-- iceangel89 <comet2...@gmail.com> wrote
(on Saturday, 06 June 2009, 03:12 AM -0700):
> what do i need to know to develop an app that is relatively safe from common
> security issues like SQL Injections, XSS etc etc? 
> 
> did i read somewhere that getRequest()->getParam('something') will be
> filtered by default?

No, that is not the case, though it has been proposed. The problem with
this approach is that it is difficult to know what data will be
submitted -- and thus how it should be filtered. One possibility would
be to allow injecting a Zend_Filter_Input object, and only allow
retrieving values defined in that object. But this is a change that will
happen only in 2.0.

> btw, if something is filtered/escaped for SQL, i need to unescape it for
> display right? is that handled by ZF by default already? 
> 
> when i output for the output in HTML, how do i "escape" to reduce the risk
> of XSS? 
> what happens if i need to output HTML? i need to disable this behavior? 

The security mantra is "filter input, escape output." Within ZF,
filtering in this sense is usually the domain of Zend_Validate, which
allows you to be selective about what you consider valid input, while
escaping is the role of a variety of components, including Zend_View,
Zend_Filter, Zend_Db, and even the various server components.

Escaping happens anytime you are sending data somewhere else -- back to
the browser or other client, or even to the _database_.

What you're actually asking about is two different types of escaping.

When it comes to the database, you should be using Zend_Db_Select, the
adapter's quoting mechanism, or bound parameters. Zend_Db facilitates
all of this. As an example, using Zend_Db_Select's where() method, you
can be certain that the values will be escaped properly:

    $select->where('id = ?', $id);

Using either the adapter's or Zend_Db_Table's insert() or update()
methods, you also get appropriate escaping of the values provided.

When it comes to creating markup (HTML), use Zend_View's escape() method
when outputting suspect data:

    <?php echo $this->escape($this->foo) ?>

(In 2.0, we will make escaping the default within Zend_View, and require
you to explicitly ask for raw data if you don't want escaping.)

-- 
Matthew Weier O'Phinney
Project Lead            | matt...@zend.com
Zend Framework          | http://framework.zend.com/
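As an added example (not code from the thread or from Zend Framework itself), here is the "filter input, escape output" flow from the reply in plain PHP: PDO bound parameters stand in for Zend_Db's where('id = ?', $id), and htmlspecialchars() stands in for Zend_View's escape(). The users table and the request values are constructed, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example: "filter input, escape output" in plain PHP.
// PDO (pdo_sqlite assumed) stands in for Zend_Db's bound parameters and
// htmlspecialchars() for Zend_View::escape(). All data below is constructed.
declare(strict_types=1);

// 1. Filter input: accept only what the application actually expects.
//    An id must be a positive decimal integer (what Zend_Validate_Digits would check).
function filterId(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// 2. Escape for the database: the value travels as a bound parameter, so the
//    driver never lets it become part of the SQL statement itself.
function findUser(PDO $db, int $id): array
{
    // Equivalent in spirit to $select->where('id = ?', $id)
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Escape for HTML: applied only to untrusted data, at output time. Markup
//    the view itself produces is never passed through here, which is how you
//    can still "output HTML" while escaping the data placed inside it.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed in-memory fixture: one user whose name contains markup and a quote.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'Ann <b>O''Neil</b>')");

// Constructed request values: one valid id and one that is not an id at all.
foreach (['1', '1 OR 1=1'] as $rawId) {
    $id = filterId($rawId);
    if ($id === null) {
        echo "rejected at input filter: $rawId\n";   // never reaches the database
        continue;
    }
    foreach (findUser($db, $id) as $row) {
        // The <li> is the view's own markup; only the untrusted name is escaped.
        echo '<li>' . escapeHtml($row['name']) . "</li>\n";
    }
}
```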
