Thread: https://forums.phpfreaks.com/topic/257910-safely-outputting-fields/

doubledee, posted February 28, 2012

On my website, I have Sticky Forms that use the following style of code...

    <input id="firstName" name="firstName" type="text" maxlength="30" value="<?php if(isset($firstName)){echo htmlspecialchars($firstName, ENT_QUOTES);} ?>" /><!-- Sticky Field -->

Do I need to use htmlspecialchars($firstName, ENT_QUOTES); any time I output data to the screen??

For example, in this code do I need to wrap $username??

    echo '
    <div class="userInfo">
        <a href="#" class="username">
            <strong>' . $username . '</strong>
        </a>';

Debbie
trq, posted February 28, 2012

That would completely depend on what $username contains and what context you're displaying it in.
doubledee (author), posted February 29, 2012

> That would completely depend on what $username contains and what context you're displaying it in.

The context is having User Details alongside any Comments a User posts on my site. (Just like how it works on PHPFreaks.)

    <username>
    <user's picture>
    <user's location>
    <# of posts>
    <user's comments>

Does that help?

Debbie
kicken, posted February 29, 2012

If the original source of the data is untrusted (i.e., was typed in by a user) then before outputting it in your HTML, yes, you need to escape it using htmlentities or htmlspecialchars (either will work fine).
doubledee (author), posted February 29, 2012

> If the original source of the data is untrusted (i.e., was typed in by a user) then before outputting it in your HTML, yes, you need to escape it using htmlentities or htmlspecialchars (either will work fine).

The items above would be output in my "article.php" script. However, that data was originally entered when the User registered, and in the "Create an Account" form I have this code...

    <!-- Username -->
    <label for="username"><b>*</b>Username:<span class="fieldRequirements">(Must be 8-30 characters.)</span></label>
    <input id="username" name="username" type="text" maxlength="30" value="<?php if(isset($username)){echo htmlspecialchars($username, ENT_QUOTES);} ?>" /><!-- Sticky Field -->
    <?php
        if (!empty($errors['username'])){
            echo '<span class="error">' . $errors['username'] . '</span>';
        }
    ?>

Shouldn't that "sanitize" the Username so it is safe when I output it in "article.php"??

Debbie
creata.physics, posted February 29, 2012

Yes. You sanitized username and entered it into the db, so it's already clean when outputting to your articles.php page.
Psycho, posted February 29, 2012

> Yes. You sanitized username and entered it into the db, so it's already clean when outputting to your articles.php page.

Sanitizing input for the purpose of saving in the database does not make that content "safe" to display in a web page.

> However, that data was originally entered when the User registered, and in the "Create an Account" form I have this code...
>
>     <!-- Username -->
>     <label for="username"><b>*</b>Username:<span class="fieldRequirements">(Must be 8-30 characters.)</span></label>
>     <input id="username" name="username" type="text" maxlength="30" value="<?php if(isset($username)){echo htmlspecialchars($username, ENT_QUOTES);} ?>" /><!-- Sticky Field -->
>     <?php
>         if (!empty($errors['username'])){
>             echo '<span class="error">' . $errors['username'] . '</span>';
>         }
>     ?>
>
> Shouldn't that "sanitize" the Username so it is safe when I output it in "article.php"??

That code is only escaping the content for the purposes of the "stickiness" of your form. That has no bearing on how you might use the saved value in other places (as you proposed above). As kicken already stated (you know, I use the phrase "as already stated" a LOT with you), if the data came from the user you need to treat it as "untrusted" and always escape it based upon the method you are using it in. This includes DB queries, HTML output, etc. Even if you were outputting content to a CSV file you need to properly escape it so that a rogue comma in the data doesn't corrupt the file.

I'll also add that even if you are, currently, restricting usernames to certain characters that wouldn't cause a problem being output to HTML, it is still a good practice to escape it anyway. If you were to decide later that you were too restrictive in your rules for usernames you wouldn't want to hunt through your code to find all the places that it is used in output.
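The point made in the reply above (escape according to the context the value is used in, not once "on the way into the database") is illustrated by the following added example. It is not code from the thread; the username value, the table name, and the PDO DSN and credentials are constructed placeholders.

```php
<?php
// Added example (not from the thread): the same untrusted value handled
// differently for each context it is used in: HTML, a DB query, and a CSV row.
// The username below is constructed sample input, as a user might have typed it.
$username = 'deb "the" <b>coder</b>, Esq.';

// 1. HTML context: text between tags and inside a double-quoted attribute.
//    ENT_QUOTES escapes both ' and " so the result is safe in attributes too;
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<strong>' . escapeHtml($username) . '</strong>' . "\n";
echo '<input name="username" value="' . escapeHtml($username) . '" />' . "\n";

// 2. Database context: never concatenate the value into SQL; bind the RAW
//    value as a parameter. Nothing is HTML-escaped here, so the stored text is
//    exactly what the user typed and must still be escaped when displayed.
//    (Table and column names are hypothetical.)
function storeUsername(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
}

// Connection details are placeholders; replace with your own to run this part.
// $pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4',
//                'db_user', 'db_password',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                 PDO::ATTR_EMULATE_PREPARES => false]);
// storeUsername($pdo, $username);

// 3. CSV context: fputcsv encloses fields containing the delimiter, quotes or
//    whitespace and doubles embedded quotes, so the comma in the username
//    cannot split the row into extra columns.
$out = fopen('php://output', 'w');
fputcsv($out, ['username', 'posts']);
fputcsv($out, [$username, 42]);
fclose($out);
```

Each escaping function is applied at the point of use and only for that use: htmlspecialchars() for HTML, a bound parameter for SQL, fputcsv() for CSV. Running a value through one of them does not make it safe for the others, which is why the stored value stays raw and the HTML escaping happens in the page that renders it.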
doubledee (author), posted March 1, 2012

> That code is only escaping the content for the purposes of the "stickiness" of your form. That has no bearing on how you might use the saved value in other places (as you proposed above).

Yeah, that dawned on me last night...

> As kicken already stated (you know, I use the phrase "as already stated" a LOT with you)

That is why YOU are a "guru" and I am not!!! Being a newbie means that everything you teach me doesn't always stick the first time...

> if the data came from the user you need to treat it as "untrusted" and always escape it based upon the method you are using it in. This includes DB queries, HTML output, etc. Even if you were outputting content to a CSV file you need to properly escape it so that a rogue comma in the data doesn't corrupt the file.
>
> I'll also add that even if you are, currently, restricting usernames to certain characters that wouldn't cause a problem being output to HTML, it is still a good practice to escape it anyway. If you were to decide later that you were too restrictive in your rules for usernames you wouldn't want to hunt through your code to find all the places that it is used in output.

So do you have an approach to sanitizing data for output? Maybe run everything through a sanitizeMe() function before you display things, or do you just hard-code on an as-needed basis?!

Debbie
Psycho, posted March 1, 2012

> As kicken already stated (you know, I use the phrase "as already stated" a LOT with you)
>
> That is why YOU are a "guru" and I am not!!! Being a newbie means that everything you teach me doesn't always stick the first time...

Having a fancy image next to my name does not impart special comprehension skills. And, that's what this is: taking the time to comprehend what was provided. kicken's response was short, concise and was written in plain English, not "code speak" that a "newbie" might get confused by.

> So do you have an approach to sanitizing data for output? Maybe run everything through a sanitizeMe() function before you display things, or do you just hard-code on an as-needed basis?!

Why should I respond to that when, again, kicken has already answered it.

> If the original source of the data is untrusted (i.e., was typed in by a user) then before outputting it in your HTML, yes, you need to escape it using htmlentities or htmlspecialchars (either will work fine).
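For the "sanitizeMe() before you display things" question, the usual answer is a short escape-at-output helper called consistently in the template, which the following added example shows for the user-details-beside-a-comment layout described earlier in the thread. This is not code from the thread; the helper names e() and commentHtml(), the $user array and its values, and the /images/users/ path convention are all constructed for the example.

```php
<?php
// Added example (not from the thread): one small helper, used every time an
// untrusted value is placed into HTML, instead of per-site hard-coded calls.

// Escape for HTML body text and for double- or single-quoted attributes.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Multi-line comments: escape FIRST, then turn newlines into <br />, so the
// <br /> tags we add survive while any tags the user typed are neutralised.
function commentHtml(string $comment): string
{
    return nl2br(e($comment));
}

// Stored values are the raw text the user typed at registration (the sticky
// form escaped only its own redisplay, not what was saved), so they are
// escaped here, at output. Sample data is constructed.
$user = [
    'username' => 'deb<b>dee</b> "the" & co',
    'picture'  => '/images/users/42.png',
    'location' => 'Boston, "MA"',
    'posts'    => 1234,
    'comment'  => "First line <i>not italic</i>\nSecond line & more",
];

// Picture path: allow only a site-relative file under a known directory,
// fall back to a default otherwise, then escape it as an attribute value.
$picture = preg_match('#^/images/users/[A-Za-z0-9_.-]+$#', $user['picture'])
    ? $user['picture']
    : '/images/users/default.png';

// Nested contexts are escaped inside-out: the username goes into a URL
// query string (urlencode), and that URL goes into an HTML attribute (e).
$profileUrl = '/profile.php?u=' . urlencode($user['username']);

echo '<div class="userInfo">' . "\n";
echo '  <a href="' . e($profileUrl) . '" class="username">' . "\n";
echo '    <strong>' . e($user['username']) . '</strong>' . "\n";
echo '  </a>' . "\n";
echo '  <img src="' . e($picture) . '" alt="' . e($user['username']) . '" />' . "\n";
echo '  <span class="location">' . e($user['location']) . '</span>' . "\n";
echo '  <span class="postCount">' . (int) $user['posts'] . ' posts</span>' . "\n";
echo '</div>' . "\n";
echo '<div class="comment">' . commentHtml($user['comment']) . '</div>' . "\n";
```

The helper is deliberately tiny: its only job is HTML escaping with the quote and charset options fixed in one place, so adding it to every output point is cheap and reviewing a template for a missing e() is easy. The numeric post count is cast rather than escaped, and the picture path is validated against an allow-list pattern before it is escaped, because escaping alone does not make an arbitrary path a sensible image source.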