PHP - security etc
andy at hexten.net
Wed Mar 7 18:06:02 GMT 2007
On 7 Mar 2007, at 17:20, Dominic Mitchell wrote:
> You're creating a damned web page. You need to escape pretty much
Apart from all the static content and any cases where you actually
intend to generate markup.
> Not escaping things should be the exception, rather than
> the other way around.
/me has flashback to trying to push literal HTML past Lotus Domino's
"escape everything" policy.
The output you're generating is HTML. You're transforming whatever
information you have into an HTML representation of that content. It
doesn't seem particularly daring of PHP to reflect that state of
affairs. Automatic entity encoding would be reminiscent of the
automatic SQL escaping misfeature.
> Otherwise it gets forgotten and guess what? Lots
> of XSS attacks.
But isn't SQL escaping version of that problem exactly what the PHP
folks tried to address with magic quotes? "Nobody remembers to SQL
escape their data so we'll just do it for them".
Andy Armstrong, hexten.net
More information about the london.pm