Data validation / xss
nskwortsow
Posts: 120, Questions: 0, Answers: 0
Hi,
Does Editor clean (e.g. mysql_escape(); or intval();) data before executing a SQL query with user-submitted values, to prevent XSS attacks?
Where can I find this in the documentation?
Thanks,
Nate
This discussion has been closed.
Replies
The PHP implementation that Editor comes with uses PDO exclusively for the database connection (the driver architecture means that the old mysql_* functions of PHP, or any other non-PDO method, could be used, but they are not at this time). `bindValue` is the PDO method used ( http://php.net/manual/en/pdostatement.bindvalue.php ) for ensuring values are added to the database safely (see the 'Query.php' file in the database drivers directory in Editor).
Also, Editor very specifically does not simply echo back any values that were sent to the server - a prime vector for scripting attacks.
In summary, I'm not aware of any security issues at this time. Having said that, like all software, it's virtually impossible to guarantee it is risk free, and if any issues are found we'll fix them as a priority, but we've certainly had security in mind while writing it!
Allan
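The two controls Allan describes, parameter binding through PDO `bindValue` on the database side and not echoing raw values back into HTML on the browser side, shown as an added example. This is not Editor's own code and is not taken from the thread: the `staff` table, its rows, the in-memory SQLite connection and the function names are all constructed for illustration, and the unsafe variant is included only as the 'before' that the bound query replaces.

```php
<?php
// Added example, not Editor's own code: a parameterised PDO query next to the
// string-concatenated version it replaces, plus output escaping for anything
// rendered back into HTML. The SQLite in-memory database, the `staff` table
// and its rows are constructed sample data so the script runs offline.

declare(strict_types=1);

function openSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO staff (name) VALUES ('Alice'), ('Bob')");
    return $pdo;
}

// 'Before': the user-supplied value becomes part of the SQL text, so the
// database cannot distinguish data from query structure. A value containing
// a quote and an OR clause changes the WHERE condition itself.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM staff WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 'After': the SQL text is fixed at prepare() time and the value travels
// separately through bindValue(), typed as a string. This is the PDO method
// Allan points to; the value is only ever compared as a literal name.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM staff WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric keys are bound as PDO::PARAM_INT rather than pasted into the SQL
// after an intval(): the type is enforced at the binding, not by the caller.
function findByIdSafe(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM staff WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side. Parameter binding protects the database; it does nothing for
// the browser. Any value rendered into HTML (including one that came from the
// request) is escaped so it is shown as text rather than parsed as markup.
function renderCell(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$pdo = openSampleDb();
$hostile = "Alice' OR '1'='1"; // constructed input that breaks out of the quotes

// The unsafe query matches every row; the bound query matches none, because
// no staff member is literally named "Alice' OR '1'='1".
printf("unsafe: %d row(s)\n", count(findByNameUnsafe($pdo, $hostile)));
printf("safe:   %d row(s)\n", count(findByNameSafe($pdo, $hostile)));
printf("by id:  %s\n", findByIdSafe($pdo, 2)['name'] ?? 'none');
echo renderCell('<script>alert(1)</script>'), "\n";
```

Run it with `php example.php`. Two caveats a practitioner would add: on pdo_mysql the default is client-side prepare emulation, so set `PDO::ATTR_EMULATE_PREPARES` to `false` if you want the binding done by the server; and binding only covers values, never identifiers, so a user-controlled column name or `ORDER BY` target still has to be checked against a fixed allow-list before it goes anywhere near the SQL text.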