[Israel.pm] RegEx in HTML Character

Sagiv Barhoom sagivba at 012.net.il
Tue Jan 29 09:43:42 PST 2008


Hi
AFAIK SQL injections can be prevented in most of the cases using bind
variables. I said "in most of the cases" since SQL injection is based on
dynamic SQL code. Such code can be generated both by appending strings to an
SQL string: q{select name from users_tbl where  id='$ID'}
(in this case the injection is trivial: $ID=q{' or 1=1})
and also in other places, such as ref cursors or EXECUTE IMMEDIATE in Oracle
packages.

About XSS prevention: one effective way to prevent an XSS attack is to encode
the output before displaying it in the browser. For example you might want to:

use HTML::Entities; # and then to
print "user name is : ", HTML::Entities::encode($user_name_from_the_DB);

Blue Skies Clear Air Sagiv


On Monday 28/1/2008, Georges EL OJAIMI wrote:
> Hello,
>
> I am customizing my own RTE and trying to reduce it to only 4 elements,
> in order to prevent HTML characters and SQL injection into the database. I
> modified the tags like the following:
>
> [b]bold[/b]
>
> [i]italic[/i]
>
> [u]underline[/u]
>
> [url=http://www.url.com]url[/url]
>
> I want to replace each tag on the fly by its real HTML tag while displaying
> it to the end user.
>
> Is there a way to replace all these tags by their equivalents? I am having
> problems detecting the brackets []
>
> Best regards,
> Georges
>
> _______________________________________________
> Perl mailing list
> Perl at perl.org.il
> http://perl.org.il/mailman/listinfo/perl



-- 
Blue skies, clear air
Sagiv
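The bind-variable point above, as an added example that is not part of the original post. It assumes Perl DBI with DBD::SQLite installed (an in-memory database with constructed sample rows), and uses a quote-balanced variant of the post's payload so that the injected expression parses. The vulnerable and hardened queries sit side by side:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data: an in-memory SQLite database (assumes DBD::SQLite
# is installed; any DBI driver with placeholder support behaves the same).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users_tbl (id TEXT PRIMARY KEY, name TEXT NOT NULL)');
$dbh->do(q{INSERT INTO users_tbl (id, name) VALUES ('alice', 'Alice')});
$dbh->do(q{INSERT INTO users_tbl (id, name) VALUES ('bob', 'Bob')});

# Vulnerable form: $id is interpolated into the SQL text, so a quote in the
# input closes the literal and whatever follows is parsed as SQL.
sub names_by_id_unsafe {
    my ($id) = @_;
    my $sql = qq{select name from users_tbl where id='${id}'};
    return $dbh->selectcol_arrayref($sql);
}

# Hardened form: the SQL text is a constant with a ? placeholder; $id is sent
# as a bind value and is compared as data, never parsed as SQL.
sub names_by_id_safe {
    my ($id) = @_;
    my $sql = q{select name from users_tbl where id=?};
    return $dbh->selectcol_arrayref($sql, {}, $id);
}

# The payload from the post with its quotes balanced, so the interpolated
# statement becomes: where id='' or '1'='1'
my $payload = q{' or '1'='1};

for my $id ('alice', $payload) {
    my $unsafe = eval { names_by_id_unsafe($id) } || [];
    my $safe   = names_by_id_safe($id);
    printf "id=%-16s unsafe -> [%s]   bind -> [%s]\n",
        "'$id'", join(', ', @$unsafe), join(', ', @$safe);
}
```

Run it and compare the two columns: the interpolated query returns every user for the payload, while the bound query returns nothing because no row has that literal id. The caveat in the post still holds: a placeholder only protects the statement it appears in, so SQL assembled inside stored procedures (ref cursors, EXECUTE IMMEDIATE) has to be checked separately.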


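The output-encoding approach above, applied to Georges' four pseudo-tags, as an added example that is not code from the original post. It assumes HTML::Entities (the module the post names) and constructed sample inputs; the tag names and the URL character set are choices made here, not something the post specifies. The text is entity-encoded first and the whitelisted tags are translated afterwards, so the only markup in the output is what the function itself emits:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Translate the four permitted pseudo-tags into HTML at display time.
# Everything is entity-encoded first, so the only angle brackets in the
# output are the ones this function emits for tags it recognises.
sub bbcode_to_html {
    my ($text) = @_;

    # Step 1: neutralise every '<', '>', '&', '"' and "'" the user typed.
    my $html = encode_entities($text);

    # Step 2: the three formatting tags. '[' and ']' are regex
    # metacharacters, so they are escaped as \[ and \]. The non-greedy (.*?)
    # stops at the first closing tag; /s lets the content span line breaks.
    $html =~ s{\[b\](.*?)\[/b\]}{<b>$1</b>}gs;
    $html =~ s{\[i\](.*?)\[/i\]}{<i>$1</i>}gs;
    $html =~ s{\[u\](.*?)\[/u\]}{<u>$1</u>}gs;

    # Step 3: links. Only http(s) URLs built from a restricted character set
    # are accepted, so a "javascript:" scheme never reaches an href, and since
    # quotes were encoded in step 1 the attribute cannot be closed early.
    # A [url=...] that does not match is left as harmless encoded text.
    $html =~ s{\[url=(https?://[A-Za-z0-9./?=&;_%:#~+-]+)\](.*?)\[/url\]}
              {<a href="$1">$2</a>}gs;

    return $html;
}

# Constructed inputs: benign markup, tag injection, a bad scheme, and an
# attempt to break out of the href attribute.
my @samples = (
    'Hello [b]bold[/b] and [i]italic[/i] with [u]underline[/u]',
    'Visit [url=http://www.url.com]url[/url] for more',
    '<script>alert(1)</script> and [b]<img src=x onerror=alert(1)>[/b]',
    '[url=javascript:alert(1)]click[/url]',
    q{[url=http://www.url.com" onmouseover="alert(1)]x[/url]},
);

print bbcode_to_html($_), "\n" for @samples;
```

The order of the two steps is the whole point: encoding after the tag substitution would turn the generated <b> and <a> back into text, and substituting before encoding would let a user-supplied "<script>" through untouched. Note that this conversion is an output-side control only; the raw "[b]...[/b]" text still has to be stored with bind variables, as described above, since tag filtering does nothing against SQL injection.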
