"Allowed HTML" -- anyone got a quick explanation?

Software provider says some HTML opens db to hacking

ypsites

3:14 am on Jun 1, 2005 (gmt 0)

Hi everyone.

I've got a feeling this might be a sort of dumb question (at least for someone who's been online a while), so let me apologize first for that! However, I'm stumped, so I'm hoping someone can help me out.

I'm using a commercial software pkg to run a new site I'm building. It's based on a mysql db. I'm wanting to include the option to post content featuring % (e.g., "widgets at 25% off"), but the software provider says this is a security risk with the db. They are telling me that they will give me the instructions for how to allow this ... but it's a "do at your own risk" kind of thing.

Could someone give me a quick explanation for the technical issue that causes this symbol to be helpful to hackers if we allow it to be used in the html on our site (and in our db)?

THANKS for even a shove in the right direction. I tried searching WebmasterWorld first but couldn't find anything ... perhaps because I'm not even sure yet how to ask.

YPS

freeflight2

3:33 am on Jun 1, 2005 (gmt 0)

Tell them to go to their local bookstore and buy a PHP/Perl book for beginners explaining how to sanitize user input correctly ;)
I don't believe '%' could be a security issue besides in a runaway "select ... like '%'" perhaps.

ypsites

4:01 am on Jun 1, 2005 (gmt 0)

Would it make a difference if the info were being submitted to the db in a form? I probably should have mentioned that in my original post ....

carguy84

8:09 pm on Jun 2, 2005 (gmt 0)

There's always a risk when using a database, but so long as you use some sort of HTML encoder when posting form data to the DB, you shouldn't have any trouble with characters.

About the only newbie mistake, which I have made many times in the past, is not watching out for SQL injection.

Chip-
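Putting freeflight2's "runaway LIKE" point and carguy84's injection and encoder points together, here is an added example that is not part of the thread. It uses Python with an in-memory SQLite database standing in for the PHP/MySQL setup the poster describes; the table, sample posts and helper names are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample content, including the "25% off" case from the question.
SAMPLE_POSTS = [
    "widgets at 25% off",
    "gadgets at 50% off",
    "free shipping on orders over $100",
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    # Parameter binding: the value travels separately from the SQL text, so a
    # quote, a % or anything else in the post cannot alter the statement.
    conn.executemany("INSERT INTO posts (body) VALUES (?)", [(p,) for p in SAMPLE_POSTS])
    conn.commit()
    return conn


def escape_like(term, esc="\\"):
    """Make % and _ literal inside a LIKE pattern (pair with the same ESCAPE char)."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_naive(conn, term):
    # Bound (so not injectable), but % and _ in the term still act as wildcards:
    # a search for "%" returns every row, which is the "runaway LIKE" problem.
    cur = conn.execute("SELECT body FROM posts WHERE body LIKE ?", ("%" + term + "%",))
    return [row[0] for row in cur]


def search_literal(conn, term):
    # Escaped pattern: the user's % is matched as a real percent sign.
    pattern = "%" + escape_like(term) + "%"
    cur = conn.execute("SELECT body FROM posts WHERE body LIKE ? ESCAPE '\\'", (pattern,))
    return [row[0] for row in cur]


def render(body):
    # Encode on output so stored text is displayed by the browser, not interpreted.
    return html.escape(body, quote=True)
```

Storing the % is never the risk; building SQL by string concatenation is. Bind the value on the way in, escape wildcards only when the text is used as a LIKE pattern, and HTML-encode on the way out.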