Web lists-archives.com

Re: [PHP] Dealing With User Entering a Script




On Fri, 2016-07-22 at 13:52 -0700, Jeffry Killen wrote:
> On Jul 22, 2016, at 11:19 AM, Stephen wrote:
> 
> > I dug back to see where I git the idea of using htmlentities() on  
> > user input.
> >
> > This came from the book Modern PHP and deals with a user entering in  
> > a text box something like:
> >
> > <script>window.location.href='http://example.com';</script>
> >
> > Is there a better way of dealing with this?
> >
> >
> > For context, I am creating a user registration field and there is a  
> > textarea field for their bio.
> >
> > Thank you!
> >
> > -- 
> > Stephen
> >
> > -- 
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> 
> There should not be a problem with script code entered into  a text  
> field or
> textarea element because the browser treats it like a single quoted  
> string.
> So the script won't be run in the client.
> 
> I would have php look for embedded script tags and str_replace() them
> when the form data is submitted. OR, if you are up on javascript, have  
> it
> intercept the submit process and clean the form input.
> 
> I have developed a crude way of editing source code that load anything
> and every thing into a textarea element for editing with no worry of the
> browser executing any code in the textarea. Even php open and close
> tags in php script files won't cause it to run php code.
> 
> JK
> 

You should never solely rely on any client-side validation, as that is
easily circumvented.

As I said before, you shouldn't be looking to just alter content
submitted to your app if it doesn't need it. If that data is only going
to the DB, then it does not need <script> tags removed.

If you're displaying that user-supplied content on your website
afterwards, then sanitise it only at the point that it is being
displayed. 

I know it's very tempting to just clobber user input with everything
that is at hand, but it really pays off to understand the entire process
of the route data takes through your application and the risks at each
part. Running HTML sanitisation on data intended for a database is not
advised and sometimes pointless (e.g. an app that outputs user
submissions into a CSV for download).

I wrote something on this just under 2 years ago for my last company as
part of a coding standards document:
https://github.com/tmwagency/TMW-PHP-coding-standards/blob/master/php%
20coding%20standards%20github%20format.md#sql-injection

It also has a link to more resources on why running htmlentities before
a database insert is not recommended.

Thanks,
Ash

http://www.ashleysheridan.co.uk




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php