Security Resources

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Security Resources

Post by Mordred »

Christopher wrote:For example, do you recommend using mb_convert_encoding() to convert everything to UTF8?
Oh yes, for <5.4.0 surely. Did you know about this?

You should use a wrapper function anyway, who wants to type so much code every time? Inside, something like:


function HtmlEscape($s) {
    // Drop (rather than replace with '?') any byte sequence that is not valid UTF-8
    mb_substitute_character("none");
    $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    // Escape for HTML; the charset name must be 'UTF-8'
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
Christopher
Site Administrator
Posts: 13592
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Security Resources

Post by Christopher »

Mordred wrote:
Christopher wrote:For example, do you recommend using mb_convert_encoding() to convert everything to UTF8?
Oh yes, for <5.4.0 surely. Did you know about this?
Excellent information!

Can you explain what is going on in these two lines?


mb_substitute_character("none");
$s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Security Resources

Post by Mordred »

"Convert the string from utf-8 to utf-8 making sure you remove any character sequences that are not valid for utf-8"
I must add that this must be accompanied by strict enforcement of utf-8 encoding to the client to avoid legitimate clients sending you their weird Elbonian encoding and getting their data mangled. This is not related to security, just to the proper functioning of the site. An attacker will not send you well-formed utf-8 because he's a nice guy, that's why you don't trust him to, and that's why you force clean his input.
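The wrapper from Mordred's first post and the point above about force-cleaning input while telling the client to send UTF-8, worked through as an added example; this is not Mordred's code and not the forum's. It assumes the mbstring extension is loaded; the function names html_escape_clean and html_escape_strict, and the sample inputs, are constructed for this illustration. It also adds the stricter "reject instead of repair" variant a reviewer would want for fields where silently dropped bytes could change meaning.

```php
<?php
// Added example (not Mordred's or the forum's code): strip malformed UTF-8
// before HTML-escaping, offer a strict "reject" variant, and send the header
// that tells clients to use UTF-8 in the first place.

/**
 * Remove byte sequences that are not valid UTF-8, then escape for HTML.
 * Invalid sequences are dropped rather than replaced with '?', so the output
 * is always well-formed UTF-8 and htmlspecialchars() never bails out on it.
 */
function html_escape_clean($s) {
    // mb_substitute_character() is process-global state; save and restore it
    // so this wrapper does not silently change behaviour elsewhere.
    $previous = mb_substitute_character();
    mb_substitute_character('none');
    $clean = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    mb_substitute_character($previous);

    // ENT_SUBSTITUTE (PHP >= 5.4) is a second line of defence: anything still
    // invalid becomes U+FFFD instead of turning the whole result into "".
    $flags = ENT_QUOTES | (defined('ENT_SUBSTITUTE') ? ENT_SUBSTITUTE : 0);
    return htmlspecialchars($clean, $flags, 'UTF-8');
}

/**
 * Stricter alternative: refuse malformed input instead of repairing it.
 * Prefer this for values where dropped bytes could change meaning
 * (user names, file names, anything compared against a whitelist).
 */
function html_escape_strict($s) {
    if (!mb_check_encoding($s, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Enforce UTF-8 toward the client so legitimate browsers do not submit some
// other encoding that the cleaner would then mangle. header() must run
// before any output; it is skipped when this file is run from the CLI.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=utf-8');
}

// Constructed sample inputs (not real user data):
$samples = array(
    'plain'    => 'Tom & "Jerry" <b>',
    'valid'    => "caf\xC3\xA9",       // "café" as proper UTF-8
    'invalid'  => "caf\xC3<script>",   // lead byte with no continuation, then a tag
    'overlong' => "\xC0\xAF<img>",     // overlong encoding of '/', never valid UTF-8
);

foreach ($samples as $label => $input) {
    echo $label, ': ', html_escape_clean($input), "\n";
}

// The strict variant throws on the same malformed input instead of cleaning it.
try {
    html_escape_strict("caf\xC3<script>");
} catch (InvalidArgumentException $e) {
    echo 'strict: rejected (', $e->getMessage(), ")\n";
}
```

The 'invalid' and 'overlong' samples exercise the path where malformed bytes are discarded while the HTML metacharacters that follow them are still escaped; the strict variant shows the alternative policy of refusing such input outright, which is the safer default wherever the value will be compared, stored as an identifier, or logged.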
ragax
Forum Commoner
Posts: 85
Joined: Thu Dec 15, 2011 1:40 pm
Location: Nelson, NZ

Re: Security Resources

Post by ragax »

Chris Shiflett's Security Workbook
Excellent PDF covering security in PHP.
Is anyone aware of another good book on the topic? Yes Chris's book is excellent, but I've been wondering if there have been new developments since it came out in 2005, and I've been feeling hungry for more as I get back in the saddle to tackle new projects.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: Security Resources

Post by Maugrim_The_Reaper »

munkitkat
Forum Newbie
Posts: 6
Joined: Thu Mar 10, 2016 6:22 am

Re: Security Resources

Post by munkitkat »

This is an excellent source for PHP security. I'm impressed.