sanitize file_get_contents
  • Resolved sanitize file_get_contents

    On an internal system, it would be a company in-house tool, so not for the public masses but definitely an in-house-only tool for management, so it will only be used by those that have an interest in protecting their own data. They won't sabotage their own stuff, I'm sure lol..

    Is there any reason to sanitize file_get_contents, and if so, how to do it? Can't use real escape as it totally distorts the file view. It will also be viewed on the screen as well as stored.

    Mostly PHP and HTML files and some text docs.

    I read the docs on file_get_contents and didn't see anywhere they sanitized it, so I'm going to play around with this a bit and check the view results, but I wanted to see what you all thought here as well.
    Last edited by durangod; Sep 8, 2011, 09:58 AM.
    I am not crazy, my computer had me checked but its on dialup and im still waiting for results :)
    A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
    durangod is short for durango dave

  • #2
    Best to make your code secure even if this is for an in-house tool.

    Can you clarify what you would sanitize? The file path? The output?



    • #3
      Hi, thanks. It is the actual file content. It is a file revision tool, and so the actual contents of the PHP file will be displayed on the screen as well as saved in the DB under revision keys, and also able to use a diff tool on it.

      And that is the issue: with it being the actual file being displayed, it really gets funky using the escape (or specialchars or strip_tags, which I didn't plan on using, just testing the output). I even tried addslashes because of my global settings and it's still funky lol.

      Without any sanitation at all it's perfect, right from the DB to the screen. But it would be nice to sanitize it somehow; it's just prob not gonna happen, ya know.



      • #4
        You only really need to sanitize it for insertion into the DB not for displaying on screen.
        "Tango says double quotes with a single ( ' ) quote in the middle"
        '$Name says single quotes with a double ( " ) quote in the middle'
        "Tango says double quotes ( \" ) must escape a double quote"
        '$Name single quotes ( \' ) must escape a single quote'



        • #5
          Thanks Tango, and good morning to you. I guess I'm always worried about some file data getting corrupted somehow and then executing some JavaScript or something when it executes the display file. And that's why I was saying this is an in-house tool, and I guess I really could spend my life chasing my own tail, ya know. Sometimes I guess you have to put the monkey on their back and just assume they won't corrupt their own data lol.

          Thanks for the input Tango, I hope you have a great day bud.



          • #6
            JavaScript is a different scenario, and for that you may indeed want to strip it out (you could use regular expressions, or search for <script and </script> and delete everything from start to end).

            Morning



            • #7
              If you are displaying the text in a web browser then simply use htmlspecialchars(); there will be no possibility that any JavaScript within the text will execute.

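The approach the thread converges on (#4: protect the database insert; #7: escape at output time rather than altering the file) can be put together in one small PHP script. This is an added example, not code from the thread or from durangod's revision tool; it assumes the pdo_sqlite extension and uses an in-memory SQLite database plus a constructed sample file so it runs stand-alone. The point it shows is that the stored revision stays byte-exact (so a diff tool sees the real file), while the copy shown in the browser is escaped so any <script> or other markup in the file is rendered as text instead of being parsed. For contrast, it also shows why stripping tags before storage (the approach #6 suggests) changes the stored revision: strip_tags removes the PHP tags along with the HTML, which is exactly the "distorted file view" problem from the first post.

```php
<?php
// Added example: keep revisions byte-exact, protect the DB insert with a
// prepared statement, and escape only at display time.
declare(strict_types=1);

// Constructed sample standing in for file_get_contents($path) on a revision.
// It deliberately contains PHP, HTML and a script tag so the escaping is visible.
$sample = "<?php echo 'hello'; ?>\n<b>bold</b>\n<script>alert(1)</script>\n";

function storeRevision(PDO $db, string $path, string $contents): int
{
    // The placeholder binds $contents as data, so quotes or SQL-looking text
    // inside the file cannot change the statement, and nothing is escaped or
    // altered in the stored copy.
    $stmt = $db->prepare(
        'INSERT INTO revisions (path, contents, created_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$path, $contents, date('c')]);
    return (int) $db->lastInsertId();
}

function loadRevision(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT contents FROM revisions WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

function renderRevision(string $contents): string
{
    // Escape at output time only. ENT_QUOTES covers both quote styles and
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently blanking the output.
    return '<pre>'
        . htmlspecialchars($contents, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</pre>';
}

// Schema for the in-memory database used by this example (assumed table layout).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE revisions (' .
    'id INTEGER PRIMARY KEY, path TEXT, contents TEXT, created_at TEXT)'
);

$id     = storeRevision($db, 'app/index.php', $sample);
$stored = loadRevision($db, $id);

// Stored bytes are identical to the file, so a diff against it is exact.
echo 'stored copy matches file: ';
var_dump($stored === $sample);

// The browser receives the tags as text; it never parses the <script> element.
echo renderRevision($stored), "\n";

// For contrast: altering content before storage loses the original file.
// strip_tags removes the PHP and HTML tags, so the result no longer matches.
$stripped = strip_tags($sample);
echo 'strip_tags output matches file: ';
var_dump($stripped === $sample);
```

The division of labour is the whole trick: the database layer is protected by parameter binding, the browser is protected by htmlspecialchars() on the way out, and the file itself is never modified, so the "real escape distorts the file view" problem disappears. If the tool also emits the contents anywhere other than an HTML page (a JSON API, a JavaScript string, an attribute), that context needs its own encoding at that output point; htmlspecialchars() is the right answer only for HTML body text like the <pre> block here.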
