iRev Input Validation Libraries

Ralf Bitter rabit at dimensionB.de
Sat Sep 18 09:08:54 EDT 2010


Just to clarify:
active record database queries are escaped automatically by revIgniter,
not by the server engine. Obviously the revIgniter user guide is
capable of being misunderstood here. I will change that.

Regarding XSS attacks:
revIgniter comes with a Cross Site Scripting Hack prevention filter
which can either run automatically to filter all POST and COOKIE data
that is encountered, or you can run it on a per item basis.

Cheers

Ralf


On 18.09.2010, at 09:57, Monte Goulding wrote:

>> I'm thinking this should suffice where the "positive match" is A-z plus 0-9, comma, period and exclamation mark... if allowed should suffice, but then I may need to deal with SQL injection (PostgreSQL) also. If there is no ";" then nothing can happen. But I know it is more complicated than that.
> 
> 
> According to the revIgniter docs when using the placeholder SQL syntax the db external escapes the variable/array element for you and therefore protects you from SQL injection. I can't find that in the rev docs but I imagine Ralf has investigated.
> 
> Cheers
> 
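As an added illustration (not code from this thread, from revIgniter or from LiveCode), here is the "positive match" check Monte describes placed beside a placeholder query and output encoding, in Python with an in-memory SQLite table standing in for PostgreSQL; the `messages` table, its rows and the `render` helper are constructed for the example, and the character class is written as A-Za-z because the range A-z also admits the six ASCII characters between Z and a.

```python
import html
import re
import sqlite3

# Allowlist ("positive match") from the thread: letters, digits, comma, period
# and exclamation mark. Written as A-Za-z on purpose: the range A-z would also
# admit the six ASCII characters between 'Z' and 'a' ([ \ ] ^ _ `).
ALLOWED = re.compile(r"[A-Za-z0-9,.!]+")


def is_allowed(value: str) -> bool:
    """True only if value is non-empty and every character is on the allowlist."""
    return ALLOWED.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the PostgreSQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?)",
        [("alice", "Hello, Bob!"), ("bob", "<b>hi</b>")],
    )
    return conn


def find_messages(conn: sqlite3.Connection, author: str) -> list[str]:
    """Validate first, then query through a placeholder: the driver hands the
    value to the engine separately from the SQL text, so it is never spliced
    into the statement and quoting characters in it cannot alter the query."""
    if not is_allowed(author):
        raise ValueError("author contains characters outside the allowlist")
    rows = conn.execute(
        "SELECT body FROM messages WHERE author = ?", (author,)
    ).fetchall()
    return [body for (body,) in rows]


def render(body: str) -> str:
    """Output encoding for HTML, the complement to filtering input: applied at
    the point where stored text is written into a page, whatever its origin."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    db = make_db()
    for body in find_messages(db, "bob"):
        print(render(body))
```

The allowlist and the placeholder are independent layers: the first rejects anything outside the expected character set (including the apostrophe, which is what breaks out of a quoted literal with no semicolon involved), and the second keeps data out of the SQL text even for values the allowlist was never applied to.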