To protect our web application, the first thing is never trust any input. We must escape every inputs properly. Php comes with many escape functions .For input escaping , htmlentities() function converts all applicable characters to HTML entities. It has 4 parameters. The first arguments takes the string to escape. The second argument is the quote style. There are 3 types of styles:
1. ENT_COMPAT: this will convert double quotes and leaves the single quotes.
2. ENT_QUOTES: this will convert both single and double quotes.
3. ENT_NOQUOUTES: this will leave both single and double quotes.
The third parameter is the charset. The default is ISO-8859-1 and the fourth parameter is double_encodes. If it is set to off , then php will not encode existing html entities, the default is On.
There is a similar function called htmlspecialchars() with the exception is that htmlentities convert all characters and htmlspecialchars encodes only special characters.
The translations performed are:
• '&' (ampersand) becomes '&'
• '"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
• ''' (single quote) becomes ''' only when ENT_QUOTES is set.
• '<' (less than) becomes '<'
• '>' (greater than) becomes '>'
This function has the same 4 parameters of htmlentities. These 2 function uses the html translation table. We can find with the function get_html_translation_table.
$trans = get_html_translation_table(HTML_ENTITIES);
$str = "Hallo &
$encoded = strtr($str, $trans);
echo $encoded;
?>
We can decode the encoded string with respective decode functions : html_entity_decode and htmlspecialchars_decode .
The functions urlencode and rawurlencode is used for encoding data on the url. This helps to hide any important data from possible attackers. The difference between these 2 is that the first function converts spaces into ‘+’ sign. Urldecode and rawurldecode decodes the encoded data. The encoded data in $_GET and $_REQUEST method automatically decodes data.
Filtering data:
So, We must filter any input data before use. There are 2 approaches .
1. Blacklist approach: In this approach, we assume every thing is secure except the some given listed data. If any input matches the given data, we will treat is as tainted.
2. Whitelist approach: This approach assumes that all are tainted except some given data. If a data matches this given data, then we can say this data is safe to proceed.
We can use ctype_* and is_* functions for filtering inputs. These functions check whether the given data is our required data type.
if (ctype_alpha($_POST[’username’]))
{
$clean[’username’] = $_POST[’username’];
}
if (ctype_alnum($_POST[’password’]))
{
$clean[’password’] = $_POST[’password’];
}
$colours = array(’Red’, ’Blue’, ’Yellow’, ’Green’);
if (in_array($_POST[’colour’], $colours))
{
$clean[’colour’] = $_POST[’colour’];
}
Here we are checking the input data whether they are of specified type. Sometimes client-side javascript validation is not necessary for filtering, as there is one security issue called ‘spoofed form’. We will talk about this later. So, we must not rely on client-side javascript. We need to use server side filtering also.
This is not all about web security in php world. We will focus on the rest later on.
Posts
