tags:

views:

34

answers:

3
+2  Q: 

Does using the converting input from HTML forms into htmlentities protect attacks invoving JavaScript insertion?

Hi everyone,

I was wondering if converting POST input from an HTML form into html entities, (via the PHP function htmlentities() or using the FILTER_SANITIZE_SPECIAL_CHARS constant in tandem with the filter_input() PHP function ), will help defend against any attacks where a user attempts to insert any JavaScript code inside the form field or if there's any other PHP based function or tactic I should employ to create a safe HTML form experience?

Sorry for the loaded run-on sentence question but that's the best I could word it in a hurry.

Any responses would be greatly appreciated and thanks to all in advance.

racl101

+2  A: 

It would turn the following:

<script>alert("Muhahaha");</script>

into

&lt;script&gt;alert("Muhahaha");&lt;/script&gt;

So if you're printing out this data into HTML later, you would be protected. It wouldn't protect you from:

"; alert("Muhahaha");

just in case you were echoing into a script like so:

var t = "Hello there <?php echo $str;?>";

For this purpose, you should use addslashes() and a database string escaping method like mysql_real_escape_string().

Andy E  2010-04-13 23:07:00
Thanks for your examples. They were very helpful.
 2010-04-21 20:41:24
A: 

yes, that is one way to sanitise. it has the benefit that you can always display the database contents without fear of xss attacks. however, a 'purer' approach is to store the raw data in the database and sanitise in the view - so every time you want to show the text, use htmlentities() on it.

however, your approach does not take into account sql injection attacks. you might want to look at http://php.net/manual/en/function.mysql-real-escape-string.php to guard against that.

oedo  2010-04-13 23:09:18
A: 

Yes, do this when you want to display data to a webpage, but I recommend you don't store the HTML in the database as encoded, this may seem fine for large text fields, but when you have shorter titles, say a 32 character, a normal 30 character string that contains an & would become & and this would either cause a SQL error or the data to be cut off.

So the rule of thumb is, store everything row (obviously prevent SQL injection) and treat EVERYTHING as tainted, no matter where it comes from: the database, user forms, rss feeds, flat files, XML, etc. This is how you build good security without worrying about the data overflowing, or the fact you might oneday need to extract the data to a non web user where the HTML encoding is a problem.

TravisO  2010-04-14 00:43:23

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases