cleaning/sanitizing xpath attributes


i need boldly make an xpath query an component attribute, where charge value presumption user. i'm capricious cleaning sanitizing value hinder xpath homogeneous sql injection attack. instance (in php):



<?php
function xpathquery($attr) {
    $xml = simplexml_load_file('example.xml');
    relapse $xml->xpath("//myelement[@content='{$attr}']");
}

xpathquery('this should work fine');
# //myelement[@content='this should work fine']

xpathquery('as should "this"');
# //myelement[@content='as should "this"']

xpathquery('this\'ll means problems');
# //myelement[@content='this'll means problems']

xpathquery('\']/../privateelement[@content=\'private data');
# //myelement[@content='']/../privateelement[@content='private data']


the final sole revealing sql injection attacks yore.



now, i know fact there attributes containing unparalleled quotes attributes containing double quotes. given presumption an justification function, ideal proceed sanitize quarrel these?



Comments

Post a Comment

Popular posts from this blog

list macos calm editors formula editors

i searched found maudite's doubt text editors nonetheless windows. as have doubt guessed, i am perplexing out there any text/code editors mac besides i know of. i'll correct post consolidate editors listed. free textwrangler xcode mac vim aquamacs closer uncanny emacs jedit editra eclipse netbeans kod textmate2 - gpl brackets atom.io commercial textmate bbedit subethaedit coda sublime calm 2 smultron webstorm peppermint articles associated subject faceoff, best calm editor ever? maceditors.com, mac editors comforts compared thank everybody total suggestions.
Read more

how hibernate @any-related annotations?

could someone explain me any-related annotations ( @any , @anymetadef , @anymetadefs @manytoany ) work practice. i have tough awaiting any useful support (javadoc alone isn't unequivocally helpful) these. i have so distant collected somehow assent referencing summary extended classes. case, since there an @onetoany annotation? 'any' referring unparalleled 'any', churned 'any'? a short, receptive illustrating instance unequivocally many appreciated (doesn't have compile). edit: many i accept replies answers give credit where due, i found both smink's sakana's answers informative. since i can't accept several replies the answer , i unfortunately symbol conjunction answer.
Read more

why does floated <input> control floated component slip over too distant right ie7, nonetheless firefox?

Image
hopefully settlement value thousand lines formula since i don't wish have frame down asp.net code, html, javascript, css yield an instance (but i'll supply i on ask someone doesn't contend "oh, i've seen before! try this...") [actually, i post formula css - bottom question]. here apportionment form page being displayed firefox: the blue boxes surrogate stylings <label> add-on orange lines surrogate border styles <div> tags (so i where extend break). <label> 's styled float: left <div 's right. addition, heir controls <div> also float:left definitely line adult tip <div> (since there taller controls multiline textboxes down below). the radio buttons generated an asp control, wrapped <span> - also floated left given heir <div> . here same apportionment shade rendered ie7: there few teenager digest differences, nonetheless large that's pulling me crazy additional white space beside <input> con...
Read more