I came across an approach to encode just the following 4 characters in the POST parameter's value: # ; & +. What problems can it cause, if any?

Personally I dislike such hacks. The reason why I'm asking about this one is that I have an argument with its inventor.

Update. To clarify, this question is about encoding parameters in the POST body and not about escaping POST parameters on the server side, e.g. before feeding them into a shell, database, HTML page or whatever.

A: 

Escaping metacharacters is usually (always?) done to prevent injection attacks. Different systems have different metacharacters, so each needs its own way of preventing injections. Different systems have different ways of escaping characters. Some systems don't need to escape characters, since they have different channels for control and data (e.g. prepared statements). Additionally, the filtering is usually best performed when the data is introduced to a system.

The biggest problem is that escaping only those four characters won't provide complete protection. SQL, HTML and shell injection attacks are still possible after filtering the four characters you mention.

outis
IMHO URL encoding cannot provide any protection against SQL, HTML or shell injection attacks. If I'm wrong, please instantiate your assertion. AFAIK escaping metacharacters in a URL or POST body has only one purpose, i.e. to make a correct CGI request.
codeholic
Which assertion? I'm not asserting that a certain approach will work, merely that the approach you describe won't work. As far as I can tell, we're in agreement.
outis
If URL encoding cannot protect against injections in principle, then your assertion, that incorrect URL encoding doesn't protect against injections, is irrelevant. Various injections are just a different topic.
codeholic
outis
We don't disagree. What you say is rational. I just don't understand how your answer is relevant to my question.
codeholic
A: 

Consider this: $sql = "DELETE * from articles WHERE id='" . $_POST['id'] . "'";
And you enter in the form: 1' OR '10
It then becomes this: $sql = "DELETE * from articles WHERE id='1' OR '10'";

DCC
This is the problem of your PHP code and not the problem of URL encoding under question.
codeholic
"What problems can it cause, if any?" This is one example of a problem when not escaping properly; the man asked for arguments, and I think this falls under that category, don't you?
DCC
A: 

From rfc1738 (if you're using application/x-www-form-urlencoded encoding to transfer data):

Unsafe:

Characters can be unsafe for a number of reasons. The space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs. The characters "<" and ">" are unsafe because they are used as the delimiters around URLs in free text; the quote mark (""") is used to delimit URLs in some systems. The character "#" is unsafe and should always be encoded because it is used in World Wide Web and in other systems to delimit a URL from a fragment/anchor identifier that might follow it. The character "%" is unsafe because it is used for encodings of other characters. Other characters are unsafe because gateways and other transport agents are known to sometimes modify such characters. These characters are "{", "}", "|", "\", "^", "~", "[", "]", and "`".

All unsafe characters must always be encoded within a URL. For example, the character "#" must be encoded within URLs even in systems that do not normally deal with fragment or anchor identifiers, so that if the URL is copied into another system that does use them, it will not be necessary to change the URL encoding.

Ivan Nevostruev
That's it! He didn't encode %! Eat that! Never ever reinvent the bicycle (if you're not an expert) :)
codeholic
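As an added illustration (not code from any answer on this page), the four-character scheme from the question beside Python's standard application/x-www-form-urlencoded encoding, using a sample value constructed here; it shows the point of Ivan's answer that leaving "%" raw changes the value the server receives:

```python
import urllib.parse

# The ad-hoc scheme from the question: percent-encode only '#', ';', '&', '+'
# and send every other character raw.
PARTIAL_TABLE = {"#": "%23", ";": "%3B", "&": "%26", "+": "%2B"}


def partial_encode(value: str) -> str:
    """Encode a string the way the disputed scheme does (only four characters)."""
    return "".join(PARTIAL_TABLE.get(ch, ch) for ch in value)


def full_encode(value: str) -> str:
    """Standard form encoding: every unsafe character, '%' included, is escaped."""
    return urllib.parse.quote_plus(value)


def build_body(fields: dict, encode) -> str:
    """Serialise a field dict into a POST body using the given per-string encoder."""
    return "&".join(f"{encode(k)}={encode(v)}" for k, v in fields.items())


def server_parse(body: str) -> dict:
    """Decode the body the way a typical server-side form parser does."""
    parsed = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def round_trips(fields: dict, encode) -> bool:
    """True if what the server sees equals what the client meant to send."""
    return server_parse(build_body(fields, encode)) == fields


# Constructed sample: a 'next' parameter whose value is itself a URL that already
# contains a percent-encoded '&'. The scheme in the question leaves '%' raw, so
# the server decodes '%26' a second time and the stored value silently changes.
SAMPLE = {"next": "https://example.test/?q=a%26b"}


def compare(fields: dict = SAMPLE) -> dict:
    """Bodies produced by both schemes and whether each survives the round trip."""
    return {
        "partial_body": build_body(fields, partial_encode),
        "partial_ok": round_trips(fields, partial_encode),
        "full_body": build_body(fields, full_encode),
        "full_ok": round_trips(fields, full_encode),
    }


if __name__ == "__main__":
    for name, val in compare().items():
        print(f"{name}: {val}")
```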