Re: Echoing input w/o sanitizing - what is the danger

On Tue, August 7, 2007 4:57 pm, Dan wrote:
> I've always heard it is bad if you let a user type some input, then
> show it back to them w/o sanitizing the code.  E.g. I have a form, where
> the user types something, they hit submit and it submits to itself, then
> prints back to the user something like "account created with password:
> whatever they typed".
>
> Why and how do you sanitize what they typed before echoing it back to
> them?  I figured it was something like they could type in PHP commands,
> but I tried typing phpinfo(); into the box and submitting.  All that
> happened is that it echoed phpinfo();
>
> Can someone explain this?

You're actually conflating not one, but TWO (!) different problems.

Number 1 is to "filter input".
What that means specifically is to be sure that the user input looks
EXACTLY the way you expect.

Number 2 is to "escape output".
What that means specifically is to transform any given chunk of data
to a format suitable for its output medium.

For example, ANY output headed to the browser should have
http://php.net/htmlentities called on it.

If it's headed out to a database, it should have a database-specific
function called, such as http://php.net/mysql_real_escape_string

If it's going to be data in a GET parameter in a URL, it needs
http://php.net/urlencode called FIRST, and then htmlentities.

If it's headed to XML, however, it should have some kind of XML
function called to wrap it into CDATA or a pre-defined data type /
format.

If it's headed out to Javascript, I think you want http://php.net/json

So, you've really got TWO phases:

filter input; escape output


Why it matters is that Evil People do exist, and they WILL find a way
to cause damage to you or even to others, if you fail to do this.

Common hacks include executing SQL to damage databases, or adding
Javascript to deface websites, or even adding Javascript to use YOUR
web-site in an attack upon another website.

Here is a good starting point for some of the details of what to do
and why:
http://phpsec.org/

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
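The two phases from the reply above, written out as an added PHP example (not code from the original post); the function names and the name policy are my own assumptions:

```php
<?php
// Added example of "filter input; escape output". The helper names and the
// accepted-name rule below are assumptions, not from the original post.

// Phase 1: filter input - accept only what the form expects, reject the rest.
function filter_account_name(string $raw): ?string {
    // Assumed policy: 3-32 characters, letters, digits and underscore only.
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

// Phase 2: escape output - one function per output medium.
function for_html(string $s): string {
    // Browser output: htmlentities, with quotes escaped and an explicit charset.
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function for_url_in_html(string $s): string {
    // GET parameter inside an HTML attribute: urlencode FIRST, then htmlentities.
    return for_html(urlencode($s));
}

function for_js(string $s): string {
    // JavaScript output: json_encode produces a valid JS string literal; the
    // JSON_HEX_* flags keep it from closing a <script> block or an attribute.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample: a form field holding something other than a plain name.
$raw = $_POST['name'] ?? '<b>not a name</b>';

$name = filter_account_name($raw);
if ($name === null) {
    // Phase 1 rejected it. The raw value is still escaped before being echoed,
    // so the browser shows &lt;b&gt;not a name&lt;/b&gt; as literal text.
    echo 'Rejected name: ' . for_html($raw) . "\n";
    exit;
}

// Phase 1 passed; each destination still gets the escaping for its own medium.
echo 'Account created for ' . for_html($name) . "\n";
echo '<a href="profile.php?user=' . for_url_in_html($name) . '">profile</a>' . "\n";
echo '<script>var user = ' . for_js($name) . ';</script>' . "\n";

// Database: the reply names mysql_real_escape_string; that extension was
// removed in PHP 7, so current code uses a prepared statement instead, which
// sends the value separately from the SQL and needs no escaping (assumes a PDO $pdo):
// $stmt = $pdo->prepare('INSERT INTO accounts (name) VALUES (?)');
// $stmt->execute([$name]);
```

The point to take from it: filtering decides whether a value is accepted at all, while escaping is chosen by where the value is about to be written, so the same string gets a different transformation for HTML, for a URL and for JavaScript.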
