On Thu, 2009-06-11 at 18:27 +0200, Jan G.B. wrote:
> 2009/6/11 HallMarc Websites <marc@xxxxxxxxxxxxxxxxxxxx>
> >
> > > -----Original Message-----
> > > From: tedd [mailto:tedd.sperling@xxxxxxxxx]
> > > Sent: Thursday, June 11, 2009 9:28 AM
> > > To: PHP-General List
> > > Subject: Re: Preventing XSS Attacks
> > >
> > > At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> > >
> > > >So something like this would be acceptable?:
> > > >
> > > >$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
> > > >$searchTerms = htmlentities($searchTerms);
> > > >$dbSearchTerms = mysql_real_escape_string($searchTerms);
> > > >
> > > >Giving me two variables, one for display output to user, the other for
> > > >use in the database?
> > > >
> > > >Thanks
> > > >Ash
> > >
> > > Ash:
> > >
> > > I wouldn't use $_REQUEST. If you know the request method then use it.
> > >
> > > There can be problems using $_REQUEST.
> > >
> > > Cheers,
> > >
> > > tedd
> > >
> > > --
> > > -------
> > > http://sperling.com http://ancientstones.com http://earthstones.com
> > >
> >
> > I agree with tedd wholeheartedly and I want to repeat the importance of
> > protecting the data coming back from the db as well by using
> > safeEscapeString in your queries and again the reason for this is to prevent
> > malicious code from being executed.
> >
> > As far as CSRF/XSRF take a read here
> > http://shiflett.org/articles/cross-site-request-forgeries
> >
> > [Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
> > 610.446.3346]
> >
>
> I'd recommend that you *always* use ENT_QUOTES as the second parameter on
> htmlentities or htmlspecialchars. Otherwise a single ' will not be escaped,
> which may be evil.
>
> Also be sure that you don't code a possibility to include local or even
> remote files: It's so easy to inject code into logfiles.
> include('whatever'.$_REQUEST['var'].'.whatever') is not a sufficient
> protection.
>
> Also, like someone already mentioned, *always* prefer _POST over _REQUEST,
> when dealing with a FORM with method POST!
>
> Regards

In this case I'm expecting input from both forms and links, so have to use $_REQUEST, really. As far as I can tell, $_REQUEST is no less safe than any of the others, as they are all getting their data from the user, so it's all unsafe until validated/cleaned.

Thanks for the ENT_QUOTES thing, I really haven't had my head screwed on the last few days!

Thanks
Ash
www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
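Added example (not code from anyone in the thread) showing the two points discussed above: passing ENT_QUOTES to htmlentities() so a single quote is escaped, and keeping one raw value for the database separate from the HTML-escaped value shown to the user. It assumes PHP 7.1 or later with pdo_sqlite, and uses a PDO prepared statement in place of the thread's mysql_real_escape_string (the ext/mysql functions were removed in PHP 7).

```php
<?php
// Added example, not code from the thread. Demonstrates ENT_QUOTES in
// htmlentities() and the "two variables, two contexts" idea: the database
// receives the raw term through a bound parameter, the browser receives the
// HTML-escaped term. Assumes PHP >= 7.1 with the pdo_sqlite extension.
declare(strict_types=1);

/** Escape a value for HTML text or a quoted attribute (both " and ' handled). */
function escapeForHtml(string $value): string
{
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    // PHP 8.1+ defaults to ENT_QUOTES, but pass it explicitly for older versions.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Search titles with a bound parameter; the term is never hand-escaped for SQL. */
function searchTitles(PDO $db, string $term): array
{
    // Escape LIKE wildcards in the user input so % and _ match literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare("SELECT title FROM items WHERE title LIKE :pat ESCAPE '\\'");
    $stmt->bindValue(':pat', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (title TEXT)');
$db->exec("INSERT INTO items VALUES ('O''Reilly Guide'), ('Plain Guide')");

// Constructed request value, as it might arrive in $_REQUEST['q'].
$q = "O'Reilly <b>";

// The database context: raw value, bound as a parameter.
$rows = searchTitles($db, "O'Reilly");

// The HTML context: ENT_COMPAT (the 2009-era default) leaves ' untouched,
// so the value is not safe inside a single-quoted attribute.
$compat = htmlentities($q, ENT_COMPAT, 'UTF-8');
$quotes = escapeForHtml($q);

printf("ENT_COMPAT: %s\n", $compat);              // O'Reilly &lt;b&gt;
printf("ENT_QUOTES: %s\n", $quotes);              // O&#039;Reilly &lt;b&gt;
printf("matches: %s\n", implode(', ', $rows));    // O'Reilly Guide
echo '<input type="text" name="q" value="' . $quotes . '">', "\n";
```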