
Re: oop question

Posted: Fri Jun 26, 2009 2:49 pm
by Christopher
It's not if, if, if -- you should always do both. Neither is perfect so Defense in Depth is necessary.

Re: oop question

Posted: Fri Jun 26, 2009 3:16 pm
by kaisellgren
arborint wrote:
It's not if, if, if -- you should always do both. Neither is perfect so Defense in Depth is necessary.
You encode both the input and the output data? I think you are trying to say something else :P

Let's say we are outputting between DIV tags and the document is encoded as UTF-8.

Code:

    // Input encoding
    $data = htmlspecialchars($_GET['data'], ENT_QUOTES, 'UTF-8');
    $db->saveToDb($data);

    // later in the script, we do output encoding (the already-encoded stored value is encoded a second time)
    $data = htmlspecialchars($db->fetchData(), ENT_QUOTES, 'UTF-8');
    echo $data;
I'm not sure I follow the idea of having both, but this means that if a user supplies

Code:

    script.php?data=<script>
then it appears as

Code:

    &lt;script&gt;

in the output later... sure, it's secure, but I honestly don't see the point of double-encoding the data, as it basically corrupts it...

I made a quick picture:
[picture attachment not reproduced]
That's from the perspective of a PHP application. The Input Encoding arrow may be a bit confusing... it doesn't mean the client encoded it. :P

There is I/O escaping, but I simply can't imagine any clever reason to have input escaping, so I only typed Escaping there. If someone comes up with a good reason to use Input Escaping, great.

EDIT: An example of Input Escaping:
Client sends:

Code:

    name: O'Reilly
to PHP, which then saves a file "something.sql" with content

Code:

    SELECT email FROM users WHERE name='O\'Reilly'

and now, three hours later, another execution of a PHP script loads the contents of "something.sql" and runs it against the database without escaping (because it was already escaped, and escaping again would corrupt it). This is pointless and insecure. So I didn't include this in the picture.
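The two points made in the post above (double encoding corrupts data, and "pre-escaping" a value for SQL leaves a string that every later consumer must remember is already escaped) can be seen in one runnable script. This is an added example, not code from the thread; it assumes PHP with the pdo_sqlite extension, uses an in-memory SQLite database so it runs offline, and the table names, the sample request and the e-mail address are all invented for illustration.

```php
<?php
// Added example (not from the thread above): the same request handled with
// "input encoding" versus with a single context-specific escape at output.
// Uses only PHP's standard library plus PDO with an in-memory SQLite database;
// the table names, the sample request and the e-mail address are invented.
declare(strict_types=1);

// Constructed stand-in for $_GET, e.g. script.php?data=<script>...&name=O'Reilly
$request = ['data' => '<script>alert(1)</script>', 'name' => "O'Reilly"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (body TEXT)');
$db->exec('CREATE TABLE users (name TEXT, email TEXT)');
$db->prepare('INSERT INTO users (name, email) VALUES (?, ?)')
   ->execute(["O'Reilly", 'tim@example.invalid']);

// Output encoding for text placed inside an HTML element, such as between <div> tags.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// A bound parameter lets the driver handle quoting; the stored bytes are exactly
// what was passed in, so no "is this already escaped?" bookkeeping is needed later.
function insertComment(PDO $db, string $body): void
{
    $db->prepare('INSERT INTO comments (body) VALUES (?)')->execute([$body]);
}

function lastComment(PDO $db): string
{
    return (string) $db->query('SELECT body FROM comments ORDER BY rowid DESC LIMIT 1')->fetchColumn();
}

// Variant A: encode on input, store the encoded form, encode again on output.
// The second pass turns the entities from the first pass into text, so the
// browser shows entity names instead of the original characters. Safe, but corrupted.
insertComment($db, h($request['data']));
echo 'A (encode in and out): ', h(lastComment($db)), PHP_EOL;

// Variant B: store the raw value, escape once at output for the HTML context.
// The browser displays the tag as text and nothing executes.
insertComment($db, $request['data']);
echo 'B (store raw, encode out): ', h(lastComment($db)), PHP_EOL;

// Because the stored value is raw, other output contexts can apply their own rule.
echo 'B as a JSON string: ',
     json_encode(lastComment($db), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT),
     PHP_EOL;

// The O'Reilly case: a bound parameter needs no escaping and matches the stored row,
// whereas a value pre-escaped on input ("O\'Reilly") is a different string and does not.
$stmt = $db->prepare('SELECT email FROM users WHERE name = ?');
foreach ([$request['name'], "O\\'Reilly"] as $lookup) {
    $stmt->execute([$lookup]);
    echo 'lookup ', $lookup, ' => ', var_export($stmt->fetchColumn(), true), PHP_EOL;
}
```

Run it with `php example.php`. Variant A prints the doubly-encoded string and variant B the singly-encoded one; the final loop returns the e-mail for `O'Reilly` and `false` for the pre-escaped spelling. Validating input (type, length, allowed characters) is a separate step from encoding and does not replace escaping at the point of output.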

Re: oop question

Posted: Fri Jun 26, 2009 3:49 pm
by Jenk
In reply to kaisellgren's reply... no, that's not what I meant.

If the client has/wants a WYSIWYG editor, and wants it for use in, for example, a CMS, then I will only escape for the DB. They will want their HTML to render as HTML, after all.

If they do not want HTML allowed, then I shall ask if they want it stripped or encoded (special chars).

Re: oop question

Posted: Fri Jun 26, 2009 3:51 pm
by kaisellgren
Jenk wrote:
In reply to kaisellgren's reply... no, that's not what I meant.

If the client has/wants a WYSIWYG editor, and wants it for use in, for example, a CMS, then I will only escape for the DB. They will want their HTML to render as HTML, after all.

If they do not want HTML allowed, then I shall ask if they want it stripped or encoded (special chars).
Ah, ok. That makes sense. Just make sure a random person won't be able to put HTML without filtering :)