PHP - security etc

Aaron Crane perl at
Wed Mar 7 19:47:30 GMT 2007

Andy Armstrong writes:
> On 7 Mar 2007, at 17:20, Dominic Mitchell wrote:
> >Not escaping things should be the exception, rather than the other
> >way around.  Otherwise it gets forgotten and guess what?  Lots of XSS
> >attacks.
> But isn't SQL escaping version of that problem exactly what the PHP
> folks tried to address with magic quotes? "Nobody remembers to SQL
> escape their data so we'll just do it for them".

There are significant differences between the two situations:

  - Magic-quote munging, if enabled in the server, is applied before
    your own code gets to run
  - Magic-quote munging can't easily be selectively disabled for
    specific pieces of data to which it shouldn't apply
  - Magic-quote munging purports to be useful when putting data into
    database queries, but it makes unwarranted and unchangeable
    assumptions about the syntax used by your DBMS

But it's easy to imagine an HTML-oriented templating system which
would default to HTML escaping, but would let individual templates disable the
escaping for individual variables or globally, or would let a template
choose a different default escaping.  Using a TT-style syntax as a trial

  [% DEFAULT_FILTER html %]

  <p>Hello, [% name %].</p>[%# Implicitly HTML-escaped %]

  <a href="/?a=[% a |url %]">whatever</a>[%# Explicitly URL-escaped %]

  [% sanitised_html |NONE %][%# Explicitly not escaped at all %]

The existence of that (even if 'html' were a _default_ default filter)
wouldn't prevent someone setting the default filter to CSV, or JSON, or
PostScript, or whatever's needed in any particular application.

Aaron Crane

More information about the mailing list