scootstah Posted February 4, 2015 Share Posted February 4, 2015 Pretty much any time you're outputting dynamic content, it needs to be escaped first. Whether that content comes from your database, an XML feed, an external API, whatever... it needs to be escaped. If you let a user input data into your database, then you need to be escaping it when you display it back onto your website somewhere. If not, then the user could type HTML or Javascript and thus you have an XSS vulnerability. Right now, you're escaping before it gets to your database. Typically this isn't the way to go. It's better to escape as close to output as possible, as that way you are sure that all content, no matter its origin, is safe to display. Quote Link to comment https://forums.phpfreaks.com/topic/294307-password-reset-being-bypassed-why/page/2/#findComment-1504790 Share on other sites More sharing options...
moose-en-a-gant Posted February 4, 2015 Author Share Posted February 4, 2015 It's better to escape as close to output as possible, as that way you are sure that all content, no matter its origin, is safe to display. I'd like to implement that from here on out. Just as a refresher, to do that what would I do? Query the database for the information, pass it through the escape function and then output that? Is that enough or ? XSS is a real acronym? cross-site scripting, hmm nice Quote Link to comment https://forums.phpfreaks.com/topic/294307-password-reset-being-bypassed-why/page/2/#findComment-1504795 Share on other sites More sharing options...
scootstah Posted February 4, 2015 Share Posted February 4, 2015 I'd like to implement that from here on out. Just as a refresher, to do that what would I do? Query the database for the information, pass it through the escape function and then output that? Is that enough or ? XSS is a real acronym? cross-site scripting, hmm nice Yes, if you run your output variables through htmlspecialchars() first you'll be safe. You could also use a templating library such as Twig, which automatically sanitizes output data. XSS stands for cross-site scripting, yes. Cross-site scripting is when a user is able to inject client-side code into your page. Quote Link to comment https://forums.phpfreaks.com/topic/294307-password-reset-being-bypassed-why/page/2/#findComment-1504800 Share on other sites More sharing options...
moose-en-a-gant Posted February 4, 2015 Author Share Posted February 4, 2015 (edited) Alright. Well thank you very much for your help. And the further explanation. Edited February 4, 2015 by moose-en-a-gant Quote Link to comment https://forums.phpfreaks.com/topic/294307-password-reset-being-bypassed-why/page/2/#findComment-1504803 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.