bjlt (Senior Member, 1144 Posts)
Posted - 08 December 2002 : 12:46:45
While studying the Snitz code, I have several questions on the function chkString. Thank you for your time first.
1. displayimage
Case "displayimage"
fString = Replace(fString, " ", "")
fString = Replace(fString, """", "")
fString = Replace(fString, "<", "")
fString = Replace(fString, ">", "")
chkString = fString
exit function
I think the replace here is to filter out hazardous code; then is it sufficient, as we do more filtering in ReplaceImageTags? I'm sorry that I'm not familiar with the hazardous methods.
2. title
Case "title"
if strAllowHTML <> "1" then
fString = HTMLEncode(fString)
end if
if strBadWordFilter = "1" then
fString = chkBadWords(fString)
end if
chkString = fString
exit function
In case "title" exit function is executed, yet later in chkString we still have: if fField_Type <> "title" then
3. decode
Case "decode"
fString = HTMLDecode(fString)
chkString = fString
exit function
It's used only in code like chkForumModerator(Forum_ID, chkString(strDBNTUserName,"decode")).
Why do we need it?
In
function chkForumModerator(fForum_ID, fMember_Name)
Dim strSql, rsChk
'## Forum_SQL
strSql = "SELECT mo.FORUM_ID "
strSql = strSql & " FROM " & strTablePrefix & "MODERATOR mo, " & strMemberTablePrefix & "MEMBERS me "
strSql = strSql & " WHERE mo.FORUM_ID = " & fForum_ID & " "
strSql = strSql & " AND mo.MEMBER_ID = me.MEMBER_ID "
strSql = strSql & " AND me." & strDBNTSQLName & " = '" & chkString(fMember_Name,"SQLString") & "'"
while in chkString("","SQLString") we have fString = HTMLEncode(fString)
It seems that we decode and then encode "strDBNTUserName" here? And though strDBNTUserName is read from a cookie, which could be manually set by the user, what's the purpose, for the users, of the HTMLEncode/decode on the name?
4. hidden: it seems that case "hidden" is not used in the code; what is it designed for?
5. Consistency of the bad word filter
It seems that we now do the bad word filter when storing the data, while still doing it when outputting it.
In FormatStr and cases "title", "pagetitle", "display", "search" we have the bad word filter, while we also do it in case "message". Filtering and then storing it in the database eliminates the need to do it on output, which should be faster, while the admins/moderators cannot see the actual bad words, which is needed on some occasions.
I think we just need to do it once, either on outputting or on storing.
6. SQLString: this is to continue the discussion in topic http://forum.snitz.com/forum/topic.asp?TOPIC_ID=39227
In case "SQLString" there's a line that reads fString = HTMLEncode(fString)
The answer to why that line is there is quoted below:
quote:
Richard Kinser
It's done the way it's done so that data already in the database won't need to be changed if the admin changes whether HTML is turned on or off. Basically we store the data in the database the same whether HTML is turned on or off.
David K
Exactly, it's safer to save HTML in an encoded format and later decode it if HTML is allowed, than to encode it when loading (should be much faster as well).
I agree with both of them; however, it seems we don't have consistency on this matter.
It seems that the display types (displayimage, pagetitle, title, urlpath, JSurlpath, display, admindisplay, edit, search; decode) are all to display data, yet in many of them we still have
if strAllowHTML <> "1" then
fString = HTMLEncode(fString)
end if
If we do HTMLEncode all the time, shouldn't we use
if strAllowHTML = "1" then
fString = HTMLDecode(fString)
end if
in the displaying cases,
while removing "if strAllowHTML = "1" then" ... "end if" in case "message", and always doing HTMLEncode to store forum data?
7. Also in CleanCode the last line is
fString = Replace(fString, "'", "'")
Why do we need it?
Thanks in advance.
HuwR (Forum Admin, United Kingdom, 20595 Posts)
Posted - 08 December 2002 : 14:55:39
1) ReplaceImageTags is used by FormatStr and not by chkString; they have different functions.
2) Probably because the exit function was added later than the if statement was used. What you have to remember is that we do not re-write all the code every time there is a release, so there will always be redundant code in the files.
3) Because it obviously needs to be HTMLDecoded, and none of the other chkString functions do only that.
4) Redundant code.
5) It is done this way for compatibility with older data where the bad word filter was different.
6) Richard already explained this.
7) No idea, since it doesn't do anything; it either should be changed or is a mistake.
bjlt (Senior Member, 1144 Posts)
Posted - 08 December 2002 : 16:05:38
Thanks HuwR. I'm afraid I still have some questions.
1) To my understanding, both the filtering in ReplaceImageTags and "displayimage" are to remove hazardous characters. Is it because we have Replace(fString, " ", "") in displayimage that we don't need to filter other characters like is done in ReplaceImageTags?
3) It's OK to have a decode function there, but I wonder why it's used, and it seems to be the only use of it: chkForumModerator(Forum_ID, chkString(strDBNTUserName,"decode"))
Thanks to Snitz, now I can read ASP code pretty well, yet I'm not a programmer and I failed to see the obviousness. To my understanding, strDBNTSQLName is supposed to be the username, which is entered into the database using chkString(trim(Request.Form("Name")),"SQLString"), while in SQLString we always do HTMLEncode. Then in chkForumModerator(Forum_ID, chkString(strDBNTUserName,"decode")) we do HTMLDecode. But the SQL string in chkForumModerator, strDBNTSQLName & " = '" & chkString(fMember_Name,"SQLString"), does HTMLEncode.
strDBNTUserName = trim(Request.Cookies(strUniqueID & "User")("Name"))
strDBNTFUserName = trim(chkString(Request.Form("Name"),"SQLString"))
if len(strDBNTFUserName) = 0 then strDBNTFUserName = trim(chkString(Request.Form("User"),"SQLString"))
In docookie we use Response.Cookies(strUniqueID & "User")("Name") = strDBNTFUserName
Let's say we have a username <; it's stored in the db as &lt;, in the cookie it's &lt;, after chkString(strDBNTUserName,"decode") it's <, then in the SQL of chkForumModerator it is encoded again as &lt; and compared with the data in the database.
Besides all that, a username now cannot have < or > in it.
I know strDBNTUserName is from the cookie and should be checked, and chkForumModerator is a security function, and nothing's wrong with better security. I just wonder why we decode and then encode to compare it with encoded characters?
6) Yes, I've read Richard's reply. My question is, if we always store it encoded so that we don't need to alter the data if the admin turns HTML on/off, why don't we do it in case "message", which should be the major part of the database?
And if it's always encoded, shouldn't we have code like "if HTML is on then decode it" somewhere? I see no such code.
Edited by - bjlt on 10 December 2002 11:23:11
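An added illustration, not Snitz code, of two points from the posts above: question 6 in the first post (store text HTML-encoded once and decode only at display time when HTML is allowed, so the stored data never changes when the admin toggles the setting) and question 3 in the reply above (the cookie-supplied name is decoded and then re-encoded before being compared with the stored, encoded value). Python's html.escape/html.unescape stand in for HTMLEncode/HTMLDecode; that is an assumption, and the real functions may differ in detail. One detail matters here: html.escape also escapes "&", which is exactly what makes the decode step before the comparison significant.

```python
# Added illustration (not Snitz code) of:
#   (a) encode once at storage time, decode at display only if HTML is allowed;
#   (b) canonicalise a cookie-supplied name (decode, then re-encode) before
#       comparing it with the stored, encoded value.
# html.escape/html.unescape are stand-ins for HTMLEncode/HTMLDecode (assumption).
import html


def store(user_input: str) -> str:
    """Encode once at storage time, regardless of the allow-HTML setting."""
    return html.escape(user_input, quote=True)


def display(stored: str, allow_html: bool) -> str:
    """Decode at output time only if HTML is allowed; otherwise show as stored."""
    return html.unescape(stored) if allow_html else stored


def canonical_name(name_from_cookie: str) -> str:
    """Decode then re-encode: a raw value and an already-encoded value both
    end up in the stored form. Mirrors decode -> SQLString in the thread."""
    return html.escape(html.unescape(name_from_cookie), quote=True)


def moderator_match(stored_name: str, cookie_name: str, canonicalise: bool) -> bool:
    """Simulate the WHERE clause comparison in chkForumModerator.

    With canonicalise=False the cookie value is only encoded, which double-encodes
    a value that already contains entities and the comparison fails."""
    if canonicalise:
        candidate = canonical_name(cookie_name)
    else:
        candidate = html.escape(cookie_name, quote=True)
    return candidate == stored_name


def demo() -> dict:
    """Constructed sample data: a message and a username containing '<'."""
    stored_msg = store("<b>hi</b>")
    stored_name = store("<")        # "&lt;", as the login form stored it
    cookie = stored_name            # docookie writes the already-encoded name
    return {
        "stored": stored_msg,
        "html_off": display(stored_msg, False),
        "html_on": display(stored_msg, True),
        "match_with_decode": moderator_match(stored_name, cookie, True),
        "match_without_decode": moderator_match(stored_name, cookie, False),
        "match_raw_cookie": moderator_match(stored_name, "<", True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The decode step is what keeps the comparison stable whether the cookie arrives already encoded (as docookie writes it) or as a raw "<" that someone set by hand. The flip side of the storage policy is that display(stored, True) re-introduces the raw markup, so the allow-HTML switch is the one place where stored text becomes live HTML; anything that must stay inert regardless of that switch needs to be handled before storage, not by the display decode.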
bjlt (Senior Member, 1144 Posts)
Posted - 08 December 2002 : 16:52:50
I have several more questions:
8. Why don't we need fString = replace(fString,"+","#043;") in case "title" while we do in case "display"?
I think "title" is just a kind of display, and it might be entered by the user as well?
bjlt (Senior Member, 1144 Posts)
Posted - 10 December 2002 : 06:14:48
Anyone would like to help me on these questions?
David K (Junior Member, 494 Posts)
Posted - 10 December 2002 : 16:50:31
display can work with links, title doesn't
bjlt (Senior Member, 1144 Posts)
Posted - 10 December 2002 : 22:25:48
Thanks. I did a search on the net but I couldn't find an answer to why it's needed to replace(fString,"+","#043;") if we want to work with links. Anyone would like to explain it to me?
Thanks in advance.
How about my question on the only use of "decode"?
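An added illustration, not Snitz code and not David K's explanation, of one concrete mechanism consistent with "display can work with links, title doesn't": in a form-encoded query string a "+" means a space, so a literal "+" that ends up inside a link is read back by the server as " ". Writing it as the numeric character reference &#043; keeps it a "+" for the HTML renderer while no raw "+" appears in the markup. The thread shows the replacement as "#043;"; the form "&#043;" (with the ampersand) used here is an assumption.

```python
# Added illustration (not Snitz code) of why a raw "+" is fragile in link text:
# application/x-www-form-urlencoded treats "+" as a space on the way back in.
import html
from urllib.parse import parse_qs, urlencode


def query_roundtrip(value: str) -> str:
    """What a server sees when `value` is pasted raw into a query string."""
    return parse_qs("q=" + value)["q"][0]


def safe_query_roundtrip(value: str) -> str:
    """Correct URL handling: percent-encode on the way out, decode on the way in."""
    return parse_qs(urlencode({"q": value}))["q"][0]


def plus_to_entity(text: str) -> str:
    """Assumed form of the replace(fString, "+", "#043;") step from the thread."""
    return text.replace("+", "&#043;")


def rendered(text: str) -> str:
    """What the browser displays for entity-bearing text."""
    return html.unescape(text)


if __name__ == "__main__":
    sample = "C++"   # constructed sample: a value that contains a literal "+"
    print("raw in query string  :", repr(query_roundtrip(sample)))        # 'C  '
    print("percent-encoded      :", repr(safe_query_roundtrip(sample)))   # 'C++'
    print("as entity in markup  :", repr(plus_to_entity(sample)))         # 'C&#043;&#043;'
    print("rendered by browser  :", repr(rendered(plus_to_entity(sample))))  # 'C++'
```

A plain title is never placed back into a URL, so the substitution buys nothing there; a display field that can carry links is where a lost "+" would show up as a broken or altered link.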