How to clean array before writing in database?

[Papillon]

Hello,

in the model file I get some post data from a form:

Code: Select all

$data = JRequest::get( 'post' );

In the controller.php I get the model and store it to the database:

Code: Select all

$model = $this->getModel( 'form' );
if ($model->store())
        {
            $msg = JText::_( 'Empfehlung gesendet' );
        } else ...

After looking into the database I see that html tags are stripped, but backslashes are still there. Do I  have to do something like "addslashes" to make it secure or is this safe enough?

Thanks for your answers and reading my bad english. I hope that you are understanding what I mean.

Papi

[AmyStephen]

Papi -

I am not able to answer that question, but I want to point out How to make your Joomla! addon more secure, a wiki resource that the core developers put together. I am guessing you will find help in that. If you don't though, let us know. Someone else certainly can help with your question.

Thanks!
Amy

[jlleblanc]

If your model is eventually using the store() function of JTable objects to add data to the database, it should automatically escape your variables with slashes.

[Papillon]

Thank you for your answers!

@Amy:
I like this ressource very much but I think that some of the parts are especially written for Joomla 1.0. The framework of Joomla 1.5 relieves us some of the work, but I don't know exactly which work in my case.

@jlleblanc:
I am using in the model some code from weblinks:

Code: Select all

function store()
    {
        $row =& $this->getTable( );
    
        $data = JRequest::get( 'post' );
        // Bind the form fields to the table
        if (!$row->bind($data)) {
            $this->setError($this->_db->getErrorMsg());
            return false;
        }
    
        // Make sure the record is valid
        if (!$row->check()) {
            $this->setError($this->_db->getErrorMsg());
            return false;
        }
    
        // Store the table to the database
        if (!$row->store()) {
            $this->setError($this->_db->getErrorMsg());
            return false;
        }
    
        return true;
    }

I noticed in weblinks when saving the description the same problem (is it a problem?): html tags are stripped but the special characters are not escaped:
This text

Code: Select all

<strong>This is a path: "../html/joomla/components" and this is a backslash \</strong>

is saved in the database as

Code: Select all

This is a path: "../html/joomla/components" and this is a backslash \

Should'nt it be like this?

Code: Select all

This is a path: \"..\/html\/joomla\/components\" and this is a backslash \\

Thanks for helping me.

Papi

[CirTap]

Hi,

any requirement to strip special characters depend on the context, input source, and output target.
If you'd dump this description text as an argument to an external program (ie. via shell) there could indeed be issues with the slashes if they're not further escaped/quoted, but the content in this case is supposed to be used as a "text node" in an HTML or XML document, hence / and \ can be considered "save characters" for this target medium.

Have fun,
CirTap

[Papillon]

Hello CirTap,

thank you for the answer and the explication. This helps me a lot.

Greetings
Papi

[jlleblanc]

Yeah, you're using JTable, it's escaping them.

When you save the escaped variables to the database, the extra slashes do not appear in them. The SQL string going to the database will contain them, but you won't see them in the final database listing.

To get your HTML to come through, make sure that you pass JREQUEST_ALLOWHTML as your second parameter to get():

Code: Select all

$data = JRequest::get( 'post', JREQUEST_ALLOWHTML);

However, you must make sure that the HTML is from a trusted source (trusted authenticated user, admin, etc...). It is generally not a good idea to accept straight HTML from anonymous sources if the HTML will be redisplayed back on your website (especially with Javascript XSS attacks).

[Papillon]

Thank you for the clarification, Joseph. I don't want to accept Html from the form. I only noticed that html is stripped and the rest isn't escaped.
Hence

Code: Select all

$data = JRequest::get( 'post');

is the right thing to me.

[bascherz]

Papi -

I am not able to answer that question, but I want to point out How to make your Joomla! addon more secure, a wiki resource that the core developers put together. I am guessing you will find help in that. If you don't though, let us know. Someone else certainly can help with your question.

Thanks!
Amy

Whoa! Great information. BUT GUESS WHAT?! When I went to the link in Amy's post I was not logged in and yet I saw "Edit" links all over the page!! I am sure this was unintentional.

EDIT: This occurs with all pages rooted at http://dev.joomla.org/component/option,com_jd-wiki
I am logged into the forum only, not into dev.joomla.org and I am able to see "Edit" links. Is this intentional? If so, we can start adding content from this group NOW! But my guess is that this is an oversight on someone's part.

[Chris Davenport]

Don't panic!!!  The wiki is not wide open.  Although the Edit buttons appear, if you actually try to save any changes, or even preview them, you will get "Permission Denied".

Ian has been looking into changing the access control for the wiki to allow collaborative development of the new template tutorial.  I'd also like to see an area of the dev wiki set aside for this group.  Just give us a bit of time to work through the issues.  We have to be careful as the joomla.org domain is high-volume and is under constant attack by spammers.

Regards,
Chris.

[Rogue4ngel]

That would be outstanding Chris.  With the collective work we have so far in this forum, I can forsee it being quite a work that will be a wonderful resource for our joombies!

Thanks for your efforts on this.