Re: [PHP] Re: XSS Preventing.

2009-06-26 Thread Chris Shiflett

On Jun 23, 2009, at 10:29, Martin Zvarík wrote:


Don't htmlentities() before DB save.  In general:
- mysql_real_escape_string() before DB insertion
- htmlentities() before display


I, on the other hand, would do htmlentities() BEFORE insertion.

Pros:
---
The text is processed once and doesn't have to be htmlentitied()
every time you read the database - what a stupid waste of performance
anyway.


Isn't reading from the database every time a much bigger waste? Sounds  
like you might benefit from reading about Amdahl's law:


http://en.wikipedia.org/wiki/Amdahl%27s_law

Additionally, these slides from a talk by George Schlossnagle are good:

http://schlossnagle.org/~george/talks/ZendPerf.pdf

Amdahl's law aside, it does make sense in some cases (profiles for  
social apps, for example) to cache this information in a ready-to-be- 
displayed format, but no one should be talking about performance and  
reading from the database every time in the same sentence.


Chris

--
Chris Shiflett
http://shiflett.org/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
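The approach Shawn recommends and Chris qualifies above, written out as an added PHP example (this is not code from the thread or from any project named in it): raw text goes into the database through a parameterized query, each reader escapes for its own output context, and the "ready-to-be-displayed" cache Chris mentions holds rendered HTML beside the raw value rather than replacing it. It assumes PHP 7.4 or later with the pdo_sqlite extension so it runs offline; the table, column and function names are invented for illustration.

```php
<?php
// Added example: store raw, escape on output. Not code from the thread.
// Assumes pdo_sqlite; schema and names are invented for illustration.
declare(strict_types=1);

// Storage layer. The only escaping here is for SQL, done by parameter
// binding (the modern replacement for mysql_real_escape_string()), never for HTML.
function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT NOT NULL, bio TEXT NOT NULL)');
    return $db;
}

function saveProfile(PDO $db, string $name, string $bio): int
{
    $stmt = $db->prepare('INSERT INTO profiles (name, bio) VALUES (:name, :bio)');
    $stmt->execute([':name' => $name, ':bio' => $bio]);   // raw text goes in unchanged
    return (int) $db->lastInsertId();
}

function loadProfile(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, bio FROM profiles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Output layer: one escaper per context. The same stored row is rendered as
// HTML, as JSON for an API, or as plain text for an e-mail, with no decoding
// step anywhere. That is the whole argument for not escaping before storage.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHtml(array $row): string
{
    return '<h1>' . e($row['name']) . '</h1><p>' . e($row['bio']) . '</p>';
}

function renderJson(array $row): string
{
    // The JSON_HEX_* flags make the result safe to embed inside a <script> block as well.
    return json_encode($row, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function renderPlainText(array $row): string
{
    return $row['name'] . "\n" . $row['bio'];
}

// Chris's caveat: when output really is the hot path, cache the rendered HTML
// instead of escaping before storage. The cache holds HTML; the table keeps the
// raw value, so the JSON and plain-text consumers are unaffected.
function renderHtmlCached(PDO $db, int $id, array &$cache): string
{
    return $cache[$id] ??= renderHtml(loadProfile($db, $id));
}

$db = openStore();
// Constructed sample containing a character that matters in every context.
$id  = saveProfile($db, 'Tom & Jerry', 'Said "hi" <b>loudly</b>');
$row = loadProfile($db, $id);

echo renderHtml($row), "\n";
echo renderJson($row), "\n";
echo renderPlainText($row), "\n";

$cache = [];
renderHtmlCached($db, $id, $cache);   // first call renders and stores
renderHtmlCached($db, $id, $cache);   // second call is served from $cache
echo count($cache), " cached rendering(s)\n";
```

The point to take from it is that `e()` is called exactly once per HTML output and never on the way into the database, so the row can later be reused for a format that is not HTML without any entity decoding.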



Re: [PHP] Re: XSS Preventing.

2009-06-26 Thread Bastien Koert
On Fri, Jun 26, 2009 at 12:07 PM, Chris Shiflett shifl...@php.net wrote:
 On Jun 23, 2009, at 10:29, Martin Zvarík wrote:

 Don't htmlentities() before DB save.  In general:
 - mysql_real_escape_string() before DB insertion
 - htmlentities() before display

 I, on the other hand, would do htmlentities() BEFORE insertion.

 Pros:
 ---
 The text is processed once and doesn't have to be htmlentitied() every time
 you read the database - what a stupid waste of performance anyway.

 Isn't reading from the database every time a much bigger waste? Sounds like
 you might benefit from reading about Amdahl's law:

 http://en.wikipedia.org/wiki/Amdahl%27s_law

 Additionally, these slides from a talk by George Schlossnagle are good:

 http://schlossnagle.org/~george/talks/ZendPerf.pdf

 Amdahl's law aside, it does make sense in some cases (profiles for social
 apps, for example) to cache this information in a ready-to-be-displayed
 format, but no one should be talking about performance and reading from
 the database every time in the same sentence.

 Chris

 --
 Chris Shiflett
 http://shiflett.org/





Fantastic PDF from George Schlossnagle

http://schlossnagle.org/~george/talks/ZendPerf.pdf


Thanks

-- 

Bastien

Cat, the other other white meat




Re: [PHP] Re: XSS Preventing.

2009-06-23 Thread Caner Bulut
I have read some things about these issues, and I understand that if you use
htmlentities() BEFORE insertion, when querying the DB from XML, PDF or other
data formats, there will be some problems.

I have some PHP books; the authors code like Martin Zvarík's way. If you
have any pros and cons please share them with us.

Thanks.

2009/6/23 Martin Zvarík mzva...@gmail.com


 Don't htmlentities() before DB save.  In general:

 - mysql_real_escape_string() before DB insertion

 - htmlentities() before display



 I, on the other hand, would do htmlentities() BEFORE insertion.


 Pros:
 ---
 The text is processed once and doesn't have to be htmlentitied() every time
 you read the database - what a stupid waste of performance anyway.


 Cons:
 ---
 Instead of & you'll see &amp; ... is that a problem? Not for me and I
 believe 80% of others who use DB to store & view on web.



 Martin






Re: [PHP] Re: XSS Preventing.

2009-06-23 Thread Martin Scotta
If you use htmlentities after each query you can find problems like this:

My name is Mart&amp;iacute;n.


Also the data is stored to be used in an HTML environment.
What happens if you need the data for other purposes?

On Tue, Jun 23, 2009 at 11:42 AM, Caner Bulut caner...@gmail.com wrote:

 I have read some things about these issues, and I understand that if you use
 htmlentities() BEFORE insertion, when querying the DB from XML, PDF or other
 data formats, there will be some problems.

 I have some PHP books; the authors code like Martin Zvarík's way. If you
 have any pros and cons please share them with us.

 Thanks.

 2009/6/23 Martin Zvarík mzva...@gmail.com

 
  Don't htmlentities() before DB save.  In general:
 
  - mysql_real_escape_string() before DB insertion
 
  - htmlentities() before display
 
 
 
  I, on the other hand, would do htmlentities() BEFORE insertion.
 
 
  Pros:
  ---
  The text is processed once and doesn't have to be htmlentitied()
 every time
  you read the database - what a stupid waste of performance anyway.
 
 
  Cons:
  ---
  Instead of & you'll see &amp; ... is that a problem? Not for me and I
  believe 80% of others who use DB to store & view on web.
 
 
 
  Martin
 
 
 
 




-- 
Martin Scotta
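How the double-encoded name Martin Scotta shows above comes about, and the two ways out of it, as an added PHP example that is not code from the thread. The input string and the function names are constructed for illustration; `looksPreEscaped()` is a hypothetical audit helper, not a PHP built-in.

```php
<?php
// Added example, not code from the thread: producing and avoiding "Mart&amp;iacute;n".
declare(strict_types=1);

const ORIGINAL = 'My name is Martín.';   // constructed sample, UTF-8

// Escape-before-storage: this is what ends up in the database column.
// htmlentities() turns í into the named entity &iacute;.
function storedEscaped(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}

// A display layer written the normal way escapes everything it prints. It has
// no way of knowing the value was already escaped, so the & of &iacute; becomes
// &amp; and the browser shows the entity text instead of the letter.
function renderNaive(string $stored): string
{
    return htmlentities($stored, ENT_QUOTES, 'UTF-8');
}

// Band-aid: the fourth argument, double_encode = false, leaves anything that
// already looks like an entity alone. It hides this symptom but cannot tell an
// entity the application produced from "&amp;" that a user typed literally, so
// user text is now silently changed on display.
function renderDoubleEncodeOff(string $stored): string
{
    return htmlentities($stored, ENT_QUOTES, 'UTF-8', false);
}

// Store raw, escape once at output: there is nothing left to double-encode,
// and the letter í needs no entity at all in a UTF-8 page.
function renderFromRaw(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Audit helper (hypothetical): flags stored values that already contain
// entities, which is the situation that produces double encoding.
function looksPreEscaped(string $stored): bool
{
    return (bool) preg_match('/&(?:#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);/i', $stored);
}

$stored = storedEscaped(ORIGINAL);
printf("%-22s %s\n", 'stored:', $stored);
printf("%-22s %s\n", 'naive display:', renderNaive($stored));
printf("%-22s %s\n", 'double_encode=false:', renderDoubleEncodeOff($stored));
printf("%-22s %s\n", 'escape from raw:', renderFromRaw(ORIGINAL));
printf("%-22s %s\n", 'pre-escaped?', looksPreEscaped($stored) ? 'yes' : 'no');
printf("%-22s %s\n", 'user typed &amp;:', renderDoubleEncodeOff('literal &amp; here'));
```

The last line is the case the band-aid gets wrong: a user who typed the six characters `&amp;` will see a bare `&` on the page, because `double_encode = false` treats their text as an entity the application produced.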


Re: [PHP] Re: XSS Preventing.

2009-06-23 Thread Andrew Ballard
On Tue, Jun 23, 2009 at 10:29 AM, Martin Zvarík mzva...@gmail.com wrote:

 Don't htmlentities() before DB save.  In general:

 - mysql_real_escape_string() before DB insertion

 - htmlentities() before display



 I, on the other hand, would do htmlentities() BEFORE insertion.


 Pros:
 ---
 The text is processed once and doesn't have to be htmlentitied() every time
 you read the database - what a stupid waste of performance anyway.


 Cons:
 ---
 Instead of & you'll see &amp; ... is that a problem? Not for me and I
 believe 80% of others who use DB to store & view on web.



 Martin


Different strokes for different folks. The performance hit isn't that
great, and now you're potentially storing more data since individual
characters (generally 1 or 2 bytes) are inflated to entities that are
often around 6-8 bytes.

Additional Cons:
If the content ever needed to be formatted for something other than
html (either now or in the future) you'd have to remove the entities
every time you read the database. So now you have a stupid waste of
performance again AND you're still storing the extra bytes in the
database.

Andrew




Re: [PHP] Re: XSS Preventing.

2009-06-23 Thread Eddie Drapkin
Cons:
1. Can't easily edit information in the database
2. Can't display raw for the user (e.g. edit a forum post)
3. Uses more space in the DB
4. Isn't as easily indexed
5. Breaks i18n support of internal search engines (sphinx, lucene, etc.)

You're NEVER supposed to sanitize before inserting in the DB.  Ever.
Regarding the performance boost, if your application is written so
well that calling htmlentities() is hurting the performance, I bow to
you as writing the highest performing PHP I've ever seen.  I would bet
money that validation and sanitization, even if overdone, wouldn't
take more than 2 or 3 percent of execution time.

Do NOT do this, OP, it's terrible practice.

On Tue, Jun 23, 2009 at 10:29 AM, Martin Zvarík mzva...@gmail.com wrote:

 Don't htmlentities() before DB save.  In general:

 - mysql_real_escape_string() before DB insertion

 - htmlentities() before display



 I, on the other hand, would do htmlentities() BEFORE insertion.


 Pros:
 ---
 The text is processed once and doesn't have to be htmlentitied() every time
 you read the database - what a stupid waste of performance anyway.


 Cons:
 ---
 Instead of & you'll see &amp; ... is that a problem? Not for me and I
 believe 80% of others who use DB to store & view on web.



 Martin







Re: [PHP] Re: XSS Preventing.

2009-06-23 Thread Martin Zvarík



Cons:
1. Can't easily edit information in the database
  

True, so if you use phpmyadmin for editing - don't do what I suggested.

2. Can't display raw for the user (e.g. edit a forum post)
  

Edit a forum? You display the data in TEXTAREA...

3. Uses more space in the DB
  

True,
although I use htmlspecialchars() which doesn't replace that many 
characters.

4. Isn't as easily indexed
5. Breaks i18n support of internal search engines (sphinx, lucene, etc.)
  

Thanks for the reply, I will still do it before the DB insert.

Btw. I should have mentioned I don't use htmlentities(), but
htmlspecialchars().



You're NEVER supposed to sanitize before inserting in the DB.  Ever.
Regarding the performance boost, if your application is written so
well that calling htmlentities() is hurting the performance, I bow to
you as writing the highest performing PHP I've ever seen.  I would bet
money that validation and sanitization, even if overdone, wouldn't
take more than 2 or 3 percent of execution time.

Do NOT do this, OP, it's terrible practice.


  


Re: [PHP] Re: XSS Preventing.

2009-06-23 Thread Philip Thompson

On Jun 23, 2009, at 9:29 AM, Martin Zvarík wrote:


Don't htmlentities() before DB save.  In general:
- mysql_real_escape_string() before DB insertion
- htmlentities() before display



I, on the other hand, would do htmlentities() BEFORE insertion.


Pros:
---
The text is processed once and doesn't have to be htmlentitied()
every time you read the database - what a stupid waste of performance
anyway.



Cons:
---
Instead of & you'll see &amp; ... is that a problem? Not for me and
I believe 80% of others who use DB to store & view on web.


I had a problem with storing &amp; into the database instead of just
&. When I wanted to search for something and &amp; was in the value,
typing & would not find the result. I fixed that by not using
htmlentities() before inputting data into the database. IMO, using
htmlentities() or htmlspecialchars() before inserting into db is
inherently wrong. Making calls to those functions should have
negligible impact on the application - there are other ways to improve
the performance of your application.


My too scents,
~Philip



Martin


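Philip's search problem reproduced on an in-memory SQLite table, as an added PHP example that is not code from the thread, with Martin's "escape the search string too" workaround included so that its side effect is visible. It assumes the pdo_sqlite extension; the table, columns and sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes pdo_sqlite; table,
// columns and rows are constructed for illustration.
declare(strict_types=1);

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Two columns holding the same titles: one raw, one pre-escaped the way
// Martin stores them, so both conventions can be searched side by side.
function setupProducts(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (title_raw TEXT NOT NULL, title_escaped TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO products (title_raw, title_escaped) VALUES (:raw, :esc)');
    foreach (['Plain title', 'Black & Decker "Pro" <XL>'] as $title) {   // constructed rows
        $ins->execute([':raw' => $title, ':esc' => e($title)]);
    }
    return $db;
}

// Substring search in one column. The column name is taken from a fixed list,
// never from the request; the term is bound as a parameter, and its LIKE
// wildcards (% and _) are neutralised with the ESCAPE clause.
function searchTitles(PDO $db, string $column, string $term): array
{
    if (!in_array($column, ['title_raw', 'title_escaped'], true)) {
        throw new InvalidArgumentException('unknown column');
    }
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare("SELECT title_raw FROM products WHERE $column LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function report(string $label, array $hits): void
{
    printf("%-40s %d hit(s): %s\n", $label, count($hits), implode(' | ', $hits));
}

$db = setupProducts();

// What the user types into the search box.
$term = 'Black & Decker';

// Raw storage: the term matches the stored text as typed.
report('raw column, raw term', searchTitles($db, 'title_raw', $term));

// Pre-escaped storage: the column holds "Black &amp; Decker", so the same term finds nothing.
report('escaped column, raw term', searchTitles($db, 'title_escaped', $term));

// Martin's workaround: escape the term as well. This search now matches...
report('escaped column, escaped term', searchTitles($db, 'title_escaped', e($term)));

// ...but the comparison is now between entity text rather than between what
// the user sees. A search for the fragment "uot;" hits the &quot; entities in
// the second row although no title contains that text; the raw column does not.
report('raw column, term "uot;"', searchTitles($db, 'title_raw', 'uot;'));
report('escaped column, escaped "uot;"', searchTitles($db, 'title_escaped', e('uot;')));
```

The same mismatch shows up in any operation that looks at stored text rather than rendering it: sorting, length limits, full-text indexing (Eddie's point 4 and 5), and exports to formats that are not HTML.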



Re: [PHP] Re: XSS Preventing.

2009-06-23 Thread Martin Zvarík

Eddie Drapkin napsal(a):



2. Can't display raw for the user (e.g. edit a forum post)
  

Edit a forum? You display the data in TEXTAREA...


Because seeing something like:
<textarea>&quot;Yeah!&quot; is what he said. </textarea>
Is awesome for the user experience.


If you don't do html...() before putting to textarea this can happen:

<textarea>   blabla <b></textarea>  blabla  </textarea>

See?


3. Uses more space in the DB
  


True,
although I use htmlspecialchars() which doesn't replace that many
characters.


That makes it no better of a practice to pre-sanitize.

You've still yet to offer any compelling reasons why you think this is 
a good idea.


It's DEFINITELY easier to store RAW data in the DB, because it won't give
you any headaches in the future - when you might need to add some other
functionality requiring this.


But for me personally, doing htmlspecialchars() BEFORE the DB
insertion is the choice to go with, because I am looking for performance.


ok? respect
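The textarea exchange above, as an added PHP example that is not code from the thread: an edit form rendered with and without output escaping, a check that counts how many times the element is closed, and a check that the escaped form hands the user's text back unchanged on submit. The post text is constructed; `textareaEscaped()`, `textareaRaw()` and the two check functions are hypothetical names.

```php
<?php
// Added example, not code from the thread. Shows why "put it in a TEXTAREA"
// is not a substitute for escaping, and that escaping at output round-trips.
declare(strict_types=1);

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Correct: the stored raw text is escaped once, here, for the HTML text context.
function textareaEscaped(string $name, string $value): string
{
    return '<textarea name="' . e($name) . '">' . e($value) . '</textarea>';
}

// Incorrect: raw text dropped into the element, as suggested in the thread.
function textareaRaw(string $name, string $value): string
{
    return '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// Counts the places in the markup that end a textarea element. A well-formed
// edit form has exactly one; more than one means the content broke out of it.
function textareaEndCount(string $html): int
{
    return (int) preg_match_all('#</textarea\s*>#i', $html);
}

// What the browser would submit back: the decoded text content of the element.
function submittedValue(string $html): string
{
    preg_match('#<textarea[^>]*>(.*?)</textarea>#is', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a forum post that quotes someone and contains markup as text.
$post = "\"Yeah!\" is what he said. </textarea> <b>not bold</b>";

$good = textareaEscaped('body', $post);
$bad  = textareaRaw('body', $post);

echo $good, "\n";
echo 'escaped form closes the textarea ', textareaEndCount($good), " time(s)\n";
echo 'raw form closes the textarea     ', textareaEndCount($bad), " time(s)\n";

// The escaped form round-trips: the user sees and resubmits exactly what they typed.
echo 'round-trip intact: ', submittedValue($good) === $post ? 'yes' : 'no', "\n";
```

The escaped form shows the quotes exactly as Martin wants (the browser decodes `&quot;` back to `"` inside the element), so the user-experience objection and the escaping requirement are not in conflict; the raw form is the one that loses the second half of the post.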



Re: [PHP] Re: XSS Preventing.

2009-06-23 Thread Martin Zvarík

Philip Thompson napsal(a):

On Jun 23, 2009, at 9:29 AM, Martin Zvarík wrote:


Don't htmlentities() before DB save.  In general:
- mysql_real_escape_string() before DB insertion
- htmlentities() before display



I, on the other hand, would do htmlentities() BEFORE insertion.


Pros:
---
The text is processed once and doesn't have to be htmlentitied()
every time you read the database - what a stupid waste of performance
anyway.



Cons:
---
Instead of & you'll see &amp; ... is that a problem? Not for me and I
believe 80% of others who use DB to store & view on web.


I had a problem with storing &amp; into the database instead of just &.
When I wanted to search for something and &amp; was in the value,
typing & would not find the result. I fixed that by not using
htmlentities() before inputting data into the database. IMO, using
htmlentities() or htmlspecialchars() before inserting into db is
inherently wrong. Making calls to those functions should have negligible
impact on the application - there are other ways to improve the
performance of your application.


My too scents,
~Philip



Martin



You could do htmlentities() at the search string...




RE: [PHP] Re: XSS Preventing.

2009-06-22 Thread Caner BULUT

Thanks for the response.

But if I use it before display, charset problems occur. And
htmlentities does not support the Turkish charset. How can I decode data after
passing it through htmlentities?

Thanks.

-Original Message-
From: Shawn McKenzie [mailto:nos...@mckenzies.net] 
Sent: 22 June 2009 23:27
To: php-general@lists.php.net
Subject: [PHP] Re: XSS Preventing.

Caner BULUT wrote:
 Hi Guys,

 I have a question; if you have any knowledge about this please let me know.

 I am getting data from a form with the POST method like the following.

 $x = htmlentities($_POST['y']);

 .

 After getting all form data I save them into the DB, I used
 mysql_real_escape_string.

 I have a page which shows the information that I have saved into the DB. But if I
 don't use html_entity_decode, there will be encoding and charset problems. I
 can't set htmlentities' charset parameter because this function does not
 have Turkish charset support.

 The question is that, after saving data into the DB using htmlentities, in
 the information page if I use the html_entity_decode function is there still an
 XSS risk or not? Does the html_entity_decode function bring back all the risk again?

 Please help.

 Thanks.

 Caner.

 

Don't htmlentities() before DB save.  In general:

- mysql_real_escape_string() before DB insertion

- htmlentities() before display

-- 
Thanks!
-Shawn
http://www.spidean.com






Re: [PHP] Re: XSS Preventing.

2009-06-22 Thread Shawn McKenzie
Caner BULUT wrote:
 Thanks for response. 
 
 But if I use it before display, charset problems occur. And
 htmlentities does not support the Turkish charset. How can I decode data after
 passing it through htmlentities?

I have no idea, I was just saying that if you use it, use it for display
and not for storage.  If you only use it for display, then you don't
need to decode it.  Also, what do you mean it doesn't support the
Turkish charset?  Does it mangle some of the chars?  You are using it so
that you don't get markup <script> etc. in your output, so does it
do something bad with the Turkish chars?  Maybe try htmlspecialchars()
as it only converts a few specific chars.


 
 Thanks.
 
 -Original Message-
 From: Shawn McKenzie [mailto:nos...@mckenzies.net] 
 Sent: 22 June 2009 23:27
 To: php-general@lists.php.net
 Subject: [PHP] Re: XSS Preventing.
 
 Caner BULUT wrote:
 Hi Guys,

 I have a question; if you have any knowledge about this please let me know.

 I am getting data from a form with the POST method like the following.

 $x = htmlentities($_POST['y']);

 .

 After getting all form data I save them into the DB, I used
 mysql_real_escape_string.

 I have a page which shows the information that I have saved into the DB. But if I
 don't use html_entity_decode, there will be encoding and charset problems. I
 can't set htmlentities' charset parameter because this function does not
 have Turkish charset support.

 The question is that, after saving data into the DB using htmlentities, in
 the information page if I use the html_entity_decode function is there still an
 XSS risk or not? Does the html_entity_decode function bring back all the risk again?

 Please help.

 Thanks.

 Caner.


 
 Don't htmlentities() before DB save.  In general:
 
 - mysql_real_escape_string() before DB insertion
 
 - htmlentities() before display
 

-- 
Thanks!
-Shawn
http://www.spidean.com




RE: [PHP] Re: XSS Preventing.

2009-06-22 Thread Caner BULUT
Shawn thanks,

If you are using htmlentities, be aware that it changes the charset to ISO-8859-1. So
this is the problem. For solving this there were some parameters.

htmlentities($str, ENT_QUOTES, 'UTF-8')

But there is no Turkish charset among the supported charsets. You can see the
detailed info at
http://tr.php.net/htmlentities

After using htmlentities I am getting the following


Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n

After using htmlspecialchars I am getting the following


Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli

I hope I could explain the problem. Thanks


-Original Message-
From: Shawn McKenzie [mailto:nos...@mckenzies.net] 
Sent: 23 June 2009 00:01
To: php-general@lists.php.net
Subject: Re: [PHP] Re: XSS Preventing.

Caner BULUT wrote:
 Thanks for response. 
 
 But if I use it before display, charset problems occur. And
 htmlentities does not support the Turkish charset. How can I decode data after
 passing it through htmlentities?

I have no idea, I was just saying that if you use it, use it for display
and not for storage.  If you only use it for display, then you don't
need to decode it.  Also, what do you mean it doesn't support the
Turkish charset?  Does it mangle some of the chars?  You are using it so
that you don't get markup <script> etc. in your output, so does it
do something bad with the Turkish chars?  Maybe try htmlspecialchars()
as it only converts a few specific chars.


 
 Thanks.
 
 -Original Message-
 From: Shawn McKenzie [mailto:nos...@mckenzies.net] 
 Sent: 22 June 2009 23:27
 To: php-general@lists.php.net
 Subject: [PHP] Re: XSS Preventing.
 
 Caner BULUT wrote:
 Hi Guys,

 I have a question; if you have any knowledge about this please let me know.

 I am getting data from a form with the POST method like the following.

 $x = htmlentities($_POST['y']);

 .

 After getting all form data I save them into the DB, I used
 mysql_real_escape_string.

 I have a page which shows the information that I have saved into the DB. But if I
 don't use html_entity_decode, there will be encoding and charset problems. I
 can't set htmlentities' charset parameter because this function does not
 have Turkish charset support.

 The question is that, after saving data into the DB using htmlentities, in
 the information page if I use the html_entity_decode function is there still an
 XSS risk or not? Does the html_entity_decode function bring back all the risk again?

 Please help.

 Thanks.

 Caner.


 
 Don't htmlentities() before DB save.  In general:
 
 - mysql_real_escape_string() before DB insertion
 
 - htmlentities() before display
 

-- 
Thanks!
-Shawn
http://www.spidean.com



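Why Caner's output shows `&yacute;` and `&eth;` in place of Turkish letters, and a fix that does not require htmlentities() to know anything about Turkish, as an added PHP example that is not code from the thread. The bytes of the sample phrase are constructed here as ISO-8859-9 (Latin-5, the usual 8-bit Turkish charset): in that charset 0xFD is ı and 0xF0 is ğ, while in ISO-8859-1 the same two bytes are ý and ð, which is exactly the substitution visible in Caner's output. It assumes the mbstring extension (iconv works the same way); the function names are invented.

```php
<?php
// Added example, not code from the thread. Assumes mbstring; names are invented.
declare(strict_types=1);

// Constructed sample: "Parçanın çıkarıldığı / takılacağı araç modeli" as
// ISO-8859-9 bytes. 0xE7 = ç (same in ISO-8859-1), 0xFD = ı, 0xF0 = ğ.
const SAMPLE_LATIN5 = "Par\xE7an\xFDn \xE7\xFDkar\xFDld\xFD\xF0\xFD / tak\xFDlaca\xF0\xFD ara\xE7 modeli";

// Reproduces the mangling: htmlentities() reading those bytes as ISO-8859-1
// emits &ccedil; for ç (correct by luck) but &yacute; for ı and &eth; for ğ.
function mangled(string $latin5): string
{
    return htmlentities($latin5, ENT_QUOTES, 'ISO-8859-1');
}

// Fix 1: convert the input to UTF-8 once, then escape in UTF-8.
// htmlspecialchars() touches only & < > " ' and leaves every Turkish letter
// as it is, so no Turkish-specific entity table is needed at all.
function escapedUtf8(string $latin5): string
{
    $utf8 = mb_convert_encoding($latin5, 'UTF-8', 'ISO-8859-9');
    return htmlspecialchars($utf8, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fix 2, if the page must stay 8-bit: htmlspecialchars() only rewrites ASCII
// bytes, so for a single-byte charset every other byte passes through untouched.
// The page then has to be served with charset=ISO-8859-9 for the browser to agree.
function escapedLatin5(string $latin5): string
{
    return htmlspecialchars($latin5, ENT_QUOTES, 'ISO-8859-1');
}

// Sanity check that nothing was lost on the UTF-8 path: unescape, convert
// back, and compare with the original bytes.
function roundTripsUtf8(string $latin5): bool
{
    $back = htmlspecialchars_decode(escapedUtf8($latin5), ENT_QUOTES);
    return mb_convert_encoding($back, 'ISO-8859-9', 'UTF-8') === $latin5;
}

echo "mangled:       ", mangled(SAMPLE_LATIN5), "\n";       // &yacute; and &eth; appear
echo "escaped UTF-8: ", escapedUtf8(SAMPLE_LATIN5), "\n";   // Turkish letters intact
echo "escaped 8-bit: ", bin2hex(escapedLatin5(SAMPLE_LATIN5)), "\n";   // 0xFD/0xF0 still present
echo "round-trip:    ", roundTripsUtf8(SAMPLE_LATIN5) ? "ok" : "failed", "\n";
```

The practical rule that follows from it: pick one charset for the whole pipeline (UTF-8 is the sensible choice), convert at the boundary where the bytes arrive, pass that same charset name to htmlspecialchars(), and send it in the `Content-Type` header. The `&amp;ccedil;` in Caner's output is the separate double-encoding problem discussed earlier in the thread: the value had already been passed through htmlentities() before it was stored.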