oop question

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: oop question

Post by Christopher »

It's not if, if, if -- you should always do both. Neither is perfect so Defense in Depth is necessary.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: oop question

Post by kaisellgren »

arborint wrote:It's not if, if, if -- you should always do both. Neither is perfect so Defense in Depth is necessary.
You encode both the input and the output data? I think you are trying to say something else :P

Let's say we are outputting in between a DIV tag and the document is encoded as UTF-8.

```php
// Input encoding
$data = htmlspecialchars($_GET['data'], ENT_QUOTES, 'UTF-8');
$db->saveToDb($data);            // $db: the DB wrapper assumed by the post

// later in the script, we do output encoding
$data = htmlspecialchars($db->fetchData(), ENT_QUOTES, 'UTF-8');
echo $data;
```
I'm not sure if I follow the idea of having them both, but this means that if a user supplies

```text
script.php?data=<script>
```
then it appears as

```text
&lt;script&gt;
```
in the output later... sure it's secure, but I don't honestly see the point of double encoding the data as it basically corrupts it...

I made a quick picture:
[picture not reproduced here]
That's in the perspective of a PHP application. The Input Encoding arrow may be a bit confusing... it doesn't mean the client encoded it. :P

There is I/O escaping, but I can't simply imagine any clever reason to have input escaping, so, I only typed Escaping there. If someone comes up with a good reason to use Input Escaping, great.

EDIT: An example of Input Escaping:
Client sends:

```text
name: O'Reilly
```
to PHP, which then saves a file "something.sql" with content

```sql
SELECT email FROM users WHERE name='O\'Reilly'
```
and now three hours later another execution of a PHP script loads the contents of "something.sql" and runs it against the database without escaping (because it was already escaped and escaping again would corrupt it). This is pointless and insecure. So, I didn't include this in the picture.
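The two approaches discussed in the post above, as an added example that is not code from the thread or from any of its posters. It contrasts "encode on input, then encode again on output" with "store the raw bytes, encode once at output", and shows why SQL escaping belongs at the query boundary (bound parameters) rather than in stored data. It assumes PHP with the pdo_sqlite extension; `htmlEncode`, `storeEncodedThenRender`, `storeRawThenRender` and `lookupEmail` are this example's own names.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.4 with pdo_sqlite.
declare(strict_types=1);

// One encoder for the HTML text/attribute context, used everywhere output happens.
function htmlEncode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Approach A: encode at the input boundary, store the encoded form, encode again
// at output. The second pass turns the stored "&lt;" into "&amp;lt;", so the
// browser shows the user's "<" as the literal text "&lt;". The data is corrupted.
function storeEncodedThenRender(string $input): string
{
    $stored = htmlEncode($input);   // "input encoding"
    return htmlEncode($stored);     // normal output encoding
}

// Approach B: store the user's bytes unchanged, encode exactly once when the
// value is written into an HTML document. Round-trips cleanly.
function storeRawThenRender(string $input): string
{
    $stored = $input;
    return htmlEncode($stored);
}

// SQL: the quote in "O'Reilly" is carried as data by a bound parameter. Nothing
// escaped is ever stored, so a later query does not need to know the history.
function lookupEmail(PDO $db, string $name)
{
    $stmt = $db->prepare('SELECT email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchColumn();    // false when no row matches
}

$input = '<script>alert(1)</script>';   // constructed sample input
echo "double-encoded: ", storeEncodedThenRender($input), "\n";
echo "encoded once:   ", storeRawThenRender($input), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
$insert->execute([':name' => "O'Reilly", ':email' => 'tim@example.com']);

// Raw name matches; a name that was "pre-escaped" on input does not, which is
// the corruption the post describes, seen from the database side.
var_dump(lookupEmail($db, "O'Reilly"));
var_dump(lookupEmail($db, "O\\'Reilly"));
```

Run it with `php example.php`. The double-encoded line contains `&amp;lt;`, which a browser renders as the visible characters `&lt;script&gt;`; the encoded-once line contains `&lt;`, which renders as `<script>alert(1)</script>` as inert text, which is what the user typed. The second lookup returns `false` because the stored value never contained a backslash.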
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Re: oop question

Post by Jenk »

In reply to kaisellgren's reply.. no, that's not what I meant.

If the client has/wants a WYSIWYG editor, and wants it for use in, for example, a CMS then I will only escape for the DB. They will want their HTML to render as HTML after all.

If they do not want HTML allowed, then I shall ask if they want it stripped or encoded (special chars).
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: oop question

Post by kaisellgren »

Jenk wrote:In reply to kaisellgren's reply.. no, that's not what I meant.

If the client has/wants a WYSIWYG editor, and wants it for use in, for example, a CMS then I will only escape for the DB. They will want their HTML to render as HTML after all.

If they do not want HTML allowed, then I shall ask if they want it stripped or encoded (special chars).
Ah, ok. That makes sense. Just make sure a random person won't be able to put HTML without filtering :)
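The three ways of handling a field that Jenk lists (render the HTML, strip it, or encode it), as an added example that is not from the thread or its posters. `renderField` and the policy names are this example's own; the final lines show the check kaisellgren asks for, namely why `strip_tags()` with an allow-list is not enough to let untrusted users submit "some" HTML.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.4.
declare(strict_types=1);

// Render a stored (raw, unescaped) field under one of three policies.
function renderField(string $stored, string $policy): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    switch ($policy) {
        case 'html':
            // The WYSIWYG/CMS case: only safe when the author is trusted,
            // because whatever they saved is emitted as markup.
            return $stored;
        case 'strip':
            // No HTML wanted: drop tags, then encode whatever text remains.
            return htmlspecialchars(strip_tags($stored), $flags, 'UTF-8');
        case 'encode':
            // No HTML wanted: show the markup itself as literal text.
            return htmlspecialchars($stored, $flags, 'UTF-8');
        default:
            throw new InvalidArgumentException("unknown policy: $policy");
    }
}

// Constructed sample of what an untrusted user might submit.
$untrusted = '<b onmouseover="alert(1)">hi</b><script>alert(2)</script>';

foreach (['html', 'strip', 'encode'] as $policy) {
    printf("%-7s %s\n", $policy, renderField($untrusted, $policy));
}

// Caveat (documented PHP behaviour): strip_tags() never touches attributes on
// the tags it is told to allow, so an allow-list of "<b>" still passes the
// onmouseover handler through. Allowing a subset of HTML from untrusted
// users needs a real HTML sanitizer, not strip_tags().
echo "allow <b>: ", strip_tags($untrusted, '<b>'), "\n";
```

Run it with `php example.php`. The `html` line is the untouched markup, `strip` and `encode` each yield something a browser shows as plain text, and the last line still contains `onmouseover="alert(1)"`, which is the gap a "random person" would exploit if the `html` policy were applied to their input.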