NYCPHP Meetup

[Dan Cech]

max wrote:
> Well, i personally use switch() to filter main input (like index.php?section=about)
> and then everything thats GET or POST goes into addslashes and either has html/script things stripped, or converted to htmlentities.
> if you look at preg_replace on php.net manual, you'll find some examples on how to strip html/script tags easily.
> This audit was still usefull in my opinion. Its good to be able to see what someone who charges, and apparently successfully, for their scanning software would do to simulate real attacks.
> Obviously, i can google for XSS, and I have, but another set of eyes is always great.
> 
> 
> 2c...

When you get right down to it, if you use the basic precautions laid out
in the relevant PHundamentals article
(http://www.nyphp.org/phundamentals/storingretrieving.php), you will not
need to 'strip' or 'filter' input to avoid breaking the application itself.

There are very few reasons to strip or filter data:

* if you need to echo user input to the browser as HTML, in which case
best practice would be to vet the tags using a whitelist approach

* if you are enforcing business rules (allowed values for a field, etc)

* if you are outputting data to other systems (eg sending email headers)

Provided you treat the data correctly, your program will see it as just
that, data, regardless of the content.  If certain input would break
your system, it is the system which should be changed, not the data.

Dan