
Re: [PHP] Dealing With User Entering a Script

Hi:

You asked:

> Is there a better way of dealing with this?

When dealing with any web-data you collect, you need to consider what you’re going to do with it.

I think "Richard Lynch" said it best:

<quote>

You're actually conflating not one, but TWO (!) different problems.

Number 1 is to "filter input".
What that means specifically is to be sure that the user input looks
EXACTLY the way you expect.

Number 2 is to "escape output".
What that means specifically is to transform any given chunk of data
to a format suitable for its output medium.

For example, ANY output headed to the browser should have
http://php.net/htmlentities called on it.

If it's headed out to a database, it should have a database-specific
function called, such as http://php.net/mysql_real_escape_string

If it's going to be data in a GET parameter in a URL, it needs
http://php.net/urlencode called FIRST, and then htmlentities.

If it's headed to XML, however, it should have some kind of XML
function called to wrap it into CDATA or a pre-defined data type /
format.

If it's headed out to Javascript, I think you want http://php.net/json

So, you've really got TWO phases:

filter input; escape output

Why it matters is that Evil People do exist, and they WILL find a way
to cause damage to you or even to others, if you fail to do this.

Common hacks include executing SQL to damage databases, or adding
Javascript to deface websites, or even adding Javascript to use YOUR
web-site in an attack upon another website.

Here is a good starting point for some of the details of what to do
and why:
http://phpsec.org/

ALSO

If some random 'net user can send POST data, and you just blindly spit
it out, with no filtering and no escaping, then, yes, that is
insecure.

There are all manner of nasty things that can be done to this setup by
other users.

Example:
They can send whatever POST data they want, which can include
JavaScript, which you blindly echo out, which can make your site
"look" like another site's login, but sends THEM the login info.

So now they are using your site as a dropbox in a phishing attack.

And that's just ONE example from a dozen.

</quote>

Cheers,


tedd

_______________
tedd sperling
tedd.sperling@xxxxxxxxx
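The two phases in the quoted advice, filter input and escape output, applied to the bio textarea from the original question. This is an added example and not code from the thread or from either poster; the function names, the `users` table, the `$pdo` connection and the `/share` URL are assumptions made for illustration. It uses a PDO prepared statement in place of `mysql_real_escape_string`, and `json_encode` with the hex flags for the JavaScript case.

```php
<?php
// Added example (not from the original thread). Function names, the `users`
// table, $pdo and the /share URL are assumptions for illustration.
declare(strict_types=1);

// Phase 1: filter input. A bio should be valid UTF-8, free of control
// characters (newline and tab allowed) and of bounded length. Nothing is
// HTML-encoded here: the stored value stays the user's actual text.
function filterBio(string $raw, int $maxLen = 2000): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('bio is not valid UTF-8');
    }
    $bio = trim($raw);
    // Drop Unicode control characters (category Cc) other than \n and \t.
    $bio = preg_replace('/[^\P{Cc}\n\t]+/u', '', $bio);
    if (mb_strlen($bio, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException("bio exceeds {$maxLen} characters");
    }
    return $bio;
}

// Phase 2: escape output, one function per output medium.

// Text placed in an HTML body, e.g. the bio shown on a profile page.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value carried in a URL query parameter.
function escapeForUrlParam(string $s): string
{
    return rawurlencode($s);
}

// A value embedded in an inline <script> block. The JSON_HEX_* flags turn
// < > & ' " into \uXXXX escapes so the string cannot close the script tag.
function escapeForJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Storage: a parameterised query keeps the data separate from the SQL text,
// so no string escaping is needed. $pdo and the `users` table are assumed.
function saveBio(PDO $pdo, int $userId, string $bio): void
{
    $stmt = $pdo->prepare('UPDATE users SET bio = :bio WHERE id = :id');
    $stmt->execute([':bio' => $bio, ':id' => $userId]);
}

// Constructed sample input: the payload quoted in the original question.
$posted = "<script>window.location.href='http://example.com';</script>";
$bio = filterBio($posted);

// Same stored value, three output media, three different encoders.
echo '<p>' . escapeForHtml($bio) . "</p>\n";
// URL parameter inside an HTML attribute: urlencode first, then HTML-escape.
echo '<a href="/share?bio=' . escapeForHtml(escapeForUrlParam($bio)) . "\">share</a>\n";
echo '<script>var bio = ' . escapeForJs($bio) . ";</script>\n";
```

Run it from the command line with `php example.php` and compare the three echoed lines: the script tags survive only as inert text, because the filter step deliberately keeps the user's characters and the escaping step, chosen per destination, is what prevents them from being interpreted.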


---


> On Jul 22, 2016, at 2:19 PM, Stephen <stephen-d@xxxxxxxxxx> wrote:
> 
> I dug back to see where I got the idea of using htmlentities() on user input.
> 
> This came from the book Modern PHP and deals with a user entering in a text box something like:
> 
> <script>window.location.href='http://example.com';</script>
> 
> Is there a better way of dealing with this?
> 
> 
> For context, I am creating a user registration field and there is a textarea field for their bio.
> 
> Thank you!
> 
> -- 
> Stephen
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

