Stefan Esser:
> 2) Using mysql_real_escape_string() on user input does not make it safe
> for SQL. It only makes SQL strings safe.
> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
> is NOT secure but will result in no taint warning
Can you give a specific example? I'd like to know how likely such
things would be in real code.
> 3) Using htmlentities() on user input does not make it safe for HTML
> output. It only makes it safe in some situations.
> Example: echo '....<sometag style="some-attribute:
> ',htmlentities($user_input),'">'. Will allow XSS through the style
> attribute without a taint warning
> Example2: echo '....<img src="',htmlentities($user_input),'">'. Will
> allow XSS through javascript: URL (f.e. in Opera) without a taint warning
Or they could encrypt the entire URL and include a decryptor
(javascript or some other language) in the HTML text. Detecting
threats that involve script/applet/etc execution requires the
ability to realistically simulate every browser. I haven't
solved that one yet.
That doesn't mean that I should give up trying to warn people about
known-to-be-bad coding practices. I just can't warn them about all
possible ways to screw up.
Wietse
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
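The two points Stefan makes above (an escaped string is safe only inside a quoted SQL literal, and htmlentities() only stops you from breaking out of an attribute, not from putting a javascript: URL or script-capable CSS into it) can be reproduced outside a browser or a database. The following is an added example for this page, not code from the thread or from PHP: mysql_escape() and htmlentities() imitate the character handling of PHP's mysql_real_escape_string() and htmlentities(), and all queries, markup and payloads are constructed for the demonstration. It goes slightly beyond the posted cases: escapes_slot() checks any template by counting SQL tokens, and audit_attribute() checks any attribute, reporting separately whether the input broke out of the attribute and whether the value that stayed inside is still script-capable.

```python
"""Context-sensitive escaping: the same escaped string is safe in one
context and an injection in another.

Added example; not code from the PHP internals thread or from PHP itself.
mysql_escape() and htmlentities() imitate the character handling of PHP's
mysql_real_escape_string() and htmlentities(); the queries, markup and
payloads are constructed for the demonstration.
"""
import html
import re

# Characters mysql_real_escape_string() rewrites; everything else passes.
SQL_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
               "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def mysql_escape(value: str) -> str:
    """Imitates mysql_real_escape_string(): neutralises what can end a
    *quoted* literal.  Spaces, '=' and 'OR' are not its business."""
    return "".join(SQL_ESCAPES.get(c, c) for c in value)


def htmlentities(value: str) -> str:
    """Imitates htmlentities() with the default ENT_COMPAT flag: &, <, >
    and double quotes become entities; ':', '(' and ';' pass through."""
    return html.escape(value, quote=False).replace('"', "&quot;")


# --- SQL: a string escaper does nothing for an unquoted numeric slot ----
SQL_TOKEN = re.compile(r"'(?:\\.|[^'\\])*'|\w+|\S")  # literal | word | punct


def sql_tokens(query: str) -> list:
    """Minimal tokenizer: a backslash-aware single-quoted literal is one
    token, so escaped quotes inside it cannot add tokens."""
    return SQL_TOKEN.findall(query)


def escapes_slot(template: str, value: str) -> bool:
    """True if the escaped value adds tokens to the query compared with a
    benign value, i.e. it was not confined to the slot it was meant for.
    A demonstration heuristic, not a substitute for a taint checker."""
    benign = sql_tokens(template.format(mysql_escape("1")))
    hostile = sql_tokens(template.format(mysql_escape(value)))
    return len(hostile) != len(benign)


def numeric_slot(template: str, value: str):
    """What an unquoted numeric slot actually needs: integer coercion
    (PHP: intval() or an (int) cast).  Returns None for non-integers.
    A prepared statement with a bound parameter is better still."""
    try:
        return template.format(int(value))
    except ValueError:
        return None


# --- HTML: htmlentities() keeps you inside the attribute, nothing more --
ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_attributes(markup: str) -> dict:
    """Attributes as a browser sees them: entity-decoded values, split
    only at real (unescaped) double quotes."""
    return {n: html.unescape(v) for n, v in ATTR.findall(markup)}


def script_capable(attr: str, value: str) -> bool:
    """The browser-side checks htmlentities() never performs: a scripting
    scheme in a URL attribute (data: is treated as script-capable here),
    or script-capable CSS in a style attribute.  Lower-cased and stripped
    because browsers tolerate both."""
    v = value.strip().lower()
    if attr in ("src", "href"):
        return v.startswith(("javascript:", "vbscript:", "data:"))
    if attr == "style":
        return "expression(" in v or "javascript:" in v
    return False


def audit_attribute(tag_template: str, attr: str, user_input: str) -> dict:
    """Render user input into an attribute through htmlentities(), then
    report whether it broke out of the attribute (new attributes appeared
    or the input is no longer inside the intended one) and whether the
    value that stayed inside is still script-capable."""
    markup = tag_template.format(htmlentities(user_input))
    attrs = parse_attributes(markup)
    expected = set(parse_attributes(tag_template.format("")))
    return {
        "markup": markup,
        "broke_out": set(attrs) != expected
                     or user_input not in attrs.get(attr, ""),
        "script_capable": script_capable(attr, attrs.get(attr, "")),
    }


if __name__ == "__main__":
    q_num = "SELECT * FROM users WHERE id={}"
    q_str = "SELECT * FROM users WHERE id='{}'"
    print(escapes_slot(q_str, "1' OR '1'='1"))   # False: quotes confine it
    print(escapes_slot(q_num, "1 OR 1=1"))       # True: nothing to escape
    print(numeric_slot(q_num, "1 OR 1=1"))       # None: rejected
    img = '<img src="{}">'
    print(audit_attribute(img, "src", 'x" onerror="alert(1)'))  # contained
    print(audit_attribute(img, "src", "javascript:alert(1)"))   # still XSS
    div = '<div style="color: {}">'
    print(audit_attribute(div, "style", "red;x:expression(alert(1))"))
```

The token-count comparison is only a way to make the SQL point visible: in the quoted template every injected quote arrives escaped and the literal stays one token, while in the unquoted template the escaper has nothing to act on and `OR 1=1` lands as extra tokens. The same split appears on the HTML side: the `x" onerror="alert(1)` payload is contained because the only thing htmlentities() does, rewriting `"`, is exactly what breaking out needs, whereas `javascript:alert(1)` and the style payload contain no character it touches and are handed to the browser intact.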