PHP - security etc
Aaron Crane
perl at aaroncrane.co.uk
Wed Mar 7 19:47:30 GMT 2007
Andy Armstrong writes:
> On 7 Mar 2007, at 17:20, Dominic Mitchell wrote:
> >Not escaping things should be the exception, rather than the other
> >way around. Otherwise it gets forgotten and guess what? Lots of XSS
> >attacks.
>
> But isn't SQL escaping version of that problem exactly what the PHP
> folks tried to address with magic quotes? "Nobody remembers to SQL
> escape their data so we'll just do it for them".
There are significant differences between the two situations:
- Magic-quote munging, if enabled in the server, is applied before
your own code gets to run
- Magic-quote munging can't easily be selectively disabled for
specific pieces of data to which it shouldn't apply
- Magic-quote munging purports to be useful when putting data into
database queries, but it makes unwarranted and unchangeable
assumptions about the syntax used by your DBMS
But it's easy to imagine an HTML-oriented templating system which
would default to HTML escaping, but would let individual templates disable the
escaping for individual variables or globally, or would let a template
choose a different default escaping. Using a TT-style syntax as a trial
balloon:
[% DEFAULT_FILTER html %]
<p>Hello, [% name %].</p>[%# Implicitly HTML-escaped %]
<a href="/?a=[% a |url %]">whatever</a>[%# Explicitly URL-escaped %]
[% sanitised_html |NONE %][%# Explicitly not escaped at all %]
The existence of that (even if 'html' were a _default_ default filter)
wouldn't prevent someone setting the default filter to CSV, or JSON, or
PostScript, or whatever's needed in any particular application.
--
Aaron Crane
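A toy implementation of the escape-by-default template syntax sketched above, added here as an example (not code from the post; `DEFAULT_FILTER` is the hypothetical directive from the message, not a real Template Toolkit feature): every `[% var %]` goes through the current default filter, `|url` or `|NONE` overrides it for that one variable, and an unknown variable or filter name raises rather than emitting raw text.

```python
import html
import re
import urllib.parse

# Escaping filters the toy engine knows; "none" is the explicit opt-out the
# post spells as |NONE, intended only for markup that is already sanitised.
FILTERS = {
    "html": html.escape,                              # & < > " ' -> entities
    "url": lambda s: urllib.parse.quote(s, safe=""),  # percent-encode everything
    "none": lambda s: s,
}

DIRECTIVE = re.compile(r"\[%\s*(.*?)\s*%\]", re.S)  # matches [% ... %] and [%# ... %]

def render(template, variables, default_filter="html"):
    """Expand directives; a variable is run through the default filter unless
    the template names one with `|name`.  Unknown variables or filters raise
    instead of emitting raw text, so a typo cannot silently disable escaping."""
    def expand(match):
        nonlocal default_filter
        body = match.group(1)
        if body.startswith("#"):                      # [%# comment %] emits nothing
            return ""
        if body.startswith("DEFAULT_FILTER"):         # hypothetical directive from the post
            default_filter = body.split()[1].lower()
            return ""
        name, _, filt = (part.strip() for part in body.partition("|"))
        filt = filt.lower() if filt else default_filter
        try:
            return FILTERS[filt](str(variables[name]))
        except KeyError as exc:
            raise ValueError(f"cannot render {body!r}: unknown {exc}") from None
    return DIRECTIVE.sub(expand, template)

# The three template lines from the post, with constructed hostile-looking values.
SAMPLE_TEMPLATE = (
    "[% DEFAULT_FILTER html %]"
    "<p>Hello, [% name %].</p>[%# Implicitly HTML-escaped %]\n"
    '<a href="/?a=[% a |url %]">whatever</a>[%# Explicitly URL-escaped %]\n'
    "[% sanitised_html |NONE %][%# Explicitly not escaped at all %]\n"
)
SAMPLE_VARS = {"name": 'Bobby <b>&</b> "friends"', "a": "x&y=1 2",
               "sanitised_html": "<em>already clean</em>"}

def demo():
    return render(SAMPLE_TEMPLATE, SAMPLE_VARS)

if __name__ == "__main__":
    print(demo())
```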