PHP - security etc
Andy Armstrong
andy at hexten.net
Wed Mar 7 18:06:02 GMT 2007
On 7 Mar 2007, at 17:20, Dominic Mitchell wrote:
> You're creating a damned web page. You need to escape pretty much
> everything.
Apart from all the static content and any cases where you actually
intend to generate markup.
> Not escaping things should be the exception, rather than
> the other way around.
/me has flashback to trying to push literal HTML past Lotus Domino's
"escape everything" policy.
The output you're generating is HTML. You're transforming whatever
information you have into an HTML representation of that content. It
doesn't seem particularly daring of PHP to reflect that state of
affairs. Automatic entity encoding would be reminiscent of the
automatic SQL escaping misfeature.
> Otherwise it gets forgotten and guess what? Lots
> of XSS attacks.
But isn't the SQL escaping version of that problem exactly what the PHP
folks tried to address with magic quotes? "Nobody remembers to SQL
escape their data so we'll just do it for them".
--
Andy Armstrong, hexten.net
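[Added example, not part of the thread or of PHP itself: the contrast the post draws between escaping at the HTML sink and magic-quotes-style escaping on input. The helper names h(), render() and SafeHtml and the request data are assumptions made up for the illustration; only htmlspecialchars() and addslashes() are real PHP functions.]

```php
<?php
// Added illustration (hypothetical page code, not from the thread).
// Shows escaping at the output sink, per context, against the magic_quotes shape
// of the problem: escaping every input once, for a context it may never reach.

declare(strict_types=1);

// Escape a string for an HTML text or attribute context.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; the charset is stated explicitly so the
// result does not depend on default_charset.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Marker type for markup the application itself produced (static content, generated
// HTML). This is the "exception" case: it must bypass escaping, but only explicitly.
final class SafeHtml
{
    public string $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }
}

// Render one value into HTML: plain strings are escaped, SafeHtml passes through.
function render(string|SafeHtml $v): string
{
    return $v instanceof SafeHtml ? $v->html : h($v);
}

// Constructed request input, as it might arrive in $_GET (hypothetical).
$input = ['name' => "O'Brien <script>alert(1)</script>"];

// --- the magic_quotes shape of the problem (magic_quotes_gpc was removed in PHP 5.4) ---
// It applied addslashes() to every request value on arrival, i.e. before anyone knew
// whether the value was headed for SQL, HTML, a shell, or nowhere at all.
$magic = array_map('addslashes', $input);

// Dropped into HTML, the backslash is visible garbage and the <script> is untouched:
// wrong context, so no protection against XSS.
$magicInHtml = "<p>Hello " . $magic['name'] . "</p>";

// Dropped into SQL through a real escaper it is escaped twice (here addslashes stands
// in for a driver escaper such as mysqli_real_escape_string, which needs a connection).
// The stored name then carries a literal backslash.
$magicInSql = "SELECT * FROM users WHERE name = '" . addslashes($magic['name']) . "'";

// --- escaping at the sink, for the context the data actually lands in ---
$text = "<p>Hello " . render($input['name']) . "</p>";

// Attribute context uses the same escaper because ENT_QUOTES was set.
$attr = '<a title="' . h($input['name']) . '">profile</a>';

// Application-generated markup is the explicit exception and is marked as such.
$nav  = new SafeHtml('<a href="/">Home</a>');
$page = "<nav>" . render($nav) . "</nav>\n" . $text . "\n" . $attr . "\n";

echo "magic_quotes in HTML: ", $magicInHtml, "\n";
echo "magic_quotes in SQL:  ", $magicInSql, "\n";
echo "escaped at the sink:\n", $page;
```

The SafeHtml wrapper is the counterpart of "any cases where you actually intend to generate markup": the renderer escapes by default and only lets markup through when the caller has said so in the type, which keeps the exception visible at the call site rather than buried in a global setting.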