escaping output

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

escaping output

Post by ibolui »

Hi, I just read that for security purposes I should escape my $output before echoing the values, and that the method is to use htmlentities.

However, what if the $output is HTML text, for example $output = "A 'quote' is <b>bold</b>";
and I wish to retain the <b> instead of it becoming &lt;b&gt;?
What should I do?

If I am to echo ANY unescaped output to a Flash app frontend, will there be security issues?
andyhoneycutt
Forum Contributor
Posts: 468
Joined: Wed Aug 27, 2008 10:02 am
Location: Idaho Falls

Re: escaping output

Post by andyhoneycutt »

Typically, I think, you'll want to secure data that will be used from input, not output. As far as making sure things are good on the flash-app when it receives data, you'll want to run security measures on that end, not necessarily relying on the output method to secure your data.

-Andy
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: escaping output

Post by Mordred »

You should escape only values, not constants + values:

Code:

// escape the untrusted value once, then drop it into the constant markup
$bold = htmlspecialchars($bold, ENT_QUOTES, 'utf8');
$output = "blah <b> $bold</b>";
echo $output;

instead of something like

Code:

// this also escapes the constant <b>, so the tag is shown as literal text
$output = "blah <b> $bold</b>";
echo htmlspecialchars($output, ENT_QUOTES, 'utf8');
ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

Re: escaping output

Post by ibolui »

But from a user input of a huge chunk of text, how do I differentiate between constants and values?
Cut
Forum Commoner
Posts: 39
Joined: Sat Aug 23, 2008 8:01 pm

Re: escaping output

Post by Cut »

Use htmLawed to escape only certain tags: http://www.bioinformatics.org/phplabwar ... /index.php

Read the documentation fully.
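The following is an added example, not code posted in this thread, that puts Mordred's "escape values, not constants" rule and ibolui's "user text with a few allowed tags" question side by side. The helper names esc, render and escAllowingTags, the {name} placeholder syntax, and the sample input are my own; only htmlspecialchars and the htmLawed recommendation come from the thread. The third helper is a deliberately tiny whitelist (exact tags with no attributes) and is not a substitute for a real sanitizer such as htmLawed when arbitrary user HTML must be accepted.

```php
<?php
// Added example, not code from the thread. Helpers that follow Mordred's
// rule: escape only the untrusted values, never the constant markup.

// Escape one untrusted value for insertion into HTML text or an attribute.
function esc(string $value): string
{
    // ENT_QUOTES escapes both ' and ", so the value is safe inside an
    // attribute quoted either way; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string for the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a constant template with escaped values substituted into it.
// Placeholders look like {name} (hypothetical syntax); the template itself is
// trusted code written by the programmer, so it is never escaped.
function render(string $template, array $values): string
{
    return preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($values): string {
        return esc($values[$m[1]] ?? '');
    }, $template);
}

// For user-supplied text in which a tiny fixed set of attribute-less tags
// should survive: escape everything, then restore only those exact tags.
// Because the tags are matched as exact literals after escaping, a tag that
// carries any attribute cannot get through. For richer HTML use a
// whitelist-based sanitizer such as htmLawed instead.
function escAllowingTags(string $text, array $allowed = ['b', 'i', 'em', 'strong']): string
{
    $escaped = esc($text);
    foreach ($allowed as $tag) {
        $escaped = str_replace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $escaped
        );
    }
    return $escaped;
}

// Constructed sample input: what a user might type into a text field.
$bold = "A 'quote' is <b>bold</b> and <b title=\"attr\">this</b> has an attribute";

// Right: the constant <b></b> stays markup, the user's value is inert text.
echo render("blah <b>{v}</b>\n", ['v' => $bold]);

// Wrong (the second snippet in Mordred's post): escaping the finished string
// also turns the constant <b> into &lt;b&gt;, so the page shows literal tags.
echo esc("blah <b>$bold</b>") . "\n";

// ibolui's case: plain <b>bold</b> survives, the tag with an attribute does not.
echo escAllowingTags($bold) . "\n";
```

The point of render() is that the programmer always knows which parts are values, because only values travel through esc(); the markup around the placeholders is never touched. escAllowingTags() only answers the narrow question of letting a handful of fixed tags through; anything involving attributes, nesting rules or links belongs to a proper sanitizer.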
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: escaping output

Post by Mordred »

@ibolui: You know what "values" are, because you, the programmer, put them there!
See my previous example: $bold is a "value".