
I am interested in allowing users to "share" information on my website, say something similar to a bulletin board concept. This is something I've never done before because I know that it could introduce security issues.

I'll likely be using ColdFusion as my scripting language. I'm also familiar with PHP, but am leaning towards CF because of its built-in RichText control. The database back-end will either be MySQL or SQL Server.

And so, my question boils down to this: What are the specific security issues and how do I screen user input for them? Does the method of SQL storage have any bearing (say VARCHAR vs BLOB)?

  • HTML doesn't have any special meaning for the database engine. The risk is, of course, whatever you do with it once you retrieve it. – Álvaro González Feb 23 '15 at 17:47
  • Agreed. I'm kind of looking for a heads up on some of the "gotchas" - some of the specific things I should be screening for once a user submits their information to the server. I'll likely be implementing a CAPTCHA system to guard against bots. – Michael Buckman Feb 23 '15 at 18:08
  • Possible duplicate of http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – Papasmile Feb 23 '15 at 18:50
  • Related reading http://www.smashingmagazine.com/2011/01/11/keeping-web-users-safe-by-sanitizing-input-data/ – Papasmile Feb 23 '15 at 18:51

1 Answer


We actually use a CMS for the primary pages of our site, and the heart of it uses a database vs actual files on the system. So for most of the content on our site, we actually have HTML which is being retrieved from a database.

For example

blurb.body will equal something like '<p>This is a body paragraph</p>'

Then one thing we seem to run into sometimes is a character encoding error. It seems like if someone copies some text into the CMS with a " ' " or something, there isn't anything that will convert it automatically to a '.

But yes, you should be able to do it. Just make sure whatever filtering you do going into the database is reversed correctly on its way out.

cchapman
  • Do you have any tips on security - like preventing cross-site scripting or other attempts to introduce malicious code when that information is displayed to the end user? – Michael Buckman Feb 23 '15 at 18:51
  • @MichaelBuckman are the webpages full-featured and in need of scripts? If not, deactivate / remove all script-tags. – Alex Feb 23 '15 at 20:14
  • How do you deal with the situation in which someone includes HTML tags in their text (e.g. in the answer immediately above: "<p>This is...")? How do you prevent confusion between their intended inclusion of tags in the TEXT of their answer, and your own formatting tags? Do you escape their HTML entities? – Soferio Oct 16 '15 at 23:20
  • 1
    My impression is that the 4 core HTML entities always need to be encoded so as to differentiate user-entered tags from the true formatting tags. See e.g. the mandatory encoding in TinyMCE: http://www.tinymce.com/wiki.php/Configuration:entity_encoding. At that location it is said: "...The base entities < > & ' and " will always be entity encoded into their named equivalents. Though ' and " will only be encoded within attribute values and < > will only be encoded within text nodes. This is correct according too the HTML and XML specs...." – Soferio Oct 16 '15 at 23:38