stijn0713 Posted August 30, 2012

I'm reading a little bit on escaping input and output. At a first glance it seems to me that if I'm just taking care that all input from form inputs is safe, I will never risk an XSS attack. So output handling is sort of superfluous then? Does that statement make sense? If not, how could attackers insert bad HTML otherwise in online applications?
requinix Posted August 30, 2012

Both input and output escaping are about making sure that the data doesn't conflict with surrounding syntax or markup:

- SQL injection is when input data mixes with query syntax
- XSS is when output data mixes with HTML markup
- (Email) header injection is when data mixes with email headers

In between input and output (after you've cleaned up the input and before you've outputted it) the data should be exactly what was provided. You should not be escaping stuff until the moment you need to. Example:

    $name = $_POST["name"]; // O"Reilly
    $name = htmlentities(mysql_real_escape_string($name)); // O\&quot;Reilly
    $email = $_POST["email"]; // [email protected]
    $email = htmlentities(mysql_real_escape_string($email)); // [email protected]
    mysql_query("INSERT INTO users (name) VALUES ('{$name}');"); // stored as O&quot;Reilly
    $message = "Thank you for registering on our site, {$name}!"; // Thank you for registering on our site, O\&quot;Reilly!
    echo $message; // Thank you for registering on our site, O\&quot;Reilly!
    mail($email, "Welcome to our site", $message); // the same mangled text goes into the plain-text email

What you should be doing is something along the lines of

    $name = $_POST["name"]; // O"Reilly
    $email = $_POST["email"]; // [email protected]
    mysql_query("INSERT INTO users (name) VALUES ('" . mysql_real_escape_string($name) . "')"); // stored as O"Reilly
    $message = "Thank you for registering on our site, %s!";
    printf($message, htmlentities($name)); // HTML output: Thank you for registering on our site, O&quot;Reilly! (renders as O"Reilly)
    mail($email, "Welcome to our site", sprintf($message, $name)); // plain-text email gets the raw name: O"Reilly
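As an added example (my own code, not requinix's or anything from the thread), the same registration flow written so the data stays raw in the middle and is escaped only at each sink; it assumes PDO with the sqlite driver, a hypothetical `users` table, and a constructed name and placeholder address standing in for `$_POST`:

```php
<?php
// Added example, not from the thread: keep the raw value, escape per output context.
declare(strict_types=1);

// HTML sink: entity-encode at the moment of output, quotes included.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// SQL sink: a bound parameter never mixes with query syntax, so nothing is escaped by hand.
function insertUser(PDO $db, string $name, string $email): void
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

// Email header sink: a CR or LF inside a recipient would start a new header line, so reject it.
function assertHeaderSafe(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('newline in mail header value');
    }
    return $value;
}

// Constructed input standing in for $_POST; the name carries a quote and markup.
$name  = 'O"Reilly <b>not bold</b>';
$email = 'user@example.com';            // placeholder address

$db = new PDO('sqlite::memory:');       // assumption: pdo_sqlite is available
$db->exec('CREATE TABLE users (name TEXT, email TEXT)');
insertUser($db, $name, $email);

// What comes back from the database is exactly what was provided.
$stored = $db->query('SELECT name FROM users')->fetchColumn();
echo ($stored === $name ? 'stored raw' : 'stored mangled'), PHP_EOL;

$message = "Thank you for registering on our site, {$name}!";

// HTML page gets the escaped copy; the plain-text email gets the raw copy.
echo escapeForHtml($message), PHP_EOL;
$to = assertHeaderSafe($email);
// mail($to, 'Welcome to our site', $message);   // left commented so the script runs offline
echo $message, PHP_EOL;
```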
stijn0713 Posted August 30, 2012 (Author)

Ah, I see the point of doing it the moment you need it! As for the sources of abuse, here it comes from the $_POST global, so it's user-provided data through forms? Are there other sources which expose vulnerabilities? Except of course, if one can hack the filesystem or the server, I guess.
requinix Posted August 30, 2012

> Ah, I see the point of doing it the moment you need it! As for the sources of abuse, here it comes from the $_POST global, so it's user-provided data through forms?

Uh... Yes?

> Are there other sources which expose vulnerabilities? Except of course, if one can hack the filesystem or the server, I guess.

POST, GET, some stuff in SERVER, COOKIE, raw posted data, third-party API calls... To name a few. Basically anything you didn't generate yourself.