cleaning/sanitizing xpath attributes


i need boldly make an xpath query an component attribute, where charge value presumption user. i'm capricious cleaning sanitizing value hinder xpath homogeneous sql injection attack. instance (in php):



<?php
function xpathquery($attr) {
    $xml = simplexml_load_file('example.xml');
    relapse $xml->xpath("//myelement[@content='{$attr}']");
}

xpathquery('this should work fine');
# //myelement[@content='this should work fine']

xpathquery('as should "this"');
# //myelement[@content='as should "this"']

xpathquery('this\'ll means problems');
# //myelement[@content='this'll means problems']

xpathquery('\']/../privateelement[@content=\'private data');
# //myelement[@content='']/../privateelement[@content='private data']


the final sole revealing sql injection attacks yore.



now, i know fact there attributes containing unparalleled quotes attributes containing double quotes. given presumption an justification function, ideal proceed sanitize quarrel these?



Comments

Post a Comment

Popular posts from this blog

why does floated <input> control floated component slip over too distant right ie7, nonetheless firefox?

Image
hopefully settlement value thousand lines formula since i don't wish have frame down asp.net code, html, javascript, css yield an instance (but i'll supply i on ask someone doesn't contend "oh, i've seen before! try this...") [actually, i post formula css - bottom question]. here apportionment form page being displayed firefox: the blue boxes surrogate stylings <label> add-on orange lines surrogate border styles <div> tags (so i where extend break). <label> 's styled float: left <div 's right. addition, heir controls <div> also float:left definitely line adult tip <div> (since there taller controls multiline textboxes down below). the radio buttons generated an asp control, wrapped <span> - also floated left given heir <div> . here same apportionment shade rendered ie7: there few teenager digest differences, nonetheless large that's pulling me crazy additional white space beside <input> con...
Read more

grails record upload problems

i'm perplexing heed record upload formula grails website, i'm controlling problems. i'm controlling same formula found . here code: <g:form action="upload" method="post" enctype="multipart/form-data"> <input type="file" name="myfile" /> <input type="submit" value="upload" /> </g:form> and def upload = { def f = request.getfile('myfile') if(!f.empty) { flash.message = 'success' } else { flash.message = 'file can't empty' } } i'm receiving following blunder during runtime: message: signature method: org.mortbay.jetty.request.getfile() convenient justification types: (java.lang.string) values: {"myfile"} caused by: groovy.lang.missingmethodexception: signature method: org.mortbay.jetty.request.getfile() convenient justification types: (java.lang.string) values: {"myfile"} ...
Read more

how i emanate permitted url asp.net mvc?

how i beget permitted urls within asp.net mvc framework? example, we've got url looks this: http://site/catalogue/browsebystylelevel/1 the 1 id inspect turn (higher case) browse, nonetheless i'l reformat url same proceed does it. for example, twin urls take same place: edit: permitted biased url referred slug .
Read more