Re: [PHP] help create community newbie guide to security
From: Raditha Dissanayake (jabber_at_raditha.com)
Date: 11/11/03
- Next message: Binay: "displaying numbers up to 2 places of decimal."
- Previous message: Chris Shiflett: "Re: [PHP] help create community newbie guide to security"
- In reply to: Chris Shiflett: "Re: [PHP] help create community newbie guide to security"
- Next in thread: Lawrence Kennon: "Re: [PHP] help create community newbie guide to security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 11 Nov 2003 10:36:52 +0600
To: php-general@lists.php.net
Nice work Chris, you have left precious little for the others to comment on :-)
>> 10. Use htmlentities() on data that will be put through a SQL query to
>> prevent XSS attacks. http://php.net/htmlentities
>
>This is a nice suggestion. While htmlentities() cannot be guaranteed to
>defend against all XSS vulnerabilities, I would bet that most XSS
>vulnerabilities are due to a complete lack of filtering logic. If a
>developer doesn't even bother using htmlentities(), neglect is the best
>word to describe his/her approach to developing.
>
>In some cases, the developer may want certain HTML elements interpreted
>rather than escaped in this way. Perhaps you could mention that something
>like str_replace() can be used to convert specific HTML entities back to
>their original form. This method should filter any unwanted elements.
>
But I would still like to add my 2c by saying there is also the option of
strip_tags(), which does a more drastic sanitization by removing anything
that smells of HTML.
-- 
Raditha Dissanayake.
------------------------------------------------------------------------
http://www.radinks.com/sftp/          | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with  | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.
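The three options discussed in this message (htmlentities(), strip_tags(), and "escape everything, then str_replace() a few tags back") side by side, as an added example that is not code from the original thread or from the newbie guide under discussion. The function names, the sample input and the allowed-tag list are all my own assumptions for illustration; the behaviour of the three PHP built-ins is as documented.

```php
<?php
// Added example, not code from the original thread. It runs the three
// output-filtering options discussed above against one constructed sample
// input and shows where each one falls short.
declare(strict_types=1);

// Constructed input, the kind of string a comment form might receive.
const SAMPLE = "<b>Hi</b> <img src=x onerror=alert(1)> O'Neil "
             . "<b onmouseover=\"alert(1)\">bold</b>";

// Option 1: htmlentities(). Escape every special character so the browser
// renders the text literally. ENT_QUOTES also escapes the single quote, which
// the pre-8.1 default (ENT_COMPAT) leaves alone; that gap matters inside
// single-quoted attributes. Always pass the charset your pages are served in.
// This is only the right encoder when the value lands in an HTML text node or
// a quoted attribute; a value dropped into a <script> block or a URL needs a
// different one.
function escape_for_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Option 2: strip_tags(). The drastic route: anything that looks like a tag
// is removed; the text inside the tag is kept.
function strip_all_html(string $s): string
{
    return strip_tags($s);
}

// strip_tags() with an allowed-tag list is NOT a safe way to permit a little
// markup: every attribute on an allowed tag survives, including onmouseover=.
function strip_but_allow_bold(string $s): string
{
    return strip_tags($s, '<b>');
}

// Option 3: escape everything, then convert an exact, attribute-free set of
// tags back with str_replace(), as suggested in the reply quoted above.
// Because "&lt;b onmouseover=...&gt;" never matches "&lt;b&gt;", no attribute
// can ride back in with the tag. $tags is an assumed allow-list.
function escape_then_allow(string $s, array $tags = ['b', 'i']): string
{
    $escaped = escape_for_html($s);
    $search  = [];
    $replace = [];
    foreach ($tags as $t) {
        $search[]  = "&lt;{$t}&gt;";
        $replace[] = "<{$t}>";
        $search[]  = "&lt;/{$t}&gt;";
        $replace[] = "</{$t}>";
    }
    return str_replace($search, $replace, $escaped);
}

// Run all three against the sample and print the results.
$results = [
    'htmlentities'      => escape_for_html(SAMPLE),
    'strip_tags'        => strip_all_html(SAMPLE),
    'strip_tags(<b>)'   => strip_but_allow_bold(SAMPLE),
    'escape_then_allow' => escape_then_allow(SAMPLE),
];
foreach ($results as $name => $out) {
    printf("%-18s %s\n", $name . ':', $out);
}
```

On the sample, strip_tags() returns plain text with the image and the event handler gone, strip_tags() with '<b>' allowed hands back `<b onmouseover="alert(1)">bold</b>` intact, and escape_then_allow() leaves both the `<img>` and the attributed `<b>` as harmless escaped text (the stray `</b>` it restores is unbalanced markup, not executable). The point for the guide: htmlentities() with ENT_QUOTES and an explicit charset is the safe default for output, strip_tags() is fine when you want no markup at all, and an allowed-tag list on strip_tags() is not a filter for attributes.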