+ 1
Escaping Harmful characters before storing in database
Is that all the web server does before storing the data inside the database? (I used Python.) (It does it in order to avoid an XSS attack)... Sample Input: (sololearn blocks me for typing it here... just use these signs: < and > with "script" in the middle etc..)

code:

```python
# Global: characters to replace and their stand-ins. The first two are the
# standard HTML entities; the remaining four are made-up tokens, not real entities.
symbs = {'<': '&lt;', '>': '&gt;', '"': '&dqt', "'": '&qt', '(': '&lbr', ')': '&rbr'}


def encode(text):
    # Replace every listed character with its stand-in; other characters are kept.
    for char in text:
        text = text.replace(char, symbs.get(char, char))
    return text


def decode(text):
    # Reverse the substitution by replacing each stand-in with its character.
    for key, value in symbs.items():
        text = text.replace(value, key)
    return text


def main():
    text = input('> ')
    print("Encoded:", encode(text))
    print("Decoded Again: ", decode(encode(text)))


if __name__ == '__main__':
    main()
```
4 Answers
0
You need to escape any semicolons as well. If you're using SQL, a " ; " can be used to end a SQL statement, then new code can be added on to it. This is known as a SQL injection attack, which can be harmful to a database in many ways (deletion, extraction of data).
+ 1
More or less, yes, at least for making sure input data doesn't contain malicious code. If it's sensitive password data, of course it would be run through a hash algorithm, but this functions in just the same way as real_escape_string in PHP and its analogs in other languages.
As long as your code checks for and removes characters indicative of HTML, JS, or SQL code, it can't function as intended, so you'll be safe from these basic attacks.
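An added example, not from the original post or either answer, showing the usual division of labour: the text is stored unchanged through a parameterized query, so quotes and semicolons need no escaping at all, and HTML escaping is done at output time with Python's standard library. The table name and the two sample inputs are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample inputs: a script tag like the one in the question, and a
# comment containing a quote and a semicolon, the characters the first answer
# worries about.
SAMPLES = [
    '<script>alert(1)</script>',
    "O'Reilly; DROP TABLE comments; --",
]


def open_db():
    """In-memory SQLite database with a single comments table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_comment(conn, body):
    """Store the text exactly as typed. The '?' placeholder passes the value
    to the driver separately from the SQL text, so a quote or semicolon in
    the value can never become part of the statement."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid


def load_comment(conn, comment_id):
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row[0] if row else None


def render_comment(body):
    """Escape for the HTML context only when rendering, using the entities
    (&lt; &gt; &amp; &quot; &#x27;) that browsers actually decode."""
    return html.escape(body, quote=True)


def roundtrip(body):
    """Store, reload and render one comment.
    Returns (stored text, rendered HTML, number of rows in the table)."""
    conn = open_db()
    cid = store_comment(conn, body)
    stored = load_comment(conn, cid)
    count = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return stored, render_comment(stored), count


if __name__ == "__main__":
    for sample in SAMPLES:
        stored, rendered, count = roundtrip(sample)
        print("stored  :", stored)
        print("rendered:", rendered, "| rows:", count)
```

Because the database holds the original text, the same comment can later be rendered for a different context (JSON, a plain-text e-mail) without first undoing an HTML-specific encoding.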
0
BootInk yeah, I know.. thanks...
But in general, is this code similar to what it is like in real life?
0
BootInk Thanks