Is mb_check_encoding()
a must for secure PHP UTF-8 Apps?
Do I have to mandatorily use the function mb_check_encoding()
on absolutely every input data, passed to a PHP UTF-8 Application to be "secure"?
Whatare the reasons/attack vectors?
Please give a short explain as to why this is important / what the attack vectors are. The mb_check_encoding() helps to protect against "Invalid Encoding Attack". But where in PHP could these become obvious/a security risk?
1.) If all data is outputted via htmlspecialschars()
and I use prepared statements, is then the only remaining attack vector, that string comparisons might not match (comparing a valid with invalid UTF-8 for example in a security filter, where not matching might be problematic)? Or in the conrete example, would htmlspecialchars itself be vulnerable (if no correct UTF-8 is passend in) and would not encode the output, which of course would be a major security risk.
2.) Or are there worse complications comparable like buffer overflows, that allow directly hijacking the app?
3.) What further attack vectors/problems exist?