Dan wrote:
I've always heard it is bad if you let a user type some input, then show
it back to them w/o sanitizing the code. E.g. I have a form, where the
user types something, they hit submit and it submits to itself then
prints back to the user something like, account created with password:
whatever they typed.
Why and how do you sanitize what they typed before echoing it back to
them? I figured it was something like they could type in PHP commands
but I tried typing phpinfo(); into the box and submitting. All that
happened is that it echoed phpinfo();
Can someone explain this?
The main danger is Javascript. If a user can submit some Javascript to
your site that it then outputs to other users you've got yourself one
big security hole.
As for sanitizing content, the easy rule is to use htmlentities when you
output it. That will effectively neutralise any HTML tags they've used,
including scripts.
If you want to allow a subset of HTML then you need to be very careful
because Javascript can be attached to any tag through events. There are
plenty of resources on the web describing the various methods you can
use to do it safely. I usually use a very restricted set of tags and
strip anything else.
Finally make sure you test it thoroughly. Try entering every combination
of invalid content you can, and also make sure you give it to the
smartest friend you have to do the same - ideally someone who's had
nothing to do with the development. Other people will always be more
devious than you are when it comes to trying to break your code.
-Stut
--
http://stut.net/
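The escape-on-output rule from the reply above, written out as a small PHP script. This is an added example, not code from either poster: the form field name, the helper name e() and the sample input are assumptions. It uses htmlspecialchars(), which escapes only the characters that matter to an HTML parser; htmlentities(), as Stut suggests, works the same way for this purpose but also converts other non-ASCII characters.

```php
<?php
// Added example (not from the original thread): echo user input back to
// the browser without letting the browser treat it as HTML or script.

// Escape a string for insertion into HTML element content or into a
// double-quoted attribute value. ENT_QUOTES also escapes single quotes,
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning "",
// and the explicit charset keeps multibyte input from being mis-decoded.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for the value Dan's form posts.
// The fallback string is the classic test case for unescaped output.
$password = $_POST['password'] ?? '<script>alert("xss")</script>';

header('Content-Type: text/html; charset=UTF-8');

// UNSAFE: the browser parses the tags in $password and runs the script.
// echo "Account created with password: $password";

// SAFE: the same text is shown literally, e.g. &lt;script&gt;alert(...)
echo 'Account created with password: ' . e($password) . "\n";

// Escaping matters inside attributes too, e.g. when refilling the form
// after a validation error. The quotes around the value are required so
// that an unquoted space cannot start a new attribute.
echo '<input type="text" name="password" value="' . e($password) . '">' . "\n";

// Why phpinfo(); came back harmlessly: PHP never evaluates request data
// as PHP code. The risk is the *browser* interpreting the echoed text as
// HTML, which is what e() prevents.
```

Run it from the command line (php -S localhost:8080 and post to the script, or just php script.php for the fallback input) and view the source of the response: the angle brackets and quotes arrive as entities, so the markup is displayed rather than executed. Note that PHP's strip_tags() with an allowed-tag list keeps the attributes on the tags it allows, so on its own it does not address the event-handler problem Stut describes for the "allow a subset of HTML" case.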
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php