About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.

PHP Advent Calendar Day 15

Today's entry, provided by Paul Reinheimer, is entitled Channels and Output.

Paul Reinheimer

Name
Paul Reinheimer
Blog
blog.preinheimer.com
Biography
Born in Vancouver, raised in Ontario, educated in Windsor, currently roaming the streets of beautiful Montreal. When not fighting off crazy Internet vixens, Paul pays his hosting and Internet bills by taking care of training for php|architect, launching his own projects like funcaday, and speaking at various conferences.
Location
Montreal, Canada

When getting started with PHP programming, we memorize rules that those who came before us hand down, such as:

  • Use mysql_real_escape_string() when you're sending data to a MySQL database.

  • Use htmlentities() when you're outputting data to a web page.

The rules might not initially make a lot of sense, but given time, we learn.

The primary reason we have such rules isn't that MySQL does a poor job of interpreting data and browsers are silly, but that we're sending data and commands (or data and metadata) through the same channel. A single stream of information carries information like php.net and instructions like <title> tags. With a single stream that carries both the instructions and the data, the receiving system might misinterpret one for the other. This misinterpretation is the basis of problems like cross-site scripting and SQL injection.

To protect against these attacks, you have two choices. You can either separate the streams or escape the data to avoid confusion. When you use prepared statements with SQL, you are essentially separating the streams; the queries you send to the database are sent separately from the data, maintaining the necessary distinction.

Using separate channels is secure and convenient, but it isn't always an option. An alternative option is to escape the data. Escaping is deceptively simple; determine which characters might be misinterpreted as instructions (special characters), and escape those characters to preserve their original meaning. Native functions exist for most common contexts, such as htmlentities() for HTML and mysql_real_escape_string() for MySQL.

Be sure to take character encoding into account. For HTML, The Content-Type header should indicate the same character encoding as htmlentities(). For MySQL, mysql_real_escape_string() maintains this consistency for you.

The next time you're sending data to an external resource, see if it's possible to separate the channels. If not, refer to the external resource's documentation to determine which characters are treated in a special way, and escape your data accordingly.

About This Post

PHP Advent Calendar Day 15 was posted on Sat, 15 Dec 2007 at 23:57:43 GMT.

2 Comments

1. Jorrit Schippers's GravatarJorrit Schippers said:

Nowadays I use htmlspecialchars(), because entities such as &euml; are not allowed in XHTML, and if you have your character encodings right, ë should work just as well as &euml;

Sun, 16 Dec 2007 at 11:09:56 GMT Link

2. Lars Gunther's GravatarLars Gunther said:

Could be better:

It is time to teach prepared statements. That is even better than mysql_real_escape_string(). I teach PHP to newbies as a job. Nowadays I start with PDO, and make only mention the mysql interface.

I good:

Otherwise I agree, and I think it's important to explain the principle, as people are confusing filtering with escaping all the time.

Sun, 16 Dec 2007 at 11:12:04 GMT Link

Post A Comment

Personal Details and Comment

Style Guide

Line breaks are converted to paragraphs. Also use:

  • <a href="" title="">text</a>1
  • <em>text</em>
  • <blockquote><p>text</p></blockquote>
  • <code>2  <?php  if ($foo) {      $foo = TRUE;  }  ?></code>
  1. Note: <code> can be used inline (e.g. in paragraphs) or in a block as shown. Include whitespace and newlines in blocks.

Please enter Chris (my first name) below. This is a primitive spam prevention technique, and I apologize for the inconvenience.

Preview and Submit

Upcoming Talks

O'Reilly Open Source Convention

21 - 25 Jul 2008

At Oregon Convention Center, Portland, Oregon.

ZendCon

15 - 18 Sep 2008

In Santa Clara, California.

PHP Appalachia

11 - 14 Oct 2008

At Big Bear Lodge, Gatlinburg, Tennessee.

New Comments

Ash Searle wrote:

It might be worth changing your example code from using htmlentities to htmlspecialchars. Runn...

Posted in Allowing HTML and Preventing XSS
Chris Shiflett wrote:

Hi Steve, According to the NYT Manual of Style and Usage, it's push-up: Most but not all co...

Posted in Miscellaneous
steve wrote:

so, is it push up, pushup or push-up? just curious... --steve --www.hundredpushups.com

Posted in Miscellaneous
Walter Lawless wrote:

It's sad to think that even now, nearly 4 years after this was originally written, that there are...

Posted in
Asanka Dewage wrote:

I've been a Mac user for over a year now and I didn't know about the [say] command! What a nifty ...

Posted in Miscellaneous

Browse Comments