2009/6/11 HallMarc Websites <marc@xxxxxxxxxxxxxxxxxxxx>
>
> > -----Original Message-----
> > From: tedd [mailto:tedd.sperling@xxxxxxxxx]
> > Sent: Thursday, June 11, 2009 9:28 AM
> > To: PHP-General List
> > Subject: Re: Preventing XSS Attacks
> >
> > At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> >
> > >So something like this would be acceptable?:
> > >
> > >$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
> > >$searchTerms = htmlentities($searchTerms);
> > >$dbSearchTerms = mysql_real_escape_string($searchTerms);
> > >
> > >Giving me two variables, one for display output to user, the other for
> > >use in the database?
> > >
> > >Thanks
> > >Ash
> >
> > Ash:
> >
> > I wouldn't use $_REQUEST. If you know the request method then use it.
> >
> > There can be problems using $_REQUEST.
> >
> > Cheers,
> >
> > tedd
> >
> > --
> > -------
> > http://sperling.com http://ancientstones.com http://earthstones.com
> >
>
> I agree with tedd wholeheartedly and I want to repeat the importance of
> protecting the data coming back from the db as well by using
> safeEscapeString in your queries, and again the reason for this is to
> prevent malicious code from being executed.
>
> As far as CSRF/XSRF take a read here
> http://shiflett.org/articles/cross-site-request-forgeries
>
> [Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
> 610.446.3346]
>

I'd recommend that you *always* use ENT_QUOTES as the second parameter on
htmlentities or htmlspecialchars. Otherwise a single ' will not be escaped,
which may be evil.

Also be sure that you don't code a possibility to include local or even
remote files: it's so easy to inject code into logfiles.
include('whatever'.$_REQUEST['var'].'.whatever') is not a sufficient
protection.

Also, like someone already mentioned, *always* prefer _POST over _REQUEST
when dealing with a FORM with method POST!

Regards
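The following is an added example, not code posted by anyone in the thread. It pulls the three pieces of advice above together in one runnable script: read the field from $_POST rather than $_REQUEST, keep the raw value and escape it with ENT_QUOTES only at the point of HTML output (including data read back from the database, as Marc asks for), and replace the string concatenation in include() with a fixed allow-list. Instead of mysql_real_escape_string it uses a PDO prepared statement; the in-memory SQLite database and the $_POST values are constructed here so the script runs offline (assumption: the pdo_sqlite extension is available). The page names in the allow-list are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for a submitted POST form (not real traffic).
$_POST['q']    = "O'Reilly <script>alert(1)</script> \"x\"";
$_POST['page'] = '../../etc/passwd';

// Read the specific superglobal the form uses; $_REQUEST would also accept
// the same name from the query string or a cookie.
$searchTerms = isset($_POST['q']) ? (string) $_POST['q'] : '';

// One escaping function for HTML body and attribute contexts.
// ENT_QUOTES turns ' into &#039;; with the older ENT_COMPAT default
// (PHP < 8.1) a single quote is passed through, which breaks out of
// single-quoted attributes such as value='...'.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "ENT_COMPAT:  " . htmlspecialchars($searchTerms, ENT_COMPAT, 'UTF-8') . "\n";
echo "ENT_QUOTES:  " . escapeHtml($searchTerms) . "\n";

// Escape once, at output time, from the raw value.
echo '<input type="search" name="q" value="' . escapeHtml($searchTerms) . '">' . "\n";

// Database: bind the raw value (not the HTML-escaped one) with a prepared
// statement, so the stored data is what the user typed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE searches (term TEXT)');
$stmt = $pdo->prepare('INSERT INTO searches (term) VALUES (:term)');
$stmt->execute([':term' => $searchTerms]);

// Data read back from the db is untrusted as well: escape it on output.
foreach ($pdo->query('SELECT term FROM searches') as $row) {
    echo '<li>' . escapeHtml((string) $row['term']) . "</li>\n";
}

// File inclusion: never build the path from request data. Map the request
// value to a fixed allow-list and refuse anything else.
function resolvePage(array $allowed, string $requested): ?string
{
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    return __DIR__ . '/pages/' . $allowed[$requested];
}

$pages = ['home' => 'home.php', 'about' => 'about.php']; // hypothetical names
$resolved = resolvePage($pages, (string) ($_POST['page'] ?? 'home'));
if ($resolved === null) {
    echo "rejected page: " . escapeHtml((string) $_POST['page']) . "\n";
} else {
    echo "would include: " . $resolved . "\n"; // include $resolved; in real code
}
```

Run it with `php` from the command line. The first two lines printed show the single quote surviving ENT_COMPAT and being encoded under ENT_QUOTES; the `../../etc/passwd` value is rejected because it is not a key of the allow-list, regardless of what prefix or suffix an include() would add around it.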