+ 1

Escaping Harmful characters before storing in database

Is that all the web server does before storing the data inside the database? (I used Python) (it does it in order to avoid an XSS attack)... Sample Input: (sololearn blocks me for typing it here... just use these signs: < and > with "script" in the middle etc..) code: # Global: symbs = {'<': '&lt', '>': '&gt', '"': '&dqt', "'": '&qt', '(': '&lbr', ')': '&rbr'} def encode(text): for char in text: text = text.replace(char, symbs.get(char, char)) return text def decode(text): for key, value in symbs.items(): text = text.replace(value, key) return text def main(): text = input('> ') print("Encoded:", encode(text)) print("Decoded Again: ", decode(encode(text))) if __name__ == '__main__': main()

python website web-storage xss

20th Jul 2021, 1:23 PM

Yahel

4 Answers

You need to escape any semicolons as well. If you're using SQL, a " ; " can be used to end a sql statement, then new code can be added on to it. This is known as a SQL injection attack, which can be harmful to a database in many ways (deletion, extraction of data).

20th Jul 2021, 3:01 PM

BootInk

+ 1

More or less, yes, at least for making sure input data doesn't contain malicious code. If it's sensitive password data, of course it would be run through a hash algorithm, but this functions in just the same way. as real_excape_string in php and its analogs in other languages. As long as your code checks for and removes characters indicative of html, js, or sql code, it can't function as intended, so you'll be safe from these basic attacks.

20th Jul 2021, 6:32 PM

BootInk

BootInk yeah, I know.. thanks... But in general, is this code similar to what it is in "the real life"?

20th Jul 2021, 3:18 PM

Yahel

BootInk Thanks 👍

20th Jul 2021, 6:35 PM

Yahel