On Wed, May 18, 2011 at 9:18 PM, Jason Pruim <li...@pruimphotography.com>wrote:

> Hey Everyone,
> Probably a simple question but I wanted to make sure I was right before I
> got to far ahead of my self....
> I have a form that I am working on and this form will be emailed to the
> recipient for processing (Not stored in a database).
> When I store in a database, I simply run all the data through
> mysql_real_escape_string() and it's all good...  Without the database, is it
> just as easy as addslashes($var)? or is there more that needs to be done?
> In the end, the info will be echoed back out to the user to be viewed but
> not edited and emailed to someone to add the registration collect money, etc
> etc.
> Am I on the right track or do I need to rethink my whole process? :)

Security depends on keeping a keen eye on context. You want to always be
sure that your PHP scripts appropriately validate input according to the
context (what cultures or languages are you expecting, what character
encodings, etc.), and you want to escape output according to context. There
are of course many other security issues developers have to watch for, but
these two areas are the source of many of the security issues in web apps,
and it sounds like you're looking for feedback specific to these two

In this case it sounds like you'll be outputting user data using HTML, so
the data should be properly escaped for HTML (also focused on context, as
the output can be within a tag, an attribute of a tag, or a url of a tag,
and each situation requires specific escaping.)

Additionally, it sounds like you'll be using the user data in an email, so
you'll have to properly escape the output to avoid email injection.

To deal with the input validation and HTML escaping, I use my framework,
Nephtali, but many other frameworks help you achieve this (including
facebooks' XHP, which is quite clever according to context:
and the combination of PHP filters and functions like htmlspecialchars(),
urlencode, etc., greatly facilitate rolling your own library if you wish. To
prevent email injection, I use the Zend Framework Email classes, as they're
very powerful, easy to use, and protect against injection.

I'm a security expert by any means, as I've made mistakes in the past that
have provided education the hard way!

In fact, I'll confess that there was a point a few years ago that I'd sent
Rasmus Lerdorf a link to promote my framework (back when it was OOP-based
rather than the functionally inspired, which was a long time ago), and I
thought I'd make a few quick edits just to make it easy for him to view the
source and see how I was handling what I thought was a cool little parallel
processing idea (it really wasn't that cool, I was young and dumb, and the
implementation was slow.) In my haste to add the code, I actually worked
outside of the framework's natural encoding capabilities, and I forgot to
manually handle the validation and encoding (the feature was new enough that
I hadn't yet integrated into the natural flow of processing.)

Alas, because I noted the security focus of the framework, Rasmus ran some
security tests on my site (which performed slowly because of my stupid
parallel idea) and that code that I forgot to manually handle lead to the
reply below:

Given this claim and the fact that you are eating your own dogfood, as

you say, then it is probably a bad sign that you have an XSS on

framework site.

> The site is so slow it is hard to poke it for others, but there is an

obvious one in the <!--current_url=--> html comment.  You are not

escaping the url correctly there.

It's been said before, but let me say it with meaning: "NOW THAT'S

I tried to make a quick little edit, and even though I'd built a framework
that focused on proper validation and escaping, I still forgot to add the
validation and escaping code for one little snippet I told myself I'd get
back to later to manually handle.

*Moral:* Don't rush. Carefully deliberate on the context, both in terms of
the expectations for input AND the nature of output. If you do this, you
eventually will get the level of security you're after (that, and fuzz the
heck out of something before you send it to Rasmus :)


Nephtali:  A simple, flexible, fast, and security-focused PHP framework

Reply via email to