  1. #1 SitePoint Evangelist

    simulated attack

    I am simulating an attack and I can't figure out why htmlspecialchars() is causing a parse error as in:

    PHP Code:
    $char = htmlspecialchars("while (1) alert ("Gotcha!");",ENT_COMPAT); 

  2. #2 cpradio
    You need to escape your quotes around Gotcha!, like so:
    PHP Code:
    $char = htmlspecialchars("while (1) alert (\"Gotcha!\");",ENT_COMPAT); 

  3. #3 SitePoint Evangelist
    Thanks cpradio, but I was experimenting with different character combinations that a user might use accidentally or on purpose.

    I've never looked specifically at how dbl quotes work their way through PHP as a form input or a hack. I just assumed they'd be processed. I know I should've known better. They don't work for me without escaping. Obviously they won't work for a user for the same reason.

    I did discover that unescaped dbl and single quotes as a form input results in no data being placed in a table. I didn't know that explicitly.

    I suppose that counts as a problem solved even though it wasn't ever a problem. I'll just count the last hour towards my 10,000. Am I there yet? lol

  4. #4 cpradio
    If you don't mind me asking, what are you simulating an attack against? Your database?

  5. #5 SitePoint Evangelist
    Yea. Nothing too rigorous or even necessarily functional. I'm just double checking what I know for a feel and what I know for a fact and deciding which characters I'll allow to be input. By nature I'm way too trusting and don't get or want to get the whole evil genius thing, but I know they're out there.

    I suppose I'm just trying to keep the self-inflicted wounds to a minimum (second time, shame on me).

  6. #6 cpradio
    If you post your query execution, there are several people here who can help you secure it (if it needs it). For example, if you are using PHP, you can utilize PDO to ensure you are not susceptible to SQL injection attacks.
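An added example (not code from the thread or from cpradio) of the PDO approach suggested above. It assumes the SQLite PDO driver and uses an in-memory database so it runs stand-alone: the test string from post #1 is stored with a prepared statement, its quotes survive intact (the case post #3 saw dropped), and htmlspecialchars() is applied only when the value is printed back into HTML.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension;
// an in-memory database stands in for whatever database the poster uses.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// The string from post #1. Wrapping it in single quotes is an alternative to
// backslash-escaping the inner double quotes as cpradio showed.
$gotcha = 'while (1) alert ("Gotcha!");';
// A second constructed value mixing single and double quotes.
$inputs = [$gotcha, "O'Reilly's \"test\" input"];

// Parameter binding: the value travels separately from the SQL text, so a
// quote inside the data can never end the string literal in the query.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
foreach ($inputs as $value) {
    $insert->execute([':body' => $value]);
}

// Read the rows back and confirm every quote was stored literally.
$rows = $pdo->query('SELECT body FROM comments ORDER BY id')
            ->fetchAll(PDO::FETCH_COLUMN);
if ($rows !== $inputs) {
    throw new RuntimeException('stored values differ from the input');
}

// Output escaping is a separate, later step: htmlspecialchars() turns the
// quotes into entities so the stored text is inert when placed in HTML.
foreach ($rows as $body) {
    echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

Storing and escaping are independent concerns: the prepared statement protects the query, and htmlspecialchars() protects the page the value is later rendered into.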

  7. #7 SitePoint Evangelist
    Thanks, I'll do that when I'm ready. Do I post it in the PHP forum?

  8. #8 cpradio
    Yes, if your code is PHP, put it there. We won't need to see any connection details, just the code you are using that queries your database.

  9. #9 SitePoint Evangelist
    Thanks again!

    Niche
