The Holy Grail of Cleaning Input and Output in PHP

The holy grail of cleaning input and output in php?

No, there isn't.

Different modes of escaping are for different purposes. You cannot universally escape something.

For Databases: Use PDO with prepared queries

For HTML: Use htmlspecialchars()

For JSON: json_encode() handles this for you

For character sets: You should be using UTF-8 on your page. Do this, and set your databases accordingly, and watch those issues disappear.

Escaping output may help protect from which common security vulnerabilities?

Yeah, I think you're absolutely correct. I think your certification guide is wrong. Seems like a wonky question to begin with though anyway.

In both XSS and SQL Injection, the key here is that arbitrary data is used in a context without translating it to that context. In a way, this is all about disambiguating the "data" from the "command".

For HTML, the "data" is this arbitrary data that is presumably text. If you want to use text in HTML, you have to escape the reserved characters so that text isn't interpreted as HTML.

Likewise in SQL, if you're going to concatenate arbitrary values into a query, you need to make sure they don't get interpreted as part of the query itself (like quote marks or something), or you're going to have a bad day. (Better yet, fundamentally separate the data from the query itself using prepared/parameterized queries, and this becomes a non-issue.)

It makes no sense that escaping output has anything to do with SQL injection... unless that "output" is a query being output to a database server.

(Related: https://stackoverflow.com/a/7810880/362536)

Proper way to sanitize ALL posted fields?

If you are printing to the screen, then htmlspecialchars() should be fine:

echo htmlspecialchars($_POST['one']);

It converts any potentially malicious JavaScript and HTML into characters like &lt; so that it displays as text in your source code (meaning it cannot be executed) and to the user it looks like the original input displayed on the screen:

<?php
// ENT_QUOTES converts both double and single quotes as well as <, > and &
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

If you are on the other hand inserting into a database, then you will need to do some extra work.

When inserting into a database, you really need to use prepared statements (this will stop anyone doing anything funky with SQL to your database). I prefer to use PDO to make my connection.

The code will look like this (snipped from the docs on prepare):

<?php
/* $dbh is an existing PDO connection object (created with new PDO(...)) */
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
/* The values are sent separately from the query text, so they are never parsed as SQL */
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>

Is this sufficient security for user input in PHP

Once again, there is no universal escape function that just magically makes things "secure".

See this: https://stackoverflow.com/a/7810880/362536

Different escape methods are used for different things. You can't just run a bunch of data through a bunch of functions that are supposed to be used in specific contexts. You are creating garbage data, and are no more secure than you were with the raw user data in the first place.
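The point made in the answers above (there is no universal escape function; each output context gets its own encoder, and SQL gets a parameter binding instead of an encoder) as an added example written for this page. It is not code from any of the quoted answers. It assumes PHP 7.3 or later with the pdo_sqlite extension; the in-memory database, the function names and the sample string are constructed for the demonstration.

```php
<?php
// Added example: one encoder per output context. The same string is handed to
// each context in the form that context expects, so it stays "data" and is
// never read as "command". Assumes pdo_sqlite is available; the sample value
// and the in-memory table are constructed for this demonstration.

declare(strict_types=1);

// Constructed sample value with characters that are significant in HTML,
// JavaScript string literals, URLs and SQL string literals.
$value = "O'Brien <b>& \"friends\"</b>";

// HTML body or attribute context: escape the reserved characters. ENT_QUOTES
// covers both quote styles so the result is also safe inside quoted attributes.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript / JSON context: json_encode produces a valid literal. The JSON_HEX_*
// flags additionally hex-encode < > & ' " so the literal can sit inside a <script> block.
function forJs($v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query-string context: percent-encode per RFC 3986.
function forUrlParam(string $s): string
{
    return rawurlencode($s);
}

// SQL context: no escaping at all. The value is bound as a parameter, so the
// driver sends it separately from the query text and a quote inside it cannot
// terminate anything.
function storeAndFetch(PDO $db, string $s): ?string
{
    $db->exec('CREATE TABLE IF NOT EXISTS names (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

    $ins = $db->prepare('INSERT INTO names (name) VALUES (:name)');
    $ins->execute([':name' => $s]);

    $sel = $db->prepare('SELECT name FROM names WHERE name = :name');
    $sel->execute([':name' => $s]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    return $row['name'] ?? null;
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$stored = storeAndFetch($db, $value);

// Each line shows the same value in the representation its context needs.
echo "HTML: " . forHtml($value) . "\n";
echo "JS:   var name = " . forJs($value) . ";\n";
echo "URL:  /search?q=" . forUrlParam($value) . "\n";
echo "SQL:  stored and read back unchanged: " . var_export($stored === $value, true) . "\n";
```

Running it shows four different representations of one string; none of them is a "cleaned" version of the others. The value kept in the database is byte-for-byte the original, which is what makes it possible to encode it correctly for whichever context it is later shown in.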

PHP script to modify Cisco DHCP pool

Brad gave me the hints I needed to come to the required results. Thanks again.

XSS attacks, multiple html sanitization

You can't reliably sanitize user input. It's a losing battle. As soon as you think you've filtered out all the "bad" characters, someone will pass in an escape sequence or something else unexpected.

If you're using a database server, make sure all input is handled by pre-compiled stored procedures, and make sure that the user that the web app logs in as, only has EXECUTE perms. This prevents SQL injection and other mischief.

If you're worried about actual characters, make sure you have a "pass through OK characters" filter and not a "remove bad characters" filter. The number of "good characters" is finite, while the number of attack vectors is infinite.

As for your question about "<" characters, if the intended output is for user display, you can run the entire string through HttpServerUtility.HtmlEncode or its equivalent in whatever language you use. This will convert the string into code that will display properly in the browser but not be interpreted.

It doesn't look like you're having a problem escaping it, it looks like you're having a problem deciding if you need to escape it. Pick a standard and stick with it, then convert as necessary. If it normally comes in unescaped, just store it that way, and escape it when you want to display it.
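The two rules in the answer above, a "pass through OK characters" filter for fields with a known shape and "store it unescaped, escape it when you display it" for free text, as an added PHP example written for this page (the answer itself refers to .NET's HtmlEncode; this is not its code). The function names, field shapes and sample values are constructed for the demonstration.

```php
<?php
// Added example: an allow-list check for a field with a known shape, contrasted
// with a remove-bad-characters filter, plus "store raw, encode on display" for
// free text. Names and sample values are constructed for this demonstration.

declare(strict_types=1);

// Allow-list: exactly the characters a username may contain, plus a length bound.
// Anything else is rejected outright rather than "cleaned".
function isValidUsername(string $s): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $s) === 1;
}

// Deny-list for contrast: strips the few characters it happens to know about and
// passes everything else through. Its output is neither validated nor encoded,
// so it says nothing about whether the remaining text is safe in any context.
function denyListFilter(string $s): string
{
    return str_replace(['<', '>'], '', $s);
}

// Free text has no fixed shape, so it is stored exactly as received...
function storeComment(array &$store, string $comment): int
{
    $store[] = $comment;
    return count($store) - 1;
}

// ...and encoded for the context it is shown in, at the moment it is shown.
function renderComment(array $store, int $id): string
{
    return '<p>' . htmlspecialchars($store[$id], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample usernames: two conform to the allowed shape, three do not.
$samples = ['alice_01', 'x.y-z', 'al ice', "o'connor", str_repeat('a', 40)];
foreach ($samples as $s) {
    printf(
        "%-50s allow-list: %-6s  deny-list output: %s\n",
        var_export($s, true),
        isValidUsername($s) ? 'pass' : 'reject',
        var_export(denyListFilter($s), true)
    );
}

// Constructed free-text comment: stored unchanged, encoded only when rendered.
$comments = [];
$original = 'I "love" <this> & that';
$id = storeComment($comments, $original);
echo renderComment($comments, $id), "\n";
echo 'stored unchanged: ', var_export($comments[$id] === $original, true), "\n";
```

The deny-list column shows why that approach is the weaker one: it silently accepts the space, the apostrophe and the over-long name that the allow-list rejects, and it changes the stored value, so it can no longer be displayed faithfully. The comment path keeps the raw text and leaves every decision about quoting to the one place that knows the output context.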
