To protect a web application, the first rule is to never trust any input. Every input must be escaped properly before it is used. PHP comes with many escape functions. For escaping input that will be placed in HTML, the htmlentities() function converts all applicable characters to HTML entities. It takes 4 parameters. The first argument is the string to escape. The second argument is the quote style. There are 3 styles:
1. ENT_COMPAT: converts double quotes and leaves single quotes alone.
2. ENT_QUOTES: converts both single and double quotes.
3. ENT_NOQUOTES: leaves both single and double quotes alone.
The third parameter is the charset. The default is ISO-8859-1. The fourth parameter is double_encode. If it is set to false, PHP will not encode existing HTML entities again; the default is true.
There is a similar function called htmlspecialchars(). The difference is that htmlentities() converts all characters that have an HTML entity equivalent, while htmlspecialchars() encodes only the special characters.
The translations performed by htmlspecialchars() are:
• '&' (ampersand) becomes '&amp;'
• '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
• ''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
• '<' (less than) becomes '&lt;'
• '>' (greater than) becomes '&gt;'
This function takes the same 4 parameters as htmlentities(). Both functions use the HTML translation table, which we can inspect with the function get_html_translation_table(). The same table can be applied by hand with strtr():
$trans = get_html_translation_table(HTML_ENTITIES);
$str = "Hallo &";
$encoded = strtr($str, $trans); // "Hallo &amp;"
We can decode an encoded string with the respective decode functions: html_entity_decode() and htmlspecialchars_decode().
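The following is an added example, not code from the original article, showing the unsafe and the escaped way of placing an untrusted value into HTML, the difference between htmlentities() and htmlspecialchars(), the effect of the double_encode parameter, and the matching decode functions. The "name" query parameter and the sample value are assumptions constructed for the example.

```php
<?php
// Added example (not from the original article): escaping untrusted text
// before it is placed into an HTML document.
// Assumed: a "name" query parameter supplied by the user; the fallback
// value below is a constructed sample containing markup and both quotes.

declare(strict_types=1);

$untrusted = $_GET['name'] ?? '<b onmouseover="alert(1)">O\'Brien & Co</b>';

// Unsafe: the raw value is written straight into the page, so any markup
// in it is rendered (and any script handlers run) by the browser.
$unsafe = "<p>Hello, $untrusted</p>";

// Safe: htmlspecialchars() with ENT_QUOTES escapes &, <, >, " and '.
// The charset is passed explicitly so the result does not depend on the
// default of the PHP version in use.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$safe = '<p>Hello, ' . escapeHtml($untrusted) . '</p>';
// $safe is:
// <p>Hello, &lt;b onmouseover=&quot;alert(1)&quot;&gt;O&#039;Brien &amp; Co&lt;/b&gt;</p>

// htmlentities() goes further and also converts every character that has a
// named entity, e.g. the e-acute in "café" becomes &eacute;.
$entities = htmlentities('café <x>', ENT_QUOTES, 'UTF-8');
// caf&eacute; &lt;x&gt;

// double_encode: with the fourth parameter set to false, an entity that is
// already present in the input is left alone instead of becoming &amp;lt;.
$twice = htmlspecialchars('&lt;already&gt;', ENT_QUOTES, 'UTF-8', true);  // &amp;lt;already&amp;gt;
$once  = htmlspecialchars('&lt;already&gt;', ENT_QUOTES, 'UTF-8', false); // &lt;already&gt;

// The matching decode functions reverse the transformation.
$roundTrip = htmlspecialchars_decode(escapeHtml($untrusted), ENT_QUOTES) === $untrusted; // true
$decoded   = html_entity_decode($entities, ENT_QUOTES, 'UTF-8');                       // café <x>

echo $safe, PHP_EOL;
```

Escape at the point where the value is written into HTML, and keep the charset argument consistent with the charset the page is served with; a mismatch can let the browser interpret bytes differently from the escaping function.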
The functions urlencode() and rawurlencode() are used for encoding data placed in a URL. This helps to hide any important data from possible attackers. Keep in mind, though, that URL encoding is fully reversible and provides no confidentiality; its purpose is to keep characters such as '&', '=' and '/' in the data from changing the structure of the URL. The difference between the two functions is that urlencode() converts spaces into the '+' sign, while rawurlencode() converts them to '%20'. urldecode() and rawurldecode() decode the encoded data. Data arriving in $_GET and $_REQUEST is decoded automatically by PHP.
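As an added example that is not part of the original article, the block below builds a query string from an untrusted value with rawurlencode(), shows how the output of urlencode() and rawurlencode() differ for the same input, and decodes both with their matching functions. The base URL, the parameter names and the sample search string are constructed for the example.

```php
<?php
// Added example (not from the original article): encoding untrusted values
// into a URL. The base URL, parameter names and sample value are assumed.

declare(strict_types=1);

$search = 'red & blue/50% off';   // constructed sample value

// urlencode() follows application/x-www-form-urlencoded: spaces become '+'.
$q1 = urlencode($search);     // red+%26+blue%2F50%25+off
// rawurlencode() follows RFC 3986: spaces become %20.
$q2 = rawurlencode($search);  // red%20%26%20blue%2F50%25%20off

// Build a URL safely: every key and value is encoded, so '&', '=' and '/'
// inside the data can no longer change the structure of the query string.
function buildSearchUrl(string $base, array $params): string
{
    $parts = [];
    foreach ($params as $key => $value) {
        $parts[] = rawurlencode((string) $key) . '=' . rawurlencode((string) $value);
    }
    return $base . '?' . implode('&', $parts);
}

$url = buildSearchUrl('https://example.com/search', ['q' => $search, 'page' => 2]);
// https://example.com/search?q=red%20%26%20blue%2F50%25%20off&page=2

// The decoders reverse the encoding. urldecode() also turns '+' back into a
// space, which is why it is the right partner for urlencode().
$back1 = urldecode($q1);     // red & blue/50% off
$back2 = rawurldecode($q2);  // red & blue/50% off

// Values arriving in $_GET are already decoded by PHP, so do not call
// urldecode() on them a second time: a literal '%2B' a user typed would be
// turned into '+' and then into a space, silently changing the data.
echo $url, PHP_EOL;
```

PHP's built-in http_build_query() does the same job as buildSearchUrl() for the common case; the hand-written version is shown only to make the encoding of each key and value visible.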
So we must filter any input data before using it. There are 2 approaches:
1. Blacklist approach: we assume everything is safe except the data in a given list. If an input matches the list, we treat it as tainted.
2. Whitelist approach: we assume everything is tainted except the data in a given list. If an input matches the list, we can say it is safe to proceed.
We can use the ctype_* and is_* functions for filtering inputs. These functions check whether the given data is of the required type or character class.
$clean['username'] = $_POST['username'];
$clean['password'] = $_POST['password'];
$colours = array('Red', 'Blue', 'Yellow', 'Green');
if (in_array($_POST['colour'], $colours))
    $clean['colour'] = $_POST['colour'];
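The following is an added example, not code from the original article, that applies the whitelist approach to a whole request: each field is copied into $clean only after it passes an explicit check built from preg_match(), ctype_digit(), ctype_xdigit(), is_string() and a strict in_array(). The field names, rules and the sample request are assumptions constructed for the example.

```php
<?php
// Added example (not from the original article): a whitelist filter that
// copies request fields into $clean only after validation. The field names,
// the rules and the sample request below are assumptions for illustration.

declare(strict_types=1);

// Constructed sample request, standing in for $_POST.
$request = [
    'username' => 'alice_01',
    'age'      => '34',
    'colour'   => 'Blue',
    'token'    => 'deadbeef',
];

/**
 * Returns the validated subset of $input. Fields that fail a check are
 * simply omitted: everything not explicitly allowed is rejected.
 */
function filterInput(array $input): array
{
    $clean = [];

    // username: 3-32 characters, letters, digits and underscore only.
    $username = $input['username'] ?? '';
    if (is_string($username) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1) {
        $clean['username'] = $username;
    }

    // age: digits only (ctype_digit() rejects signs, spaces and the empty
    // string), followed by a range check on the integer value.
    $age = $input['age'] ?? '';
    if (is_string($age) && ctype_digit($age) && (int) $age >= 13 && (int) $age <= 120) {
        $clean['age'] = (int) $age;
    }

    // colour: must be one of a fixed set. The third argument makes the
    // comparison strict, so values such as 0 or true cannot match loosely.
    $colours = ['Red', 'Blue', 'Yellow', 'Green'];
    $colour = $input['colour'] ?? null;
    if (in_array($colour, $colours, true)) {
        $clean['colour'] = $colour;
    }

    // token: hexadecimal characters only.
    $token = $input['token'] ?? '';
    if (is_string($token) && ctype_xdigit($token)) {
        $clean['token'] = $token;
    }

    return $clean;
}

$clean = filterInput($request);
// ['username' => 'alice_01', 'age' => 34, 'colour' => 'Blue', 'token' => 'deadbeef']

// A tainted request: markup in the username, a negative age, an unknown
// colour and no token. Every field is rejected and nothing reaches $clean.
$rejected = filterInput(['username' => '<script>', 'age' => '-5', 'colour' => 'Pink']);
// []

var_dump($clean, $rejected);
```

Note the is_string() checks before the ctype_* calls: request values can be arrays (for example from a parameter like colour[]), and passing an array to a string function is an error rather than a clean rejection.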
This is not everything there is to web security in the PHP world. We will cover the rest later on.