Richard Lynch wrote:
> Suppose PHP had a superglobal $_CLEAN which was an empty array.
This seems like a decent idea, for two reasons:
1. Developers don't have to remember to initialize their array, which
offers some protection. PHP can do this for them.
2. Variable scope issues are not a concern. Currently, using this
technique within functions and classes is clumsy at best.
However, most security issues like XSS and SQL injection aren't really
input filtering problems. Often, input filtering can effectively
eliminate these vulnerabilities (and there's no excuse to not be
filtering input), but escaping addresses the root cause of the problem.
For example:
<?php
// Declare the output encoding so the escaping below matches what the browser decodes.
header('Content-Type: text/html; charset=UTF-8');
// No input filtering at all, but the value is escaped for the HTML context it is echoed into.
echo htmlentities($_GET['foo'], ENT_QUOTES, 'UTF-8');
?>
Although this example demonstrates a lack of input filtering, it does
not demonstrate a cross-site scripting (XSS) vulnerability.
The problem is that input is a lot easier to manage, because data is
clearly identifiable as such. Output is a completely different story,
because what's considered data and what isn't depends upon the context,
and only the developer really knows:
<?php
// These four values are the data.
$first_name = 'Chris';
$last_name = 'Shiflett';
$city = 'New York';
$state = 'NY';
// The tags wrapped around them are markup that is meant to be interpreted.
$name = "<b>$first_name $last_name</b>";
$location = "<i>$city, $state</i>";
// By the time echo sees this string, data and markup are indistinguishable.
echo "<p>My name is $name, and I live in $location.</p>";
?>
If you think of this example from the perspective of echo, it's
difficult to tell what part of the string is meant to be only data. In
this case, the data is Chris, Shiflett, New York, and NY. The HTML tags
are meant to be interpreted. As the developer, that's easy for me to
know, but it's hard to make this easier to keep up with. At best, any
solution requires developers to declare their intent somehow.
In the past, I've recommended simple naming conventions like Ben
demonstrated earlier. These work well, but it takes a good bit of
discipline. Now I'm trying to think of something better. I've also been
looking around at other languages and frameworks, and I haven't found an
elegant solution (meaning, they all require clumsy syntax or just as
much discipline).
> What does Chris Shiflett use to validate an email? Enquiring
> minds want to know! :-)
I'm afraid I'll only disappoint you. :-)
I'm pretty lenient with email addresses and use the pattern from the PHP
Cookbook (David Sklar and Adam Trachtenberg). I usually modify it to not
allow angled brackets, since I don't know any email address that has
those (but, they're probably OK as far as the spec goes).
I rely on escaping to protect against things like XSS and SQL injection,
so the filtering just gives me reasonable assurance that the email
address looks right and has a good chance of being a real email address.
I always send something (password, token, etc.) to an email address if I
care to make sure it works.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
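The name/location snippet from the message above, reworked as an added example (not code from the original post) so that only the data passes through an escaper chosen for the context it lands in, while the markup the developer wrote stays literal. The helper names h(), u() and j() and the sample values are assumptions made for this example.

```php
<?php
// Added example: escape the data at output, per context. The markup is ours;
// the variables are data and are never trusted to be markup.

// Escape for HTML body text and double-quoted attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a single query-string component of a URL.
function u(string $s): string {
    return rawurlencode($s);
}

// Escape for a string literal inside inline JavaScript; json_encode emits the
// surrounding quotes itself, and the HEX flags keep </script> out of the literal.
function j(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

header('Content-Type: text/html; charset=UTF-8');

// Constructed sample data standing in for values read from $_GET or a database.
// The city deliberately contains characters that mean something in HTML, URLs and JS.
$first_name = 'Chris';
$last_name  = 'Shiflett';
$city       = "Coeur d'Alene <ID>";
$state      = 'ID';

// HTML context: the <b> and <i> we wrote are markup; every variable is escaped.
$name     = '<b>' . h($first_name) . ' ' . h($last_name) . '</b>';
$location = '<i>' . h($city) . ', ' . h($state) . '</i>';
echo "<p>My name is $name, and I live in $location.</p>\n";

// URL context: the same data needs a different escaper, and the finished URL
// is then HTML-escaped again because it sits inside an attribute value.
$query = 'city=' . u($city) . '&state=' . u($state);
echo '<a href="' . h('/search.php?' . $query) . '">Search</a>' . "\n";

// JavaScript string context: a third escaper for a third context.
echo '<script>var city = ' . j($city) . ';</script>' . "\n";
```

Run from the command line with `php example.php` to see the three differently escaped forms of the same city value.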