Re: [PHP] Re: XSS Preventing.
On Jun 23, 2009, at 10:29, Martin Zvarík wrote:

>> Don't htmlentities() before DB save. In general:
>> - mysql_real_escape_string() before DB insertion
>> - htmlentities() before display
>
> I, on the other hand, would do htmlentities() BEFORE insertion.
>
> Pros:
> ---
> The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.

Isn't reading from the database every time a much bigger waste?

Sounds like you might benefit from reading about Amdahl's law:

http://en.wikipedia.org/wiki/Amdahl%27s_law

Additionally, these slides from a talk by George Schlossnagle are good:

http://schlossnagle.org/~george/talks/ZendPerf.pdf

Amdahl's law aside, it does make sense in some cases (profiles for social apps, for example) to cache this information in a ready-to-be-displayed format, but no one should be talking about performance and reading from the database every time in the same sentence.

Chris

--
Chris Shiflett
http://shiflett.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: XSS Preventing.
On Fri, Jun 26, 2009 at 12:07 PM, Chris Shiflett shifl...@php.net wrote:

> On Jun 23, 2009, at 10:29, Martin Zvarík wrote:
>
>>> Don't htmlentities() before DB save. In general:
>>> - mysql_real_escape_string() before DB insertion
>>> - htmlentities() before display
>>
>> I, on the other hand, would do htmlentities() BEFORE insertion.
>>
>> Pros:
>> ---
>> The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.
>
> Isn't reading from the database every time a much bigger waste?
>
> Sounds like you might benefit from reading about Amdahl's law:
>
> http://en.wikipedia.org/wiki/Amdahl%27s_law
>
> Additionally, these slides from a talk by George Schlossnagle are good:
>
> http://schlossnagle.org/~george/talks/ZendPerf.pdf
>
> Amdahl's law aside, it does make sense in some cases (profiles for social apps, for example) to cache this information in a ready-to-be-displayed format, but no one should be talking about performance and reading from the database every time in the same sentence.
>
> Chris
>
> --
> Chris Shiflett
> http://shiflett.org/

Fantastic PDF from George Schlossnagle:
http://schlossnagle.org/~george/talks/ZendPerf.pdf

Thanks

--
Bastien

Cat, the other other white meat
[PHP] Re: XSS Preventing.
> Don't htmlentities() before DB save. In general:
> - mysql_real_escape_string() before DB insertion
> - htmlentities() before display

I, on the other hand, would do htmlentities() BEFORE insertion.

Pros:
---
The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.

Cons:
---
Instead you'll see &amp; ... is that a problem? Not for me, and I believe 80% of others who use a DB to store views on the web.

Martin
Re: [PHP] Re: XSS Preventing.
I have read some things about these issues, and I understand that if you use htmlentities() BEFORE insertion there will be some problems when querying the DB for XML, PDF or other data formats. I have some PHP books whose authors code Martin Zvarík's way. If you have any pros and cons, please share them with us.

Thanks.

2009/6/23 Martin Zvarík mzva...@gmail.com

>> Don't htmlentities() before DB save. In general:
>> - mysql_real_escape_string() before DB insertion
>> - htmlentities() before display
>
> I, on the other hand, would do htmlentities() BEFORE insertion.
>
> Pros:
> ---
> The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.
>
> Cons:
> ---
> Instead you'll see &amp; ... is that a problem? Not for me, and I believe 80% of others who use a DB to store views on the web.
>
> Martin
Re: [PHP] Re: XSS Preventing.
If you use htmlentities after each query you can find problems like this:

My name is Mart&amp;iacute;n.

Also, the data is stored to be used in an HTML environment. What happens if you need the data for other purposes?

On Tue, Jun 23, 2009 at 11:42 AM, Caner Bulut caner...@gmail.com wrote:

> I have read some things about these issues, and I understand that if you use htmlentities() BEFORE insertion there will be some problems when querying the DB for XML, PDF or other data formats. I have some PHP books whose authors code Martin Zvarík's way. If you have any pros and cons, please share them with us.
>
> Thanks.
>
> 2009/6/23 Martin Zvarík mzva...@gmail.com
>
>>>> Don't htmlentities() before DB save. In general:
>>>> - mysql_real_escape_string() before DB insertion
>>>> - htmlentities() before display
>>>
>>> I, on the other hand, would do htmlentities() BEFORE insertion.
>>>
>>> Pros:
>>> ---
>>> The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.
>>>
>>> Cons:
>>> ---
>>> Instead you'll see &amp; ... is that a problem? Not for me, and I believe 80% of others who use a DB to store views on the web.
>>>
>>> Martin

--
Martin Scotta
Re: [PHP] Re: XSS Preventing.
On Tue, Jun 23, 2009 at 10:29 AM, Martin Zvarík mzva...@gmail.com wrote:

>> Don't htmlentities() before DB save. In general:
>> - mysql_real_escape_string() before DB insertion
>> - htmlentities() before display
>
> I, on the other hand, would do htmlentities() BEFORE insertion.
>
> Pros:
> ---
> The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.
>
> Cons:
> ---
> Instead you'll see &amp; ... is that a problem? Not for me, and I believe 80% of others who use a DB to store views on the web.
>
> Martin

Different strokes for different folks. The performance hit isn't that great, and now you're potentially storing more data, since individual characters (generally 1 or 2 bytes) are inflated to entities that are often around 6-8 bytes.

Additional cons:

If the content ever needed to be formatted for something other than HTML (either now or in the future), you'd have to remove the entities every time you read the database. So now you have a stupid waste of performance again AND you're still storing the extra bytes in the database.

Andrew
Re: [PHP] Re: XSS Preventing.
Cons:
1. Can't easily edit information in the database
2. Can't display raw for the user (e.g. edit a forum post)
3. Uses more space in the DB
4. Isn't as easily indexed
5. Breaks i18n support of internal search engines (Sphinx, Lucene, etc.)

You're NEVER supposed to sanitize before inserting in the DB. Ever.

Regarding the performance boost, if your application is written so well that calling htmlentities() is hurting the performance, I bow to you as writing the highest performing PHP I've ever seen. I would bet money that validation and sanitization, even if overdone, wouldn't take more than 2 or 3 percent of execution time.

Do NOT do this, OP, it's terrible practice.

On Tue, Jun 23, 2009 at 10:29 AM, Martin Zvarík mzva...@gmail.com wrote:

>> Don't htmlentities() before DB save. In general:
>> - mysql_real_escape_string() before DB insertion
>> - htmlentities() before display
>
> I, on the other hand, would do htmlentities() BEFORE insertion.
>
> Pros:
> ---
> The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.
>
> Cons:
> ---
> Instead you'll see &amp; ... is that a problem? Not for me, and I believe 80% of others who use a DB to store views on the web.
>
> Martin
Re: [PHP] Re: XSS Preventing.
> Cons:
> 1. Can't easily edit information in the database

True, so if you use phpMyAdmin for editing - don't do what I suggested.

> 2. Can't display raw for the user (e.g. edit a forum post)

Edit a forum? You display the data in a TEXTAREA...

> 3. Uses more space in the DB

True, although I use htmlspecialchars(), which doesn't replace that many characters.

> 4. Isn't as easily indexed
> 5. Breaks i18n support of internal search engines (Sphinx, Lucene, etc.)

Thanks for the reply, I will still do it before the DB insert.

* Btw. I should have mentioned I don't use htmlentities(), but htmlspecialchars() *

> You're NEVER supposed to sanitize before inserting in the DB. Ever.
>
> Regarding the performance boost, if your application is written so well that calling htmlentities() is hurting the performance, I bow to you as writing the highest performing PHP I've ever seen. I would bet money that validation and sanitization, even if overdone, wouldn't take more than 2 or 3 percent of execution time.
>
> Do NOT do this, OP, it's terrible practice.
Re: [PHP] Re: XSS Preventing.
On Jun 23, 2009, at 9:29 AM, Martin Zvarík wrote:

>> Don't htmlentities() before DB save. In general:
>> - mysql_real_escape_string() before DB insertion
>> - htmlentities() before display
>
> I, on the other hand, would do htmlentities() BEFORE insertion.
>
> Pros:
> ---
> The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.
>
> Cons:
> ---
> Instead you'll see &amp; ... is that a problem? Not for me, and I believe 80% of others who use a DB to store views on the web.
>
> Martin

I had a problem with storing &amp; into the database instead of just &. When I wanted to search for something and &amp; was in the value, typing & would not find the result. I fixed that by not using htmlentities() before inputting data into the database.

IMO, using htmlentities() or htmlspecialchars() before inserting into the DB is inherently wrong. Making calls to those functions should have negligible impact on the application - there are other ways to improve the performance of your application.

My too scents,
~Philip
Re: [PHP] Re: XSS Preventing.
Eddie Drapkin wrote:

>>> 2. Can't display raw for the user (e.g. edit a forum post)
>>
>> Edit a forum? You display the data in a TEXTAREA...
>
> Because seeing something like:
>
> <textarea>&quot;Yeah!&quot; is what he said. </textarea>
>
> is awesome for the user experience.

If you don't do html...() before putting it into the textarea, this can happen:

<textarea> blabla <b></textarea> blabla </textarea>

See?

>>> 3. Uses more space in the DB
>>
>> True, although I use htmlspecialchars(), which doesn't replace that many characters.
>
> That makes it no better of a practice to pre-sanitize. You've still yet to offer any compelling reasons why you think this is a good idea.

It's DEFINITELY easier to store RAW data in the DB, because it won't give you any headaches in the future - when you might need to add some other functionality requiring this.

But for me personally, doing htmlspecialchars() BEFORE the DB insertion is the choice to go with, because I am looking for performance. OK?

Respect
Re: [PHP] Re: XSS Preventing.
Philip Thompson wrote:

> On Jun 23, 2009, at 9:29 AM, Martin Zvarík wrote:
>
>>>> Don't htmlentities() before DB save. In general:
>>>> - mysql_real_escape_string() before DB insertion
>>>> - htmlentities() before display
>>>
>>> I, on the other hand, would do htmlentities() BEFORE insertion.
>>>
>>> Pros:
>>> ---
>>> The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.
>>>
>>> Cons:
>>> ---
>>> Instead you'll see &amp; ... is that a problem? Not for me, and I believe 80% of others who use a DB to store views on the web.
>>>
>>> Martin
>
> I had a problem with storing &amp; into the database instead of just &. When I wanted to search for something and &amp; was in the value, typing & would not find the result. I fixed that by not using htmlentities() before inputting data into the database.
>
> IMO, using htmlentities() or htmlspecialchars() before inserting into the DB is inherently wrong. Making calls to those functions should have negligible impact on the application - there are other ways to improve the performance of your application.
>
> My too scents,
> ~Philip

You could do htmlentities() at the search string...
[PHP] Re: XSS Preventing.
Caner BULUT wrote:

> Hi Guys,
>
> I have a question; if you have any knowledge about this, please let me know.
>
> I am getting data from a form with the POST method like the following:
>
> $x = htmlentities($_POST['y']);
>
> After getting all the form data I save it into the DB; I used mysql_real_escape_string. I have a page which shows the information that I have saved into the DB. But if I don't use html_entity_decode, there will be encoding and charset problems. I can't set the htmlentities charset parameter because this function does not have Turkish charset support.
>
> The question is: after saving data into the DB using htmlentities, if I use the html_entity_decode function in the information page, is there still an XSS risk or not? Does the html_entity_decode function bring back all the risk again?
>
> Please help.
>
> Thanks.
> Caner.

Don't htmlentities() before DB save. In general:

- mysql_real_escape_string() before DB insertion
- htmlentities() before display

--
Thanks!
-Shawn
http://www.spidean.com
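A worked illustration of Shawn's advice and of Caner's question (yes, html_entity_decode() at output undoes the escaping and brings the XSS risk straight back), together with the cons raised elsewhere in the thread: the double-encoded edit form Eddie describes, the search mismatch Philip hit, and Andrew's point about non-HTML consumers. This is an added example, not code from any poster. It assumes PHP 5.4 or later with pdo_sqlite; the two table names, the helper names h() and editForm(), and the three sample posts are constructed for the demo. Prepared statements stand in for mysql_real_escape_string() (the mysql extension was removed in PHP 7).

```php
<?php
// Added example for this thread, not code from any poster. Assumes PHP >= 5.4
// with pdo_sqlite; table names, helper names and sample posts are constructed.
declare(strict_types=1);

// One escaping function for HTML element content and quoted attribute values.
// ENT_QUOTES covers both quote characters; the explicit charset avoids the
// ISO-8859-1 default of PHP < 5.4; ENT_SUBSTITUTE keeps an invalid byte
// sequence from turning the whole result into an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, as $_POST['y'] might arrive from users.
$posts = [
    'Tom & Jerry',                           // an ordinary ampersand
    '"Yeah!" is what he said.',              // quotes (Eddie's edit-form case)
    '</textarea><script>alert(1)</script>',  // tries to break out of the form
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post_raw     (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec('CREATE TABLE post_escaped (id INTEGER PRIMARY KEY, body TEXT)');

// Prepared statements take care of the SQL context on the way in; nothing
// HTML-specific happens at insert time in the recommended variant.
$insRaw = $db->prepare('INSERT INTO post_raw (body) VALUES (:body)');
$insEsc = $db->prepare('INSERT INTO post_escaped (body) VALUES (:body)');
foreach ($posts as $p) {
    $insRaw->execute([':body' => $p]);     // store the raw text
    $insEsc->execute([':body' => h($p)]);  // Martin's variant: escape before INSERT
}

// The edit form the thread argues about: escape at output, every time.
function editForm(string $body): string
{
    return '<textarea name="body">' . h($body) . '</textarea>';
}

echo "== raw storage, escaped at output ==\n";
foreach ($db->query('SELECT body FROM post_raw') as $row) {
    echo editForm($row['body']), "\n";
}

echo "== pre-escaped storage, escaped again at output ==\n";
foreach ($db->query('SELECT body FROM post_escaped') as $row) {
    echo editForm($row['body']), "\n";
}

echo "== pre-escaped storage, html_entity_decode() at output ==\n";
foreach ($db->query('SELECT body FROM post_escaped') as $row) {
    // Decoding restores the original bytes, <script> included: this is XSS.
    $decoded = html_entity_decode($row['body'], ENT_QUOTES, 'UTF-8');
    echo '<textarea name="body">' . $decoded . "</textarea>\n";
}

// Philip's search problem: the user types the text exactly as they wrote it.
function countMatches(PDO $db, string $table, string $needle): int
{
    // $table is a code constant here, never user input.
    $q = $db->prepare("SELECT COUNT(*) FROM $table WHERE body = :needle");
    $q->execute([':needle' => $needle]);
    return (int) $q->fetchColumn();
}
printf("raw table matches: %d, pre-escaped table matches: %d\n",
    countMatches($db, 'post_raw', 'Tom & Jerry'),
    countMatches($db, 'post_escaped', 'Tom & Jerry'));

// Andrew's point: the same field handed to a non-HTML consumer (JSON API).
echo json_encode(['raw' => $posts[0], 'pre_escaped' => h($posts[0])]), "\n";
```

Run it from the command line and compare the three textarea blocks: with raw storage the `</textarea><script>` post comes out as `&lt;/textarea&gt;&lt;script&gt;...` and stays inside the element; with pre-escaped storage plus output escaping the user sees `&amp;quot;Yeah!&amp;quot;` literally in the box (the double encoding Eddie objected to); with pre-escaped storage plus html_entity_decode() the closing tag and the script are emitted verbatim, which is exactly the XSS Caner asked about. The exact-match search finds the row in post_raw and misses it in post_escaped, and the JSON line carries `&amp;` to a client that never asked for HTML.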
RE: [PHP] Re: XSS Preventing.
Thanks for the response. But if I use it before display, charset problems occur. And htmlentities does not support the Turkish charset. How can I decode data after it passes through htmlentities?

Thanks.

-----Original Message-----
From: Shawn McKenzie [mailto:nos...@mckenzies.net]
Sent: 22 June 2009 23:27
To: php-general@lists.php.net
Subject: [PHP] Re: XSS Preventing.

Caner BULUT wrote:

> Hi Guys,
>
> I have a question; if you have any knowledge about this, please let me know.
>
> I am getting data from a form with the POST method like the following:
>
> $x = htmlentities($_POST['y']);
>
> After getting all the form data I save it into the DB; I used mysql_real_escape_string. I have a page which shows the information that I have saved into the DB. But if I don't use html_entity_decode, there will be encoding and charset problems. I can't set the htmlentities charset parameter because this function does not have Turkish charset support.
>
> The question is: after saving data into the DB using htmlentities, if I use the html_entity_decode function in the information page, is there still an XSS risk or not? Does the html_entity_decode function bring back all the risk again?
>
> Please help.
>
> Thanks.
> Caner.

Don't htmlentities() before DB save. In general:

- mysql_real_escape_string() before DB insertion
- htmlentities() before display

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Re: XSS Preventing.
Caner BULUT wrote:

> Thanks for the response. But if I use it before display, charset problems occur. And htmlentities does not support the Turkish charset. How can I decode data after it passes through htmlentities?

I have no idea; I was just saying that if you use it, use it for display and not for storage. If you only use it for display, then you don't need to decode it.

Also, what do you mean it doesn't support the Turkish charset? Does it mangle some of the chars? You are using it so that you don't get markup, script etc. in your output, so does it do something bad with the Turkish chars? Maybe try htmlspecialchars(), as it only converts a few specific chars.

> Thanks.
>
> -----Original Message-----
> From: Shawn McKenzie [mailto:nos...@mckenzies.net]
> Sent: 22 June 2009 23:27
> To: php-general@lists.php.net
> Subject: [PHP] Re: XSS Preventing.
>
> Caner BULUT wrote:
>
>> Hi Guys,
>>
>> I have a question; if you have any knowledge about this, please let me know.
>>
>> I am getting data from a form with the POST method like the following:
>>
>> $x = htmlentities($_POST['y']);
>>
>> After getting all the form data I save it into the DB; I used mysql_real_escape_string. I have a page which shows the information that I have saved into the DB. But if I don't use html_entity_decode, there will be encoding and charset problems. I can't set the htmlentities charset parameter because this function does not have Turkish charset support.
>>
>> The question is: after saving data into the DB using htmlentities, if I use the html_entity_decode function in the information page, is there still an XSS risk or not? Does the html_entity_decode function bring back all the risk again?
>>
>> Please help.
>>
>> Thanks.
>> Caner.
>
> Don't htmlentities() before DB save. In general:
>
> - mysql_real_escape_string() before DB insertion
> - htmlentities() before display
>
> --
> Thanks!
> -Shawn
> http://www.spidean.com
RE: [PHP] Re: XSS Preventing.
Shawn thanks,

If you are using htmlentities, be aware that it changes the charset to ISO-8859-1. So this is the problem. For solving this there were some parameters:

htmlentities($str, ENT_QUOTES, 'UTF-8')

But there is no Turkish charset among the supported charsets. You can see the detailed info at http://tr.php.net/htmlentities

After using htmlentities I am getting the following:

Par&amp;ccedil;an&yacute;n &amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; / tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli

After using htmlspecialchars I am getting the following:

Par&amp;ccedil;an&yacute;n &amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; / tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli

I hope I could explain the problem.

Thanks

-----Original Message-----
From: Shawn McKenzie [mailto:nos...@mckenzies.net]
Sent: 23 June 2009 00:01
To: php-general@lists.php.net
Subject: Re: [PHP] Re: XSS Preventing.

Caner BULUT wrote:

> Thanks for the response. But if I use it before display, charset problems occur. And htmlentities does not support the Turkish charset. How can I decode data after it passes through htmlentities?

I have no idea; I was just saying that if you use it, use it for display and not for storage. If you only use it for display, then you don't need to decode it.

Also, what do you mean it doesn't support the Turkish charset? Does it mangle some of the chars? You are using it so that you don't get markup, script etc. in your output, so does it do something bad with the Turkish chars? Maybe try htmlspecialchars(), as it only converts a few specific chars.

> Thanks.
>
> -----Original Message-----
> From: Shawn McKenzie [mailto:nos...@mckenzies.net]
> Sent: 22 June 2009 23:27
> To: php-general@lists.php.net
> Subject: [PHP] Re: XSS Preventing.
>
> Caner BULUT wrote:
>
>> Hi Guys,
>>
>> I have a question; if you have any knowledge about this, please let me know.
>>
>> I am getting data from a form with the POST method like the following:
>>
>> $x = htmlentities($_POST['y']);
>>
>> After getting all the form data I save it into the DB; I used mysql_real_escape_string. I have a page which shows the information that I have saved into the DB. But if I don't use html_entity_decode, there will be encoding and charset problems. I can't set the htmlentities charset parameter because this function does not have Turkish charset support.
>>
>> The question is: after saving data into the DB using htmlentities, if I use the html_entity_decode function in the information page, is there still an XSS risk or not? Does the html_entity_decode function bring back all the risk again?
>>
>> Please help.
>>
>> Thanks.
>> Caner.
>
> Don't htmlentities() before DB save. In general:
>
> - mysql_real_escape_string() before DB insertion
> - htmlentities() before display
>
> --
> Thanks!
> -Shawn
> http://www.spidean.com
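The entity dump Caner posted is what you get when bytes from an ISO-8859-9 (Latin-5, Turkish) form are read by htmlentities() as ISO-8859-1: the two charsets differ in exactly six positions, so 0xFD (ı in Latin-5) is reported as ý and becomes `&yacute;`, 0xF0 (ğ) is reported as ð and becomes `&eth;`, while ç (0xE7 in both) is encoded correctly. The supported-charset list of htmlentities()/htmlspecialchars() indeed has no ISO-8859-9 entry, so the practical fix is to convert the submitted bytes to UTF-8 once at the input boundary, store UTF-8, serve the page as UTF-8, and escape at output with an explicit 'UTF-8' charset. The following is an added example written for this thread, not Caner's or Shawn's code; it assumes PHP 5.4 or later with the mbstring extension, and the Turkish sample phrase is constructed from Caner's dump.

```php
<?php
// Added example for this thread, not code from any poster. Assumes PHP >= 5.4
// with the mbstring extension; the Turkish sample text is constructed.
declare(strict_types=1);

// The phrase behind Caner's dump, as a UTF-8 literal in this source file.
$utf8 = 'Parçanın çıkarıldığı / takılacağı araç modeli';

// Simulate what a form on an ISO-8859-9 page submits: single bytes, where
// 0xFD is ı, 0xF0 is ğ, 0xFE is ş, 0xDD is İ (in ISO-8859-1 those same
// bytes are ý, ð, þ and Ý).
$latin5 = mb_convert_encoding($utf8, 'ISO-8859-9', 'UTF-8');

// 1. The symptom from the thread: htmlentities() with the pre-5.4 default
//    charset reads the Latin-5 bytes as ISO-8859-1 and names the wrong letters.
function mangled(string $latin5Bytes): string
{
    return htmlentities($latin5Bytes, ENT_QUOTES, 'ISO-8859-1');
}

// 2. The fix, input side: decode the legacy bytes to UTF-8 once, at the
//    boundary where the request comes in, and store that.
function fromLegacyForm(string $bytes, string $formCharset = 'ISO-8859-9'): string
{
    return mb_convert_encoding($bytes, 'UTF-8', $formCharset);
}

// 3. The fix, output side: htmlspecialchars() only touches & < > " ' and
//    leaves every Turkish letter alone, so no decode step is ever needed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. The trap between the two: passing the undecoded Latin-5 bytes with
//    charset 'UTF-8' is invalid UTF-8 input, and without ENT_SUBSTITUTE
//    (or ENT_IGNORE) htmlspecialchars() returns an empty string.
function silentlyDropped(string $latin5Bytes): string
{
    return htmlspecialchars($latin5Bytes, ENT_QUOTES, 'UTF-8');
}

$stored = fromLegacyForm($latin5);   // this is what goes into the database

printf("mangled : %s\n", mangled($latin5));
printf("dropped : [%s]\n", silentlyDropped($latin5));
printf("correct : %s\n", h($stored));
printf("valid UTF-8 in storage: %s\n", mb_check_encoding($stored, 'UTF-8') ? 'yes' : 'no');

// 5. Tell the browser what it is receiving; a mismatch here brings the
//    "charset problems" back even when the stored bytes are right.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
}
```

The first line reproduces Caner's `Par&ccedil;an&yacute;n ...` output; the second is empty brackets, which is the silent data loss you get by switching the charset argument to 'UTF-8' without converting the bytes first; the third is the phrase unchanged, because there is nothing in it that htmlspecialchars() needs to touch. If the form page itself is moved to UTF-8 (accept-charset or a UTF-8 Content-Type on the page that serves it), the fromLegacyForm() step disappears and only the output escaping remains.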