In PHP, I know that using parameterized queries is the best way to prevent SQL injection.

But what about sanitizing user input that will be used for other purposes, such as:

  • Displaying back to a user (potential cross-site scripting vector)
  • Addressing an email or filling in the message body

Is htmlentities() the best way to sanitize for non-database usage? What is considered to be best practice here?

Accepted Answer

In PHP the best XSS filter is:

htmlspecialchars($_POST['param'],ENT_QUOTES);

The reason why you also have to encode quotes is because you don't need <> to exploit some XSS. For instance, this is vulnerable to XSS:

print('<A HREF="http://www.xssed.com/'.htmlspecialchars($_REQUEST['xss']).'">link</a>');

You don't need <> to execute JavaScript in this case because you can use onmouseover. Here is an example attack:

$_REQUEST['xss'] = '" onMouseOver="alert(/xss/)"';

The ENT_QUOTES takes care of the double quotes.

E-mail is a bit different: JavaScript shouldn't be executed by the mail client, and if it is then your site isn't affected due to the Same Origin Policy. But to be on the safe side I would still use htmlspecialchars($var,ENT_QUOTES);. HOWEVER, PHP's mail() function can succumb to a different type of vulnerability; it's called CRLF injection. Here is an example vulnerability against PHP-Nuke. If you have a function call like this: mail($fmail, $subject, $message, $header); then you must make sure that a user cannot inject \r\n into $header.

Vulnerable code:

$header="From: \"$_GET[name]\" <$ymail>\nX-Mailer: PHP";

patched:

$_GET['name'] = str_replace(array("\r", "\n"), '', $_GET['name']);
$header="From: \"$_GET[name]\" <$ymail>\nX-Mailer: PHP";
Written by Rook
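The following is an added example, not code from the question or the accepted answer. It puts the answer's two points side by side in runnable PHP: how the htmlspecialchars() quote flags behave when the escaped value lands inside a double-quoted and a single-quoted attribute (ENT_COMPAT, the default before PHP 8.1, encodes only double quotes; ENT_QUOTES encodes both), and a From: header builder that rejects CR/LF instead of silently stripping it. The function names, the payload strings and the sample addresses are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. Function names,
// payloads and addresses below are constructed for illustration.

// Attribute-safe escaping for output back to the user. ENT_QUOTES encodes
// both " and '; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string (the silent failure mode of htmlspecialchars()).
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the answer's link with a chosen flag set and attribute quote style,
// so the same payload can be compared across ENT_NOQUOTES/ENT_COMPAT/ENT_QUOTES.
function render_link(string $param, int $flags, string $quote = '"'): string
{
    return '<a href=' . $quote . 'http://www.xssed.com/'
        . htmlspecialchars($param, $flags, 'UTF-8')
        . $quote . '>link</a>';
}

// True when the payload's quote survived escaping, i.e. the text that follows
// it (" onMouseOver=...") became a real attribute instead of attribute text.
function attribute_broken(string $html, string $quote): bool
{
    return strpos($html, $quote . ' on') !== false;
}

// Build the From: header for mail(). Rather than stripping CR/LF, refuse the
// name outright: a display name containing a line break is never legitimate,
// and rejecting makes the attempt visible in logs instead of hiding it.
// The name is emitted as an RFC 5322 quoted-string with \ and " escaped.
function from_header(string $name, string $address): string
{
    if (preg_match('/[\r\n\0]/', $name) === 1) {
        throw new InvalidArgumentException('CR/LF or NUL in display name');
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    $quoted = '"' . addcslashes($name, "\\\"") . '"';
    return "From: $quoted <$address>\r\nX-Mailer: PHP";
}

// --- demonstration -------------------------------------------------------

$payloadDq = '" onMouseOver="alert(/xss/)"';   // constructed: the answer's payload
$payloadSq = "' onMouseOver='alert(/xss/)";    // constructed: single-quote variant

$flagSets = [
    'ENT_NOQUOTES' => ENT_NOQUOTES,
    'ENT_COMPAT'   => ENT_COMPAT,
    'ENT_QUOTES'   => ENT_QUOTES,
];
foreach ($flagSets as $label => $flags) {
    $dq = render_link($payloadDq, $flags, '"');
    $sq = render_link($payloadSq, $flags, "'");
    printf("%-12s double-quoted attr broken: %-3s single-quoted attr broken: %s\n",
        $label,
        attribute_broken($dq, '"') ? 'yes' : 'no',
        attribute_broken($sq, "'") ? 'yes' : 'no');
}
// ENT_NOQUOTES breaks both, ENT_COMPAT breaks only the single-quoted one,
// ENT_QUOTES breaks neither.

echo escape_html($payloadDq), "\n";

echo from_header('Alice', 'alice@example.com'), "\n";
try {
    // constructed header-injection attempt: smuggle a Bcc: line via the name
    from_header("Alice\r\nBcc: victim@example.com", 'alice@example.com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Two notes on the choices made here. First, the escaping is tied to the context: ENT_QUOTES is enough for a value placed inside a quoted HTML attribute or in element text, but an unquoted attribute, a URL, or a JavaScript string each needs its own encoding, and htmlspecialchars() does not cover those. Second, since PHP 7.2 mail() also accepts the additional headers as an associative array (`['From' => ..., 'X-Mailer' => 'PHP']`); that avoids hand-joining lines with "\r\n" but does not remove the need to validate the name, so from_header() keeps the check regardless of which form is used.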
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki