Filtering and Escaping (Was: Select and $_POST)

Richard Lynch wrote:
> Suppose PHP had a superglobal $_CLEAN which was an empty array.

This seems like a decent idea, for two reasons:

1. Developers don't have to remember to initialize their array, which offers some protection. PHP can do this for them.

2. Variable scope issues are not a concern. Currently, using this technique within functions and classes is clumsy at best.

However, most security issues like XSS and SQL injection aren't really input filtering problems. Often, input filtering can effectively eliminate these vulnerabilities (and there's no excuse to not be filtering input), but escaping addresses the root cause of the problem. For example:

<?php

header('Content-Type: text/html; charset=UTF-8');
echo htmlentities($_GET['foo'], ENT_QUOTES, 'UTF-8');

?>

Although this example demonstrates a lack of input filtering, it does not demonstrate a cross-site scripting (XSS) vulnerability.

The problem is that input is a lot easier to manage, because data is clearly identifiable as such. Output is a completely different story, because what's considered data and what isn't depends upon the context, and only the developer really knows:

<?php

$first_name = 'Chris';
$last_name = 'Shiflett';
$city = 'New York';
$state = 'NY';

$name = "<b>$first_name $last_name</b>";
$location = "<i>$city, $state</i>";

echo "<p>My name is $name, and I live in $location.</p>";

?>

If you think of this example from the perspective of echo, it's difficult to tell what part of the string is meant to be only data. In this case, the data is Chris, Shiflett, New York, and NY. The HTML tags are meant to be interpreted. As the developer, that's easy for me to know, but it's hard to make this easier to keep up with. At best, any solution requires developers to declare their intent somehow.

In the past, I've recommended simple naming conventions like Ben demonstrated earlier. These work well, but it takes a good bit of discipline. Now I'm trying to think of something better. I've also been looking around at other languages and frameworks, and I haven't found an elegant solution (meaning, they all require clumsy syntax or just as much discipline).

> What does Chris Shiflett use to validate an email? Enquiring
> minds want to know! :-)

I'm afraid I'll only disappoint you. :-)

I'm pretty lenient with email addresses and use the pattern from the PHP Cookbook (David Sklar and Adam Trachtenberg). I usually modify it to not allow angled brackets, since I don't know any email address that has those (but, they're probably OK as far as the spec goes).

I rely on escaping to protect against things like XSS and SQL injection, so the filtering just gives me reasonable assurance that the email address looks right and has a good chance of being a real email address. I always send something (password, token, etc.) to an email address if I care to make sure it works.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
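As an added example (not code from the original post), the following script puts the post's two points side by side: filtering admits input into a $clean array, and escaping is chosen per output context (HTML body, HTML attribute, URL query string, SQL). The email check swaps the PHP Cookbook regex for the built-in FILTER_VALIDATE_EMAIL plus the angle-bracket rejection the post describes; htmlspecialchars() stands in for htmlentities(). The database is an in-memory SQLite connection via PDO, and the input array is constructed sample data, both assumptions for the sake of a runnable example.

```php
<?php
// Added example, not from the original post. Assumes PHP with filter_var()
// and the pdo_sqlite extension; the input array below is constructed.

header('Content-Type: text/html; charset=UTF-8');

// --- Filtering: a lenient check that the address "looks right" ---
// Built-in validator instead of the PHP Cookbook regex, plus the post's
// extra rule of rejecting angle brackets.
function looks_like_email($input)
{
    if (strpbrk($input, '<>') !== false) {
        return false;
    }
    return filter_var($input, FILTER_VALIDATE_EMAIL) !== false;
}

// --- Escaping: one function per output context ---
function e_html($data)
{
    // HTML body text and double-quoted attribute values
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

function e_url($data)
{
    // A single value inside a URL query string
    return rawurlencode($data);
}

// Constructed sample input standing in for $_GET / $_POST.
$input = array(
    'email' => 'chris@example.com',
    'name'  => "<script>alert(1)</script> O'Neil",
);

// Filtering decides what gets into $clean; nothing is escaped yet,
// because the output context is not known at this point.
$clean = array();
if (!looks_like_email($input['email'])) {
    die('Invalid email address');
}
$clean['email'] = $input['email'];
$clean['name']  = $input['name']; // free-form text, accepted as data

// SQL context: a prepared statement keeps the query and the data apart,
// so no string escaping of the values is needed.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (email TEXT, name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (email, name) VALUES (:email, :name)');
$stmt->execute(array(':email' => $clean['email'], ':name' => $clean['name']));

// HTML context: the tags are the developer's intent, the variables are data.
$name   = '<b>' . e_html($clean['name']) . '</b>';
$mailto = '<a href="mailto:' . e_html($clean['email']) . '">'
        . e_html($clean['email']) . '</a>';
echo "<p>My name is $name, and you can reach me at $mailto.</p>\n";

// URL inside an attribute: two contexts, so two layers of escaping.
// URL-encode for the query string, then HTML-encode for the attribute.
echo '<a href="/profile.php?email=' . e_html(e_url($clean['email']))
   . '">Profile</a>' . "\n";
?>
```

Run it from the command line or under a web server; the script tag in the constructed name comes out as literal text in the page, and the row in SQLite holds the raw name unchanged, which is the point: the stored data is data, and each output context applies its own escaping when the value leaves the program.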

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
