[Catalyst] [OT] protecting against attacks with multilingual input

Steve Atkins steve at blighty.com
Tue Dec 5 13:06:45 GMT 2006


On Dec 5, 2006, at 4:10 AM, Daniel McBrearty wrote:

> How does one do this?
>
> If you have a text input field which can be in *any* language, which
> will get stored in the db, how do you protect against script
> injection?
>
> If it's just English, I normally only accept characters from a given
> list (something like /[A-Za-z0-9]/ , plus whitespace and punctuation).
> But if the input can be in any language .... ??

If you're talking about sql injection then presumably you could do
this exactly the same as you would any other input field - use sql
placeholders in a prepared query rather than blindly pasting
untrusted input as sql.

If you're talking about html ( / javascript / whatever ) when you
redisplay the text back to the user, do you need
to do anything more complex than escape '<' before you display
it, to protect against xss?

Cheers,
   Steve
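The two points above (bind the value with a placeholder instead of pasting it into the SQL; escape on output rather than filtering the input), as an added example that is not part of the thread. It is written in Python with only the standard library so it runs stand-alone; the Perl equivalents are DBI's `?` placeholders with prepare/execute and HTML::Entities::encode_entities. The sample strings are constructed for the demo, and the unsafe path uses sqlite3's executescript() so the in-memory database behaves like a server that accepts stacked statements (an assumption for the demonstration). It also shows why escaping only '<' is not enough once the value lands inside an attribute.

```python
import html
import sqlite3

# Constructed sample inputs (not from the original thread): the same free-text
# field in several scripts, plus three hostile strings.
SAMPLES = [
    "Grüße aus Köln",
    "日本語のテキスト",
    "مرحبا بالعالم",
    "Robert'); DROP TABLE comments;--",
    '<script>alert("xss")</script>',
    '" onmouseover="alert(1)',
]

SCHEMA = "CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)"


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def store_unsafe(conn, text):
    """Pastes the untrusted text into the statement. executescript() is used
    (assumption for the demo) so sqlite3 runs stacked statements the way many
    database servers would."""
    conn.execute(SCHEMA)
    conn.executescript("INSERT INTO comments (body) VALUES ('%s');" % text)


def store_safe(conn, texts):
    """Bound parameters: the driver passes the value separately from the SQL,
    so quotes, ';' and characters from any script are data, never syntax."""
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO comments (body) VALUES (?)", [(t,) for t in texts])
    conn.commit()


def load_comments(conn):
    return [r[0] for r in conn.execute("SELECT body FROM comments ORDER BY id")]


def escape_lt_only(text):
    """Only '<' escaped, for comparison: it stops a bare <script> tag in a text
    node but does nothing against an attribute break-out, which needs no '<'."""
    return text.replace("<", "&lt;")


def render(body):
    """Escape &, <, >, double and single quotes, so the value is safe both as a
    text node and inside a double-quoted attribute. Non-ASCII passes through
    unchanged, so nothing language-specific is needed."""
    safe = html.escape(body, quote=True)
    return f'<li title="{safe}">{safe}</li>'


def injection_demo():
    """Store the hostile string via the unsafe path; returns whether the
    comments table survived."""
    conn = sqlite3.connect(":memory:")
    store_unsafe(conn, "Robert'); DROP TABLE comments;--")
    return table_exists(conn, "comments")


def demo():
    """Round-trip all samples through the safe path and render each one."""
    conn = sqlite3.connect(":memory:")
    store_safe(conn, SAMPLES)
    stored = load_comments(conn)
    return stored, [render(b) for b in stored]


if __name__ == "__main__":
    print("table survived unsafe insert:", injection_demo())
    for line in demo()[1]:
        print(line)
```

The safe path stores every sample byte-for-byte, including the Japanese and Arabic text and the "DROP TABLE" string, because nothing about the value ever reaches the SQL parser. On the output side, the attribute break-out sample passes through `escape_lt_only` untouched, while `render` neutralises it.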
