dqb78642 2010-03-09 21:01
Views: 74
Accepted

PHP: best security practice for displaying information?

In PHP, I know that using parameterized queries is the best way to prevent SQL injection.

But what about sanitizing user input that will be used for other purposes, such as:

  • Displaying back to a user (potential cross-site scripting vector)
  • Addressing an email or filling in the message body

Is htmlentities() the best way to sanitize for non-database usage? What is considered to be best practice here?


4 answers

  • duandi6531 2010-03-09 21:04

In PHP the best XSS filter is:

    htmlspecialchars($_POST['param'],ENT_QUOTES);
    

The reason why you also have to encode quotes is because you don't need <> to exploit some XSS. For instance, this is vulnerable to XSS:

print('<A HREF="http://www.xssed.com/'.htmlspecialchars($_REQUEST['xss']).'">link</a>');
    

You don't need <> to execute JavaScript in this case because you can use onmouseover; here is an example attack:

$_REQUEST['xss']='" onMouseOver="alert(/xss/)"';
    

The ENT_QUOTES takes care of the double quotes.

E-mail is a bit different: JavaScript shouldn't be executed by the mail client, and if it is, then your site isn't affected due to the Same Origin Policy. But to be on the safe side I would still use htmlspecialchars($var,ENT_QUOTES);. HOWEVER, PHP's mail() function can succumb to a different type of vulnerability; it's called CRLF injection. Here is an example vulnerability against PHP-Nuke. If you have a function call like this: mail($fmail, $subject, $message, $header); then you must make sure that a user cannot inject into $header.

    Vulnerable code:

    $header="From: \"$_GET[name]\" <$ymail>
    X-Mailer: PHP";
    

    patched:

// Strip CR and LF so the value can no longer start a new header line.
$_GET['name'] = str_replace(array("\r", "\n"), '', $_GET['name']);
$header="From: \"$_GET[name]\" <$ymail>
X-Mailer: PHP";
    
This answer was selected as the best answer by the asker.
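The two points in the accepted answer, attribute-context XSS that needs no angle brackets and CRLF injection into mail headers, put together in one runnable PHP script. This is an added example, not code from the original answer or from PHP-Nuke; the payloads are constructed attack strings, the addresses are placeholders, and the function names are my own.

```php
<?php
// Added example; this is not code from the original answer. It demonstrates
// (1) that an attribute-context XSS needs no < or >, so quotes must be encoded
// as well, and (2) that a mail header built from user input must not be able
// to contain CR or LF. Every input below is a constructed attack string and
// every address is a placeholder.
declare(strict_types=1);

// ---- 1. HTML output --------------------------------------------------------

// Escape for an HTML text node or a quoted attribute value. ENT_QUOTES encodes
// both " and ' so the value can never terminate the surrounding attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the answer's link with either weak or hardened escaping.
// ENT_COMPAT was the default before PHP 8.1: it encodes " but leaves ' alone,
// so a single-quoted attribute is still breakable with it.
function renderLink(string $untrusted, bool $hardened): string
{
    $escaped = $hardened
        ? escapeHtml($untrusted)
        : htmlspecialchars($untrusted, ENT_COMPAT, 'UTF-8');
    return "<a href='http://www.xssed.com/" . $escaped . "'>link</a>";
}

// ---- 2. Mail headers -------------------------------------------------------

// The answer's vulnerable construction: user input is dropped straight into
// a header line, so "\r\n" inside the name starts a brand new header.
function buildFromHeaderUnsafe(string $displayName, string $fromAddress): string
{
    return "From: \"$displayName\" <$fromAddress>\r\nX-Mailer: PHP";
}

// The answer's patch: remove CR and LF so the value cannot begin a new line.
function stripCrLf(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

// Stricter variant: treat a line break as an attack and refuse the request
// instead of silently rewriting it (worth logging when it happens).
function requireSingleLine(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('CR/LF in mail header value');
    }
    return $value;
}

// RFC 5322 quoted-string: inside the quotes, " and \ must be backslash-escaped,
// otherwise a name containing a quote closes the quoted string early.
function quoteDisplayName(string $name): string
{
    return '"' . addcslashes(requireSingleLine($name), "\"\\") . '"';
}

function buildFromHeaderSafe(string $displayName, string $fromAddress): string
{
    // A syntactically valid address cannot carry CR, LF, spaces or brackets.
    if (filter_var($fromAddress, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid From address');
    }
    return 'From: ' . quoteDisplayName($displayName) . " <$fromAddress>\r\nX-Mailer: PHP";
}

// ---- Demo ------------------------------------------------------------------

$xssPayload  = "' onmouseover='alert(/xss/)";          // constructed
$crlfPayload = "Alice\r\nBcc: everyone@example.org";   // constructed
$ymail       = 'noreply@example.com';                  // placeholder

echo "weak:     ", renderLink($xssPayload, false), "\n";
echo "hardened: ", renderLink($xssPayload, true), "\n\n";

echo "unsafe headers:\n", buildFromHeaderUnsafe($crlfPayload, $ymail), "\n\n";
echo "stripped: ", stripCrLf($crlfPayload), "\n";
try {
    echo buildFromHeaderSafe($crlfPayload, $ymail), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo "safe headers:\n", buildFromHeaderSafe("Alice \"the\" \\boss", $ymail), "\n";
```

With ENT_COMPAT the single quote in the payload survives, so the browser sees a real onmouseover attribute on the link; with ENT_QUOTES it is emitted as an entity and stays inside the href value. Since PHP 8.1 the default flags already include ENT_QUOTES and ENT_SUBSTITUTE, but passing them explicitly keeps the code correct on older runtimes. Two caveats the answer does not mention: escaping is context specific, so htmlspecialchars() does nothing against a javascript: URL placed in href or against data inserted into a script block, and for real mail a library that encodes headers for you (PHPMailer or Symfony Mailer) is safer than hand-building the header string at all.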
3 more answers (not shown)
