PHP: Best Security Techniques for Displayed Information?

In PHP, I know that using parameterized queries is the best way to prevent SQL injection.

But what about sanitization of user input that will be used for other purposes, for example:

  • Returned to the user (potential cross-site scripting vector)
  • Email addressing or message body filling

Is htmlentities() the best way to sanitize for use without a database? What is considered best practice here?

+7
security php sanitization user-input
4 answers

In PHP the best XSS filter:

    htmlspecialchars($_POST['param'], ENT_QUOTES);

The reason you also need to encode quotes is that you don't need <> for some XSS. For example, this is vulnerable to XSS:

    print('<A HREF="http://www.xssed.com/' . htmlspecialchars($_REQUEST['xss']) . '">link</a>');

You do not need <> to execute JavaScript in this case, because you can use onmouseover. Here is an example attack:

    $_REQUEST['xss'] = '" onMouseOver="alert(/xss/)"';

ENT_QUOTES takes care of the double quotes.

Email is a bit different: JavaScript should not be executed by the email client, and if it is, your site will not be affected because of the same-origin policy. But to be safe, I would still use htmlspecialchars($var, ENT_QUOTES);. HOWEVER, the PHP mail() function can succumb to another type of vulnerability called CRLF injection. Here is an example of a vulnerability from PHP-Nuke. If you have a function call as follows: mail($fmail, $subject, $message, $header); then you need to make sure that the user cannot enter \r\n in $header.

Vulnerable code:

    $header = "From: \"$_GET[name]\" <$ymail>\nX-Mailer: PHP";

Fixed:

    // str_replace() needs the replacement ("") as its second argument; strip CR and LF from the user value
    $_GET['name'] = str_replace(array("\r", "\n"), "", $_GET['name']);
    $header = "From: \"$_GET[name]\" <$ymail>\nX-Mailer: PHP";

+5

You can also look at HTML Purifier, which will strip any dangerous HTML code and leave safe input. You can also create your own rules about which HTML to allow / disallow.

http://htmlpurifier.org/

+2

Well, you can first create rules for certain fields. For example, an email should consist only of letters, numbers, @ (at-symbol? what is it really called) and periods, so you can't create XSS from it and you don't need to spend resources on htmlentities() or htmlspecialchars().

+1

No,

1) prepared statements are not a solution for SQL injection. In most cases, prepared statements involve variable binding and, therefore, transparent escaping, which is an effective way to prevent SQL injection.

2) you DO NOT sanitize the input - you sanitize the output. Validate your input by all means (for example, make sure that the start date is before the end date), but the data representation should only be changed at the place where it leaves your PHP code. The way you sanitize data written directly into HTML is different from how you sanitize data written into a URL, the way you sanitize data written into a JavaScript string variable, the way you sanitize data inserted into an SQL query is different from how you sanitize data before sending it to the modem, ...

... what are you going to do? create all possible data representations? Create a universal data view?

http://xkcd.com/327/

FROM.

0

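As an added example (not code from any of the answers above), this encodes one untrusted value for each output context the last answer lists and refuses CR/LF in a mail header value before it can reach mail(); the escapeFor() and mailHeaderValue() helpers and the sample inputs are my own constructions.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs standing in for $_GET / $_POST values.
$name    = '" onmouseover="alert(1)';          // attribute-breaking XSS payload
$from    = 'Alice Example';                    // harmless display name
$subject = "Hello\r\nBcc: victim@example.com"; // CRLF header-injection attempt

// Context-specific output encoding: the value is stored unmodified and
// escaped only at the point where it leaves PHP.
function escapeFor(string $value, string $context): string
{
    switch ($context) {
        case 'html':   // text between tags
        case 'attr':   // inside a quoted (single or double) attribute value
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case 'url':    // a query-string parameter value
            return rawurlencode($value);
        case 'js':     // a JavaScript string literal inside a <script> block
            return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        default:
            throw new InvalidArgumentException("unknown output context: $context");
    }
}

// A mail header value must be a single line: refuse rather than silently strip,
// so the caller can log the attempt instead of sending a mangled header.
function mailHeaderValue(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('CR or LF not allowed in a mail header');
    }
    return $value;
}

echo '<a href="/profile?name=' . escapeFor($name, 'url')
   . '" title="' . escapeFor($name, 'attr') . '">'
   . escapeFor($name, 'html') . "</a>\n";
echo '<script>var who = ' . escapeFor($name, 'js') . ";</script>\n";

try {
    $header = 'From: "' . mailHeaderValue($from) . '" <noreply@example.com>';
    echo $header, "\n";
    mailHeaderValue($subject);   // throws: the subject contains "\r\n"
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same $name renders harmlessly in all four HTML/JS contexts, while the header check rejects the subject outright, which is the behaviour to prefer over str_replace() when the input is hostile rather than merely malformed.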