#1 durangod (Senior Coder)

    sanitize file_get_contents

    On an internal system; it would be a company in-house tool, so not for the public masses, but definitely an in-house-only tool for management, so it will only be used by those who have an interest in protecting their own data. They won't sabotage their own stuff, I'm sure, lol.

    Is there any reason to sanitize file_get_contents, and if so, how do I do it? I can't use real_escape as it totally distorts the file view. It will also be viewed on screen as well as stored.

    Mostly PHP and HTML files and some text docs.

    I read the docs on file_get_contents and didn't see anywhere that they sanitized it, so I'm going to play around with this a bit and check the view results, but I wanted to see what you all thought here as well.
    Last edited by durangod; 09-08-2011 at 02:58 PM.

  • #2 Regular Coder
    Best to make your code secure even if this is for an in-house tool.

    Can you clarify what you would sanitize? The file path? The output?

  • #3 durangod (Senior Coder)
    Hi, thanks. It is the actual file content. It is a file revision tool, so the actual contents of the PHP file will be displayed on the screen as well as saved in the DB under revision keys, and I'm also able to use a diff tool on it.

    And that is the issue: with it being the actual file being displayed, it really gets funky using the escape (or specialchars or strip_tags, which I didn't plan on using, just testing the output). I even tried addslashes because of my global settings and it's still funky, lol.

    Without any sanitation at all it's perfect, right from the DB to the screen. But it would be nice to sanitize it somehow; it's just probably not gonna happen, ya know.

  • #4 tangoforce (Senior Coder)
    You only really need to sanitize it for insertion into the DB not for displaying on screen.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!


  • #5 durangod (Senior Coder)
    Thanks, Tango, and good morning to you. I guess I'm always worried about some file data getting corrupted somehow and then executing some JavaScript or something when it executes the display file. And that's why I was saying this is an in-house tool, and I guess I really could spend my life chasing my own tail, ya know. Sometimes I guess you have to put the monkey on their back and just assume they won't corrupt their own data, lol.

    Thanks for the input, Tango. I hope you have a great day, bud.

  • #6 tangoforce (Senior Coder)
    JavaScript is a different scenario, and for that you may indeed want to strip it out (you could use regular expressions, or search for <script and </script> and delete everything from start to end).

    Morning

  • #7 Regular Coder
    If you are displaying the text in a web browser then simply use htmlspecialchars(); there will be no possibility that any JavaScript within the text will execute.
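    As an added example (not code from the thread or its posters), here is the pattern that #4 and #7 describe put together: read the file with file_get_contents(), store the raw bytes through a prepared statement instead of addslashes() or a real_escape function (so the stored revision is byte-identical and still diffs cleanly), and apply htmlspecialchars() only at the moment the content is rendered into HTML. The in-memory SQLite table named `revisions`, the function names and the sample file content are all assumptions made for this example; nothing in it comes from the original tool.

```php
<?php
// Added example, not from the thread. Assumes PHP with PDO and the sqlite driver.
declare(strict_types=1);

// Constructed sample "file" (stands in for a PHP file under revision control).
// It deliberately contains a <script> tag, an on* attribute and both quote styles.
$sampleContent = <<<'EOT'
<?php
$name = $_GET['name'];
echo "<b>Hello $name</b>";
?>
<script>alert('boo')</script>
<a href='x' onclick="doSomething()">link</a>
EOT;

// Write it to a temp file so the read path is the same file_get_contents() the OP uses.
$tmpPath = tempnam(sys_get_temp_dir(), 'rev');
file_put_contents($tmpPath, $sampleContent);

// Hypothetical revisions table, created in memory so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE revisions (id INTEGER PRIMARY KEY, path TEXT, content TEXT, created_at TEXT)');

// Store: the driver handles quoting, so the bytes go in unchanged. No addslashes(),
// no real_escape, so the stored copy is not distorted and a diff tool sees the real file.
function storeRevision(PDO $pdo, string $path, string $content): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO revisions (path, content, created_at) VALUES (:path, :content, :created)'
    );
    $stmt->execute([':path' => $path, ':content' => $content, ':created' => gmdate('c')]);
    return (int) $pdo->lastInsertId();
}

function loadRevision(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT content FROM revisions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['content'];
}

// Render: escape only here. &, <, >, " and ' become entities, so the browser prints the
// source verbatim and never parses <script> or onclick as markup. ENT_SUBSTITUTE avoids
// htmlspecialchars() returning an empty string if the file has invalid UTF-8 bytes.
function renderForBrowser(string $content): string
{
    return '<pre>' . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Round trip: read -> store -> load, then confirm nothing was altered along the way.
$raw = file_get_contents($tmpPath);
$id = storeRevision($pdo, 'inc/hello.php', $raw);
$stored = loadRevision($pdo, $id);
if ($stored !== $raw) {
    throw new RuntimeException('stored revision differs from the file that was read');
}

echo renderForBrowser($stored);
unlink($tmpPath);
```

    The split matters because "sanitizing" is context-specific: the DB layer needs values bound as parameters, while the HTML layer needs entity encoding, and doing either one in the other's place (or at read time) is what corrupts the displayed file. Keeping the raw bytes as the stored truth also means the diff output stays meaningful.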


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •