In PHP, I know that using parameterized queries is the best way to prevent SQL injection.
But what about sanitizing user input that will be used for other purposes, such as:
- Displaying back to a user (potential cross-site scripting vector)
- Addressing an email or filling in the message body
Is htmlentities() the best way to sanitize for non-database usage? What is considered to be best practice here?
In PHP the best XSS filter is:

    htmlspecialchars($var, ENT_QUOTES);

The reason why you also have to encode quotes is because you don't need <> to exploit some XSS. For instance this is vulnerable to XSS:

The ENT_QUOTES takes care of the double quotes.

HOWEVER, PHP's mail() function can succumb to a different type of vulnerability, it's called CRLF injection. Here is an example vulnerability against PHP-Nuke. If you have a function call like this:
    mail($fmail, $subject, $message, $header);

Then you must make sure that a user cannot inject \r\n into $header.
    $header = "From: \"$_GET[name]\" <$ymail>\nX-Mailer: PHP";
    // Strip CR and LF before the value reaches the header (str_replace needs the empty replacement argument).
    $_GET[name] = str_replace(array("\r", "\n"), '', $_GET[name]);
    $header = "From: \"$_GET[name]\" <$ymail>\nX-Mailer: PHP";
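As an added example (not code from the answer above), the two points it makes side by side: how the same quote-bearing value encodes with and without ENT_QUOTES, and how a From: name is checked and stripped of CR/LF before it is built into a mail() header. The sender address and both test inputs are constructed values.

```php
<?php
// Added example, not code from the original answer. Demonstrates ENT_QUOTES
// for values placed inside HTML attributes, and CR/LF handling before a
// user-supplied value goes into a mail() header. All inputs are constructed.

// Encode for an HTML attribute or text node. ENT_QUOTES turns " into &quot;
// so the value cannot close the attribute it is placed in.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Strip CR, LF and NUL so a header value can never start a new header line.
function header_value(string $value): string
{
    return str_replace(["\r", "\n", "\0"], '', $value);
}

// Stricter alternative: detect instead of silently stripping, so it can be logged.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Constructed input carrying a double quote that would end an attribute early.
$name = '" title="injected';
echo "ENT_NOQUOTES: ", htmlspecialchars($name, ENT_NOQUOTES, 'UTF-8'), "\n";
echo "ENT_QUOTES:   ", html_attr($name), "\n";
echo '<span title="', html_attr($name), '">', html_attr($name), "</span>\n";

// Constructed mail input with an embedded line break in the display name.
$fromName = "Alice\r\nBcc: everyone@example.com";
$ymail    = 'noreply@example.com';   // assumed fixed sender address

if (!is_single_line($fromName)) {
    error_log('rejected From name containing a line break: ' . bin2hex($fromName));
}

// The answer's approach: strip the line breaks, then build the header.
$header = 'From: "' . header_value($fromName) . '" <' . $ymail . ">\r\n"
        . 'X-Mailer: PHP';
echo $header, "\n";
```

Since PHP 8.1 htmlspecialchars() already defaults to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but passing the flags explicitly keeps the behaviour the same on older versions.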
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki