Michael wrote:
>> As for books, there are a great deal of books out there that are
>> teaching terrible procedural PHP code. I happened to read a textbook
>> used by a large University here in Melbourne, MySQL queries had no
>> 'real_escape_string', $_GET variables were echoed directly to page with
>> no htmlentities. We should be advocating the use of good code, and
>> teaching these things properly.
>>
>
> What is the point of this? Is it a guard against XSS?
>

This will prevent XSS yes, and also because if they insert HTML characters like <> they can break the page layout. A good bet is to use htmlspecialchars() on all user data being printed to page. Classic example was TradeMe a few years back, you could insert HTML in an error parameter on auction pages.

Was something like:

http://www.trademe.co.nz/Browse/Listing.aspx?id=19283091283&error=Bid%20amount%20must%20be%20more%20than%20current%20bid

Looked rather innocuous, people were playing with it by saying silly messages in the error. I realised you could insert just enough text to allow an IFRAME or SCRIPT tag to externally hosted javascript. You could then access other people's cookies to duplicate their sessions (if they had enabled 'keep me logged in').

I told TradeMe about this security hole, they fixed the problem and they subsequently banned me. Many phone calls later my account was reactivated and I received a warning.... No 'thanks for helping' or anything.

-Stig

--
Stig Manning
http://www.sdm.co.nz

NZ PHP Users Group: http://groups.google.com/group/nzphpug
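The pattern Stig describes, as an added example that is not part of the original thread: a reflected error message echoed straight from `$_GET` beside the `htmlspecialchars()` version he recommends, plus a bound-parameter query for the "no real_escape_string" point Michael quoted. The `listings` table, the `$mysqli` connection and the sample error string are assumptions made for this illustration.

```php
<?php
// Added example (not from the mailing-list post): the unsafe echo pattern
// beside its hardened form, and a prepared statement for the DB side.
declare(strict_types=1);

// Sample "error" query-string value, constructed for this example. A benign
// message is what users normally see; markup in the parameter is the problem.
$sampleError = 'Bid amount must be more than current bid<script>alert(1)</script>';

// Vulnerable rendering: the raw parameter is interpolated into the page, so
// any tag it contains becomes part of the DOM (reflected XSS, and broken
// layout for stray < > characters).
function render_error_unsafe(string $error): string
{
    return '<p class="error">' . $error . '</p>';
}

// Hardened rendering: encode every user-supplied string at the point it is
// printed. ENT_QUOTES also encodes the single quote so the value is safe inside
// single-quoted attributes; ENT_SUBSTITUTE avoids returning "" on bad UTF-8;
// the explicit charset prevents encoding surprises.
function render_error_safe(string $error): string
{
    return '<p class="error">'
        . htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Database side: bind the value instead of pasting it into the SQL string.
// $mysqli is assumed to be a connected mysqli instance and the listings table
// is hypothetical. get_result() needs the mysqlnd driver.
function find_listing(mysqli $mysqli, string $id): ?array
{
    $stmt = $mysqli->prepare('SELECT id, title FROM listings WHERE id = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Demonstration: the unsafe version passes the <script> tag through untouched;
// the safe version emits &lt;script&gt;alert(1)&lt;/script&gt;, which the
// browser displays as literal text instead of executing.
$error = $_GET['error'] ?? $sampleError;
echo render_error_unsafe($error), "\n";
echo render_error_safe($error), "\n";
```

Encoding at output time (rather than on input) is the general rule: the same string may be safe in a plain-text email and dangerous in HTML, so the escaping belongs where the context is known.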
