

Also, as you already know apply, htmlentities() to the title when echo'ing to prevent XSS.

I have to use htmlentities() for ALT and TITLE attributes?!


Debbie

[ScallioXTX]

I have to use htmlentities() for ALT and TITLE attributes?!


Debbie

Yes. See PM.