Questions tagged [sanitization]

Data sanitization to prevent code injection

Data sanitization is used to prevent code injection problems by secure input and output handling, such as:

  1. Input validation
  2. Selective input inclusion/exclusion
  3. Escaping dangerous characters. For instance, in PHP, using the htmlspecialchars() function (converts HTML tags to their ISO-8859-1 equivalents) and/or strip_tags() function (completely removes HTML tags) for safe output of text in HTML, and mysql_real_escape_string() to isolate data which will be included in an SQL request, to protect against SQL Injection.
  4. Input encoding
  5. Output encoding
  6. Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values").
  7. Modular shell disassociation from kernel
1083 questions
25 votes, 4 answers

Strip all non-alphanumeric, spaces and punctuation symbols from a string

How can I use PHP to strip out all characters that are NOT letters, numbers, spaces, or punctuation marks? I've tried the following, but it strips punctuation. preg_replace("/[^a-zA-Z0-9\s]/", "", $str);
Tedd
24 votes, 0 answers

PHP - Sanitize values of an array

I have an array, which comes from $_POST[] and can have other arrays in it as values, like: array( 'title' => 'Title', 'data' => array( 'hdr' => 'Header', 'bdy' => 'Body' ), 'foo' => array(1, 23, 65), …
Alex
24 votes, 10 answers

Convert string into slug with single-hyphen delimiters only

I would like to sanitize a string into a URL, so this is what I basically need: Everything must be removed except alphanumeric characters, spaces and dashes. Spaces should be converted into dashes. E.g. This, is the URL! must…
Atif
22 votes, 13 answers

What is the correct way to detect whether string inputs contain HTML or not?

When receiving user input on forms I want to detect whether fields like "username" or "address" do not contain markup that has a special meaning in XML (RSS feeds) or (X)HTML (when displayed). So which of these is the correct way to detect whether…
Xeoncross
22 votes, 1 answer

Is there a better way to sanitize input with JavaScript?

I wanted to write a JavaScript function to sanitize user input and remove any unwanted and dangerous characters. It must allow only the following characters: Alphanumeric characters (case insensitive): [a-z][0-9]. Inner whitespace, like "word1…
Johann Echavarria
21 votes, 4 answers

Sanitize user defined CSS in PHP

I want to allow users to use their own stylesheets for their profiles on my forum, but I'm afraid of possible security vulnerabilities. Does anyone have any tips for sanitizing CSS? Basic process: User enters CSS into form -> Save to DB -> Output as…
Gio Borje
20 votes, 2 answers

How do I sanitize invalid UTF-8 in Perl?

My Perl program takes some text from a disk file as input, wraps it in some XML, then outputs it to STDOUT. The input is nominally UTF-8, but sometimes has junk inserted. I need to sanitize the output such that no invalid UTF-8 octets are emitted,…
Adam Thomason
20 votes, 2 answers

Angular 6 unit testing component with DomSanitizer dependency

In a unit test that just creates (instantiates) a component that has a DomSanitizer dependency, how does one mock / stub this dependency? Because DomSanitizer is an abstract class, I have no idea what the method signature of bypassSecurityTrustHtml…
Michahell
20 votes, 5 answers

Modify input before validation on Laravel 5.1

I'm trying to modify a user-submitted input before validation succeeds. I've followed these easy instructions, but when I test it on Laravel 5.1, it's not working. Am I doing something wrong? This is my Request class on…
Paco Orozco
20 votes, 4 answers

Preventing LDAP injection

I am working on my first desktop app that queries LDAP. I'm working in C under Unix and using OpenDS, and I'm new to LDAP. After working a while on that I noticed that the user could alter the LDAP query by injecting malicious code. I'd…
mati
20 votes, 2 answers

FILTER_FLAG_STRIP_LOW vs FILTER_FLAG_STRIP_HIGH?

In reference to the filter_var function in PHP 5: I have visited its documentation at: http://php.net/manual/en/filter.filters.sanitize.php, but I still have this question: What are the exact differences? For simpler clarification, please provide an…
Mohammad Naji
19 votes, 3 answers

PHP sanitize user data for use in header() function

Are there any escape routines that need to be applied to user data for it to be used inside PHP's header() function? E.g. for MySQL I run mysql_real_escape_string() over user data before sending it to the DB, and for output in HTML I run…
batfastad
18 votes, 5 answers

Function to sanitize input to MySQL database

I am trying to put a general-purpose function together that will sanitize input to a MySQL database. So far this is what I have: function sanitize($input){ if(get_magic_quotes_qpc($input)){ $input = trim($input); // get rid of white…
crmepham
18 votes, 6 answers

Forming sanitary shell commands or system calls in Ruby

I'm building a daemon that will help me manage my server(s). Webmin works fine, as does just opening a shell to the server, but I'd prefer to be able to control server operations from a UI I design, and also expose some functionality to end…
arbales
17 votes, 15 answers

Find duplicate addresses in database, stop users entering them early?

How do I find duplicate addresses in a database, or better, stop people already when filling in the form? I guess the earlier the better? Is there any good way of abstracting street, postal code etc. so that typos and simple attempts to get 2…
Johannes