Stefan Esser:

> 2) Using mysql_real_escape_string() on user input does not make it safe
> for SQL. It only makes SQL strings safe.
> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
> is NOT secure but will result in no taint warning

Can you give a specific example? I'd like to know how likely such things
would be in real code.

> 3) Using htmlentities() on user input does not make it safe for HTML
> output. It only makes it safe in some situations.
> Example: echo '....<sometag style="some-attribute:
> ',htmlentities($user_input),'">'. Will allow XSS through the style
> attribute without a taint warning
> Example2: echo '....<img src="',htmlentities($user_input),'">'. Will
> allow XSS through javascript: URL (f.e. in Opera) without a taint warning

Or they could encrypt the entire URL and include a decryptor (javascript
or some other language) in the HTML text.

Detecting threats that involve script/applet/etc execution requires the
ability to realistically simulate every browser. I haven't solved that
one yet. That doesn't mean that I should give up trying to warn people
about known-to-be-bad coding practices. I just can't warn them about all
possible ways to screw up.

	Wietse

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
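The following PHP is an added illustration of the two points quoted above; it is not code from the thread, from Stefan Esser or from Wietse Venema's taint checker. It places each context-mismatched escaping call beside a hardened form that constrains the input to what the context actually expects. Assumptions: addslashes() stands in for mysql_real_escape_string() so the script runs without a database connection (the stand-in escapes the same quote and backslash characters, which is all that matters for the point), the inputs at the bottom are constructed, and every function name is hypothetical.

```php
<?php
// Added example, not from the original thread. Shows why an escaper that is
// correct for one output context is not a sanitizer for a different one.
// Assumption: addslashes() is used as a stand-in for mysql_real_escape_string()
// so no database connection is needed. All function names are hypothetical.

// Stand-in for mysql_real_escape_string(): escapes quotes and backslashes,
// i.e. the characters that matter inside a *quoted* SQL string literal.
function sql_string_escape(string $s): string {
    return addslashes($s);
}

// Point 2: the id is interpolated unquoted, so a payload needs no quote at
// all and the escaper leaves it untouched.
function build_query_unsafe(string $id): string {
    return "SELECT * FROM t WHERE id=" . sql_string_escape($id);
}

// Hardened form: enforce the type the numeric context expects. (Prepared
// statements with a bound parameter are the general fix; this is the
// minimal one for an integer column.)
function build_query_safe(string $id): string {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException("id must be an unsigned integer");
    }
    return "SELECT * FROM t WHERE id=" . (int) $id;
}

// Point 3, Example2: htmlentities() returns a javascript: URL unchanged,
// because none of its characters are HTML-special.
function img_tag_unsafe(string $src): string {
    return '<img src="' . htmlentities($src, ENT_QUOTES, 'UTF-8') . '">';
}

// Hardened form: allowlist the URL scheme first, then entity-encode for the
// attribute. Scheme-less (relative) URLs are rejected here for brevity.
function img_tag_safe(string $src): string {
    $scheme = strtolower((string) (parse_url($src, PHP_URL_SCHEME) ?? ''));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("disallowed URL scheme: '$scheme'");
    }
    return '<img src="' . htmlentities($src, ENT_QUOTES, 'UTF-8') . '">';
}

// Point 3, Example: a style attribute. Semicolons, colons and parentheses are
// not HTML-special, so a value such as url(...) or the legacy IE expression(...)
// passes htmlentities() intact and is interpreted by the CSS parser.
function style_tag_unsafe(string $color): string {
    return '<span style="color: ' . htmlentities($color, ENT_QUOTES, 'UTF-8') . '">';
}

// Hardened form: accept only the shape the property should have (a hex colour)
// instead of trying to encode free text for a CSS context.
function style_tag_safe(string $color): string {
    if (!preg_match('/\A#[0-9a-fA-F]{6}\z/', $color)) {
        throw new InvalidArgumentException("not a hex colour");
    }
    return '<span style="color: ' . $color . '">';
}

// Constructed inputs. The escaper changes nothing in the first of each pair.
$cases = [
    [fn() => build_query_unsafe("1 OR 1=1"),  'build_query_unsafe'],
    [fn() => build_query_safe("1 OR 1=1"),    'build_query_safe'],
    [fn() => img_tag_unsafe("javascript:alert(1)"), 'img_tag_unsafe'],
    [fn() => img_tag_safe("javascript:alert(1)"),   'img_tag_safe'],
    [fn() => style_tag_unsafe("red; background: url(javascript:alert(1))"), 'style_tag_unsafe'],
    [fn() => style_tag_safe("red; background: url(javascript:alert(1))"),   'style_tag_safe'],
    [fn() => style_tag_safe("#336699"), 'style_tag_safe (valid)'],
];
foreach ($cases as [$fn, $name]) {
    try {
        printf("%-26s %s\n", $name . ':', $fn());
    } catch (InvalidArgumentException $e) {
        printf("%-26s rejected (%s)\n", $name . ':', $e->getMessage());
    }
}
```

Run with `php example.php`; each unsafe variant prints the payload verbatim inside the query or tag, while each hardened variant either rejects it or emits only the allowlisted value. The point a taint checker cannot see from the escaping call alone is the context on the left of the concatenation: a string escaper, an entity encoder and an integer cast are each correct for exactly one of these sinks.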