Am I right?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

claws
Forum Commoner
Posts: 73
Joined: Tue Jun 19, 2007 10:54 am

Am I right?

Post by claws »

I'm "Great"
Let's say the above is the string which is to be stored in a variable.
Then the 2 ways to store it in a variable are:

$str1 = "I'm \"Great\"";

$str2 = 'I\'m "Great"';

In either case I have to escape the string to store it in a variable (except with heredoc).

Submitting the form is nothing more than assigning some strings to POST or GET variables,
but this assigning is done by PHP automatically.

Anyway, to assign them it has 2 ways:

just escape all quotes
or
use heredoc.

1. If the magic_quotes_gpc directive is ON, it uses the escaping method, otherwise the heredoc method. Am I right?


From the PHP manual (magic_quotes_gpc):
Warning: This feature is DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.


2. Why is it that "relying on magic_quotes is highly discouraged"???

I am using a RICH TEXT EDITOR (which has a direct option for them to enter HTML also) in my website.
I don't want them to use tags like input, object, script, embed, iframe, applet.

Now how can I avoid XSS?

i. I can't use htmlentities() or htmlspecialchars() or strip_tags().
ii. I have to use regular expressions to delete these tags along with their content. Any suggestions from a security point of view?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

claws wrote: 1. If the magic_quotes_gpc directive is ON, it uses the escaping method, otherwise the heredoc method. Am I right?
You're not. You need to escape data for variables only when it's written directly in the source code. Otherwise (data from files, get, post, database, etc.) you need not. You still need to escape the data that goes to the database, but that's another topic.

claws wrote: 2. Why is it that "relying on magic_quotes is highly discouraged"???
Because it's unreliable and can be turned on or off by the system administrator. Besides, it escapes data with addslashes, which is inappropriate for some databases (yes, mysql included), and it does not take into account multibyte character sets (it does not know anything about character sets at all). So either you write code that has appropriate checks for magic_quotes status everywhere (which is a mess) and abandon the idea of creating internationalized applications, or you write code that is able to work only in some particular setup. In practice, most programmers have chosen to 'undo' magic quotes if it's turned on, so there's no point in keeping it at all.

claws wrote: I am using a RICH TEXT EDITOR [...] Now how can I avoid XSS?
Use HTMLPurifier.
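The three points of this reply, put into one script as an added example (not code from either poster): the POST value already equals the escaped literal, the "undo magic quotes" idiom for hosts where the directive is on, HTMLPurifier with the tags claws listed forbidden, and a prepared statement in place of escaping for the database (that substitution, the PDO credentials and the HTMLPurifier include path are assumptions).

```php
<?php
// Added example; assumes PHP 5.x with PDO and HTMLPurifier installed
// under ./library/ (the path, DSN and credentials are placeholders).

// 1. Escaping belongs only to string literals in source. A value arriving in
//    $_POST is already the raw string; escaping it again would corrupt it.
$literal = "I'm \"Great\"";                    // escaped because it lives in source
$_POST['name'] = 'I\'m "Great"';                // constructed: what a form submit yields with magic_quotes_gpc=Off
$_POST['body'] = '<p>hi</p><script>alert(1)</script>';  // constructed rich-text input
var_dump($literal === $_POST['name']);          // bool(true): same bytes, nothing to escape

// 2. The "undo magic quotes" idiom: when the directive is on, PHP has applied
//    addslashes() to every GPC value, so strip it back, recursing into arrays.
//    Only relevant on PHP versions where get_magic_quotes_gpc() still exists.
function undo_magic_quotes($value) {
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// 3. Rich-text HTML: whitelist with HTMLPurifier instead of regex-deleting tags.
//    The elements claws listed are outside the default whitelist already;
//    naming them in ForbiddenElements records the requirement explicitly.
require_once 'library/HTMLPurifier.auto.php';   // path is an assumption
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.ForbiddenElements', 'input,object,script,embed,iframe,applet');
$purifier  = new HTMLPurifier($config);
$safe_html = $purifier->purify($_POST['body']);  // <p>hi</p>; the script element is gone

// 4. Data going to the database: a prepared statement hands the value to the
//    driver separately from the SQL text, so no addslashes() and no charset
//    guessing. (Substituted here for the "escape for the database" step.)
$pdo  = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'user', 'pass');
$stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute(array(':author' => $_POST['name'], ':body' => $safe_html));
```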