Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Oct 2002 14:42:09 -0400
On Mon, 14 Oct 2002 20:27:49 +0200, "Sverre H. Huseby" said:
> [Valdis Kletnieks]
> | Note that this is particularly tricky if (for instance) you're
> | writing in Perl, which doesn't have an inherent maximum length,
> | but you're eventually passing it to an Oracle database that has
> | '37' as the length..
>
> Why is it tricky? If you're somehow able to force the input through
> substr($input, 0, 37), you have restricted its length.
Right. The tricky part is getting the '37' into the substr() call. And in the example I gave, your Perl-based CGI *isn't* the cause of the limit, it's a table-size issue possibly on another machine entirely.

Or maybe the problem isn't THAT Oracle table, as its limit is actually 90, but based on some OTHER parameter, there will be an extract done later that will be fed to some back-end batch process that has a limit of 37. So the tricky part is having the back-end process tell the Oracle table that its limit is 37, so the Oracle database can tell the Perl CGI "size limit of A is 90, unless the value of B is "3" in which case the limit is 37" so it can feed that info to your hypothetical API.

(Wanna guess how many times I've seen the left side of 2-up mailing labels bleed over to the right-hand set of labels because of this sort of thing? ;)

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
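A worked rendering of the "limit of A is 90, unless B is '3', in which case 37" rule discussed in this message, added here as an example and not part of the thread: the length rules are declared once in a table (in practice generated from the database or batch-layout definition, so front end and back end cannot drift apart) and the validator looks up the effective limit per record instead of hard-coding substr($input, 0, 37). It is written in Python rather than the Perl or PHP of the thread; the field names A and B and the limits 90 and 37 come from the post, while the rule-table layout, the byte-versus-character option and the sample records are constructed for the example.

```python
# Added example (not from the thread): derive a field's length limit from one
# shared rule table instead of hard-coding substr($input, 0, 37) in the CGI.
# Field names "A"/"B" and the 90/37 limits follow the scenario in the post;
# the schema layout, the byte/char unit and the sample records are constructed.
from dataclasses import dataclass
from typing import Mapping, Tuple


@dataclass(frozen=True)
class LengthRule:
    """Maximum length of one field, possibly lowered by another field's value."""
    default_max: int
    # Each override: (other_field, other_value, max_when_other_field_equals_value)
    overrides: Tuple[Tuple[str, str, int], ...] = ()
    # Back-end column and record limits are often in bytes, not characters;
    # measuring in the wrong unit lets multi-byte input slip past the check.
    unit: str = "chars"

    def max_for(self, record: Mapping[str, str]) -> int:
        """Effective limit for this record: default, lowered by any matching override."""
        limit = self.default_max
        for other_field, other_value, max_len in self.overrides:
            if record.get(other_field) == other_value:
                limit = min(limit, max_len)
        return limit

    def measure(self, value: str) -> int:
        """Length in the unit the back-end actually enforces."""
        return len(value.encode("utf-8")) if self.unit == "bytes" else len(value)


# Constructed rule table. The point is that this is the *only* place the
# numbers live; a real deployment would generate it from the column / batch
# layout definition rather than type it in by hand.
SCHEMA = {
    "A": LengthRule(default_max=90, overrides=(("B", "3", 37),), unit="bytes"),
    "B": LengthRule(default_max=1),
}


def effective_limit(field: str, record: Mapping[str, str], schema=SCHEMA) -> int:
    """What the back end will accept for `field` given the rest of the record."""
    return schema[field].max_for(record)


def validate(record: Mapping[str, str], schema=SCHEMA) -> dict:
    """Return {field: message} for every over-long field (empty dict if valid).

    Over-long input is rejected, not silently truncated, so the problem
    surfaces at the form rather than as a bled-over label downstream.
    """
    errors = {}
    for name, rule in schema.items():
        value = record.get(name, "")
        limit = rule.max_for(record)
        actual = rule.measure(value)
        if actual > limit:
            errors[name] = f"{actual} {rule.unit} exceeds limit of {limit}"
    return errors


if __name__ == "__main__":
    # Constructed sample records.
    print(validate({"A": "x" * 50, "B": "1"}))   # {} : limit for A is 90
    print(validate({"A": "x" * 50, "B": "3"}))   # A rejected: limit drops to 37
    print(validate({"A": "\u00e9" * 40, "B": "1"}))  # 40 chars but 80 bytes, still within 90
```

The two design choices worth copying are that the validator rejects rather than truncates (truncation hides the mismatch the message describes until it shows up as mangled output), and that the unit of measurement is part of the rule, since a limit expressed in bytes by the back end cannot be checked with a character count in the front end.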