Last post Mar 31, 2009 10:03 PM by AmyZ
Mar 31, 2009 07:28 PM | AmyZ
Hi there, I'm looking for some advice on whether it is safe for me to use the FCK editor.
I'm using FCK editor where anybody can enter details which are then passed to my database. I then check the details before they are displayed on my website.
How safe is this? Is it possible for people to enter malicious script which will affect my database, website or computer? (Is this called SQL injection or cross site scripting?) If so, is there any way to filter or remove this malicious script (without removing the formatting tags)? Possibly by looking at the text entered when it is not formatted?
I'm just looking at the editor I'm using to write this text and wondering how I am stopped from entering some script or HTML?
Are there any other safety issues I need to be aware of when using FCK editor?
Any advice would be hugely appreciated :-)
Mar 31, 2009 07:46 PM | tatsky
I have used FCK Editor on a lot of websites without issue.
Entering HTML isn't really an issue, unless of course you then display that HTML on your page somewhere unchecked and the HTML includes some <style> tags etc. which could affect the layout of your entire page. Imagine this HTML being rendered
That could ruin your pages.
I would check for script tags and rip them out. I am not sure if FCK editor does this for you anyway.
As for SQL injection, this is a complex area but here is a very simplistic example. Say you have some code like this:
string mySQL = "Insert into content (htmlContent) values('" + FCKEditor.Xhtml + "')";
All well and good. But imagine if someone typed the following into the editor:
'; drop table users;
then the resulting SQL would be:
Insert into content (htmlContent) values(''; drop table users;')
The semicolon (;) denotes an end to the SQL statement, so the first statement here would error:
Insert into content (htmlContent) values('';
but the next one would cause you some problems if you had a users table in your database:
drop table users;
This is a very simple example. People can do all sorts of SQL injection, and use error messages to glean information about your database structure.
To stop this form of attack you can do the following:
string mySQL = "Insert into content (htmlContent) values(@htmlContent)";
then use a SqlCommand and declare the SqlParameter.
As this is a parameterised query, a string isn't being built up from bits of input data, and so there is less risk of a bad query being written like above.
Does this make sense and help at all?
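As an added example (not code from the thread or from FCKeditor), here is the concatenated insert from the post beside a parameterised version using SqlCommand and SqlParameter. The table and column names follow the post; the connection string, the class name and the sample input are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original thread. Assumes a table
// "content" with a column "htmlContent" as in the post above.
public static class ContentRepository
{
    // Vulnerable: the editor's HTML is concatenated straight into the
    // SQL text, so a quote or semicolon in the input becomes part of
    // the statement. Shown only to contrast with InsertContent below.
    public static string BuildUnsafeSql(string editorHtml)
    {
        return "Insert into content (htmlContent) values('" + editorHtml + "')";
    }

    // Safe: the HTML travels as a typed parameter value, never as SQL
    // text, so quotes and semicolons in it cannot change the statement.
    // Returns the number of rows affected (1 on success).
    public static int InsertContent(string connectionString, string editorHtml)
    {
        const string sql =
            "INSERT INTO content (htmlContent) VALUES (@htmlContent)";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Declare the type and length explicitly; -1 means NVARCHAR(MAX),
            // so a long editor document is not silently truncated.
            cmd.Parameters.Add("@htmlContent", SqlDbType.NVarChar, -1).Value = editorHtml;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample input, the same as in the post above.
        string hostile = "'; drop table users;";

        // The concatenated version now contains two statements.
        Console.WriteLine(BuildUnsafeSql(hostile));

        // The parameterised version stores the text as a single value
        // (connection string is a placeholder; replace with your own).
        // InsertContent("Server=.;Database=MyDb;Integrated Security=true", hostile);
    }
}
```

Parameterising protects the database; the stored HTML still needs to be cleaned of script tags before it is rendered on the page, as the post notes.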
Mar 31, 2009 10:03 PM | AmyZ
Beauty! You explained everything brilliantly and it makes perfect sense! Thank you so much! [:D]