[nycphp-talk] Re: New PHundamentals Article
Chris Shiflett
shiflett at php.net
Mon Jan 5 13:47:16 EST 2004
--- Emmanuel Décarie <emm at scriptdigital.com> wrote:
> (1) "Best Practice: Do not use the function addslashes but, instead,
> use a function that is specific to your database."
>
> Could the tutorial elaborate a little bit more on this?
First of all, this looks to be another great phundamentals article. I
really like this series (or whatever you want to call it).
I agree with Emmanuel that some elaboration would be useful here. Whenever
a best practice is seldom followed, a very clear justification can be a
great thing. Being right and convincing someone else that you're right are
often very different things. :-)
> (2) htmlentities/htmlspecialchars
>
> I think the tutorial should insist that the best practice is not using
> these functions on data that you want to *insert* in a database.
More elaboration in general might be good. I would consider these
functions the "least you can do" when you're displaying potentially
tainted data to the user. If you're not displaying data, htmlentities()
probably isn't going to offer you the type of protection you seek.
There are also two different opinions on this:
1. Perform htmlentities() prior to storage.
2. Perform htmlentities() prior to display.
The first can be better if you must display data in HTML very often.
Rather than perform htmlentities() every time, you can just pull straight
from the database.
The second is usually best if you have other uses for the data besides
displaying it in HTML. It is also best if your security model revolves
around cleaning up data the moment it enters into your application. This
can be a good approach in terms of keeping things simple for your
developers.
The best thing to do in general would be to validate your data according
to exactly what it is supposed to be. I'm not creative enough to think of
a way to inject some XSS that subverts htmlentities(), but it seems like
something that might be possible. Also, adhering to strong security
practices is a good idea in general, since such things can potentially
protect you from attacks that you're not even aware of.
> PS: My spell checker (Grammarian/OS X) flagged 'conspicously' and
> wanted 'conspicuously' instead.
Probably because conspicously is not a word. :-)
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
More information about the talk
mailing list