<p>Assuming this is going to be put into HTML content (such as between <code>&lt;body&gt;</code> and <code>&lt;/body&gt;</code> or between <code>&lt;div&gt;</code> and <code>&lt;/div&gt;</code>), you need to encode the 5 special XML characters (&amp;, &lt;, >, ", '), and OWASP recommends including slash (/) as well. The PHP builtin, <a href="http://us.php.net/htmlentities" rel="nofollow noreferrer"><code>htmlentities()</code></a> will do the first part for you, and a simple <a href="http://us.php.net/str_replace" rel="nofollow noreferrer"><code>str_replace()</code></a> can do the slash:</p>

<pre><code>function makeHTMLSafe($string) {
    // Encode &amp;, &lt;, &gt;, " and ' as HTML entities (ENT_QUOTES covers both quote styles)
    $string = htmlentities($string, ENT_QUOTES, 'UTF-8');
    // htmlentities() leaves the slash alone, so encode it separately
    $string = str_replace('/', '&amp;#x2F;', $string);
    return $string;
}
</code></pre>

<p>If, however, you're going to be putting the tainted value into an HTML attribute, such as the <code>href=</code> clause of an <code>&lt;a</code>, then you'll need to encode a different set of characters ([space] % * + , - / ; &lt; = > ^ and |)—and you must double-quote your HTML attributes:</p>

<pre><code>function makeHTMLAttributeSafe($string) {
    // ASCII codes for: space % * + , - / ; &lt; = &gt; ^ |
    $scaryCharacters = array(32, 37, 42, 43, 44, 45, 47, 59, 60, 61, 62, 94, 124);
    $translationTable = array();
    foreach ($scaryCharacters as $num) {
        // Two-digit, zero-padded hex code for the numeric entity
        $hex = str_pad(dechex($num), 2, '0', STR_PAD_LEFT);
        $translationTable[chr($num)] = '&amp;#x' . $hex . ';';
    }
    // Replace every listed character in a single pass
    $string = strtr($string, $translationTable);
    return $string;
}
</code></pre>

<p>The final concern is illegal UTF-8 characters—when delivered to some browsers, an ill-formed UTF-8 byte sequence can break out of an HTML entity. To protect against this, simply ensure that all the UTF-8 characters you get are valid:</p>

<pre><code>function assertValidUTF8($string) {
    // With the /u modifier, preg_match() returns false when the subject is not valid UTF-8,
    // so a failed match on a non-empty string means the input is ill-formed
    if (strlen($string) AND !preg_match('/^.{1}/us', $string)) {
        die;
    }
    return $string;
}
</code></pre>

<p>The <code>u</code> modifier on that regular expression makes it a Unicode matching regex. By matching a single character, <code>.</code>, we're assured that the entire string is valid Unicode.</p>

<p>Since this is all context-dependent, it's best to do any of this encoding at the latest possible moment—just before presenting output to the user. Being in this practice also makes it easy to see any places you've missed.</p>

<p><a href="http://owasp.org" rel="nofollow noreferrer">OWASP</a> provides a great deal of information on their <a href="http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet" rel="nofollow noreferrer">XSS prevention cheat sheet</a>.</p>
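The following is an added example, not code from the answer above or from OWASP. It puts the three pieces the answer describes (body-context encoding, attribute-context encoding, UTF-8 validation) together in one output-time helper, so that each value is escaped for the exact context it lands in, right before the HTML is emitted. All function names and the sample inputs are constructed for this example. Two points go beyond the answer's text: the attribute escaper generalizes the answer's character list to the OWASP cheat sheet's rule of encoding every ASCII character that is not a letter or digit as <code>&amp;#xHH;</code>, and the UTF-8 check uses the standard-library <code>mb_check_encoding()</code> rather than the <code>/u</code> regex trick, rejecting the input instead of calling <code>die</code>.

```php
<?php
// Added example, not from the answer above. Function names and sample inputs
// are constructed; the approach is the answer's context-dependent encoding.

// Body context: entity-encode & < > " ' and also the slash, as the answer does.
function escapeForHtmlBody(string $value): string
{
    $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
    return str_replace('/', '&#x2F;', $value);
}

// Attribute context (value must be placed inside double quotes by the caller).
// Generalizes the answer's list to OWASP's rule: encode every ASCII byte that is
// not [A-Za-z0-9] as &#xHH;. Bytes >= 0x80 are part of multibyte UTF-8
// sequences (already validated below) and are left untouched.
function escapeForHtmlAttribute(string $value): string
{
    return preg_replace_callback(
        '/[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\x7F]/',
        function (array $m): string {
            return sprintf('&#x%02X;', ord($m[0]));
        },
        $value
    );
}

// UTF-8 validity check: the standard-library equivalent of the answer's
// "/^.{1}/us" test. Returning a bool lets the caller decide how to fail.
function isValidUtf8(string $value): bool
{
    return mb_check_encoding($value, 'UTF-8');
}

// Render a link, validating first and escaping each piece for its own
// context at the last possible moment, as the answer recommends.
function renderLink(string $href, string $label): string
{
    if (!isValidUtf8($href) || !isValidUtf8($label)) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    return '<a href="' . escapeForHtmlAttribute($href) . '">'
         . escapeForHtmlBody($label) . '</a>';
}

// Constructed sample inputs: a label carrying markup characters and a path
// containing several characters from the attribute list.
$label = 'Tom & "Jerry" </b>';
$href  = '/profile?name=a b;c';
echo renderLink($href, $label), PHP_EOL;

// Constructed ill-formed byte sequence (0xC3 must be followed by a
// continuation byte in 0x80-0xBF); it is rejected before any output is built.
$bad = "\xC3\x28";
var_dump(isValidUtf8($bad));
try {
    renderLink($bad, 'label');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the browser decodes character references in an attribute value before treating it as a URL, the hex entities in the <code>href</code> do not break the link; they only prevent the value from breaking out of the quoted attribute. Keeping the validation step ahead of the escapers matters because both escapers operate on bytes, so an ill-formed sequence must never reach them.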