Typomaniac (YaBB Newcomer, Posts: 8)
Injection Prevention
Sep 4th, 2011 at 4:29am
Hi, by the subject line I'm referring to the HTML::Entities pm module. The synopsis for the module at CPAN says:

Code (Perl)
use HTML::Entities ();
$decoded = HTML::Entities::decode($a);
$encoded = HTML::Entities::encode($a);
$encoded = HTML::Entities::encode_numeric($a);

My question is: does $a represent the field it is to affect? I ran it like it is written above and upon submitting the form the HTML source code reads the characters exactly as input, i.e., an & showed up as an &. Shouldn't it have been something like &amp;? I'm no real Perl wizard, but if I can prevent malicious input by simply running a module it would be much easier than making a substitution regex for every special char and repeating the process for each input field. I've been searching for information on using the pm but at this point can't understand what they're saying. I guess I'm just trying to find out how to use the module for HTML/SQL injection. Thanx. ~
Derek Barnstorm (Support Team, YaBB Next Team, Development Team, Beta Testers; Posts: 1,269; Location: United Kingdom)
Re: Injection Prevention
Reply #1 - Sep 4th, 2011 at 10:41pm
Hi,

Yes, I would assume so. As an example, and in its simplest form you would do something like this:

Code (Perl)
use strict;
use warnings;
use HTML::Entities ();

# Two sample strings standing in for what a form field might contain.
my $your_form_input_enc = "&& View the ' & page source & £ to see the encoded output &";
my $your_form_input_dec = "&& And this ' & is the & £ decoded output &";

# decode() turns entities back into characters; encode() and encode_numeric()
# replace special characters with named and numeric entities respectively.
my $decoded = HTML::Entities::decode($your_form_input_dec);
my $encoded = HTML::Entities::encode($your_form_input_enc);
my $encoded_numeric = HTML::Entities::encode_numeric($your_form_input_enc);

print "$encoded\n";
print "$encoded_numeric\n";
print "$decoded\n";

« Last Edit: Sep 5th, 2011 at 12:25am by Derek Barnstorm »  
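As an added example (not code from this thread or from the module's documentation): the $a in the synopsis is simply the string to be encoded, normally the value read from one form field, and the script below runs a constructed sample through the three functions using the full names the short aliases map to, so you can compare the named, numeric and attribute-only output. The sample input and the field name are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                       # the literal below contains a non-ASCII character
binmode STDOUT, ':encoding(UTF-8)';
use HTML::Entities qw(encode_entities encode_entities_numeric decode_entities);

# Constructed sample of what a form field might contain. In a CGI script this
# would be the value returned by something like $cgi->param('comment').
# Note: $a in the synopsis is just "the string to encode"; $a and $b are
# Perl's special sort variables, so use your own variable name in real code.
my $field = q{Tom & Jerry <script>alert('x')</script> costs £5};

# encode() is an alias for encode_entities(): by default it replaces the
# characters HTML treats specially (<, >, &, ", ') and every non-ASCII
# character with named entities, so the browser displays the text instead of
# parsing it as markup. This protects HTML output only; it does nothing for
# SQL, where the defence is DBI placeholders, not entity encoding.
my $named = encode_entities($field);

# encode_numeric() is an alias for encode_entities_numeric(): same set of
# characters, but written as numeric references (&#...;) instead of names.
my $numeric = encode_entities_numeric($field);

# An optional second argument names exactly which characters to encode.
# Restricting it to the five HTML metacharacters leaves £ untouched, which is
# what you want when the page is already served as UTF-8.
my $attr = encode_entities($field, q{<>&"'});

# decode() is the inverse operation: encoding then decoding gives the input back.
my $roundtrip = decode_entities($named);

print "input:   $field\n";
print "named:   $named\n";
print "numeric: $numeric\n";
print "attr:    $attr\n";
print "roundtrip ", ($roundtrip eq $field ? "ok" : "MISMATCH"), "\n";
```

The encoding belongs at the point where the value is written into the page, not when it is stored; stored text stays as typed and each output context gets its own escaping.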

Typomaniac (YaBB Newcomer, Posts: 8)
Re: Injection Prevention
Reply #2 - Sep 5th, 2011 at 1:33am
Thanx, I think what my real problem was (other than not understanding the ins and outs of the module), I was looking for a magic fix to security problems. I think I've found some really good answers now though. btw, I checked the box for being notified of replies to the topic and am not getting notification.
Derek Barnstorm (Support Team, YaBB Next Team, Development Team, Beta Testers; Posts: 1,269; Location: United Kingdom)
Re: Injection Prevention
Reply #3 - Sep 5th, 2011 at 1:51am
Typomaniac wrote on Sep 5th, 2011 at 1:33am:
btw, I checked the box for being notified of replies to the topic and am not getting notification.

Have you got email notification checked in your profile?

User CP => Profile => Options:

Quote:
Post and Board Notifications: If you check this, you will see an additional Popup alert when you visit the Board Index if you have New Board or Post Notifications.
Notify me of new Notifications by eMail?

I'm subscribed to a couple of boards here and get them fine - I did notice the server was playing up again earlier though...
« Last Edit: Sep 5th, 2011 at 1:53am by Derek Barnstorm »  

thomas winter (YaBB Newcomer, Posts: 3)
Re: Injection Prevention
Reply #4 - Sep 13th, 2011 at 8:59am
Thanks for the explanation.