Thanks for the info Richard. I'll check out that website. Do they recommend any literature about PHP security, or is there a "bible" (one book that everyone recommends; in EE it's http://www.amazon.com/Elements-Analysis-Electrical-Electronic-Engineering/dp/0070612854) for PHP security like there usually is for whatever field you're in?

On 8/7/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
>
> On Tue, August 7, 2007 4:57 pm, Dan wrote:
> > I've always heard it is bad if you let a user type some input, then
> > show it back to them w/o sanitizing the code. E.g. I have a form, where
> > the user types something, they hit submit and it submits to itself then
> > prints back to the user something like, account created with password:
> > whatever they typed.
> >
> > Why and how do you sanitize what they typed before echoing it back to
> > them? I figured it was something like they could type in PHP commands
> > but I tried typing phpinfo(); into the box and submitting. All that
> > happened is that it echoed phpinfo();
> >
> > Can someone explain this?
>
> You're actually conflating not one, but TWO (!) different problems.
>
> Number 1 is to "filter input".
> What that means specifically is to be sure that the user input looks
> EXACTLY the way you expect.
>
> Number 2 is to "escape output".
> What that means specifically is to transform any given chunk of data
> to a format suitable for its output medium.
>
> For example, ANY output headed to the browser should have
> http://php.net/htmlentities called on it.
>
> If it's headed out to a database, it should have a database-specific
> function called, such as http://php.net/mysql_real_escape_string
>
> If it's going to be data in a GET parameter in a URL, it needs
> http://php.net/urlencode called FIRST, and then htmlentities.
>
> If it's headed to XML, however, it should have some kind of XML
> function called to wrap it into CDATA or a pre-defined data type /
> format.
>
> If it's headed out to Javascript, I think you want http://php.net/json
>
> So, you've really got TWO phases:
>
> filter input; escape output
>
> Why it matters is that Evil People do exist, and they WILL find a way
> to cause damage to you or even to others, if you fail to do this.
>
> Common hacks include executing SQL to damage databases, or adding
> Javascript to deface websites, or even adding Javascript to use YOUR
> web-site in an attack upon another website.
>
> Here is a good starting point for some of the details of what to do
> and why:
> http://phpsec.org/
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So? 
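The two phases Richard lists (filter input, then escape per output medium) applied to Dan's "account created" echo-back, as an added example that is not from the thread or from phpsec.org. The username rule, the profile link and the `<script>` line are assumptions made up for the illustration; it runs from the CLI on constructed input instead of a real `$_POST`.

```php
<?php
// Added example (not from the thread): "filter input; escape output"
// for a form that echoes what the user typed back to them.
// The unsafe version Dan describes is simply:  echo $_POST['user'];
// The browser then interprets any markup or script in that value.
declare(strict_types=1);

// Phase 1: filter input. Accept the value only if it looks EXACTLY as expected.
// Hypothetical rule: a username is 3 to 32 letters, digits, '_' or '.'.
function filterUsername(?string $raw): ?string
{
    if ($raw === null || preg_match('/\A[A-Za-z0-9_.]{3,32}\z/', $raw) !== 1) {
        return null;            // reject outright; do not "clean up" and continue
    }
    return $raw;
}

// Phase 2: escape output, once per medium, at the point of output.
function forHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value inside a URL that is itself inside HTML: urlencode FIRST, then HTML-escape.
function forUrlInHtml(string $s): string
{
    return forHtml(urlencode($s));
}

// A value handed to JavaScript: JSON-encode it; the HEX flags keep it safe inside <script>.
function forJs(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($s, $flags);
}

// Constructed inputs: one legitimate, one carrying markup that would run if echoed raw.
$samples = ['dan_07', 'dan<script>alert(1)</script>'];

foreach ($samples as $raw) {
    $user = filterUsername($raw);
    if ($user === null) {
        echo 'Rejected input: ' . forHtml($raw) . "\n";   // even the error echo is escaped
        continue;
    }
    echo '<p>Account created for ' . forHtml($user) . "</p>\n";
    echo '<a href="profile.php?user=' . forUrlInHtml($user) . "\">Profile</a>\n";
    echo '<script>var user = ' . forJs($user) . ";</script>\n";
}
```

Database output is left out because it needs a live connection; the same rule applies there, with the database's own escaping function or, today, a prepared statement rather than string building.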