
[nycphp-talk] escaping

David Mintz david at davidmintz.org
Wed Jan 23 16:42:12 EST 2008


It sounds like you're talking about input filtering. By escaping I think we
generally mean on the output side. If for example you want to display in a
form textfield the text

       John "KIller" Somebody

what would happen if you don't replace the quote characters with the
corresponding html entity?

       <input type="text" value="John "KIller" Somebody" />

Premature field termination. That's just one example. If there were evil
javascript in there and you didn't escape it, one user could enter something
that would allow her/him to steal another user's cookies and hijack her/his
session, for example. Cross-site scripting, they call it.

http://us2.php.net/manual/en/function.htmlentities.php

http://en.wikipedia.org/wiki/Cross-site_scripting



On Jan 23, 2008 4:09 PM, Ben Sgro <ben at projectskyline.com> wrote:

> what about http://myViagra.com?
>
> You'll probably need a robust solution for managing all the crap people
> can stick into your blog comment space.
> Is it a home made blog? (Your own code?) or an off the shelf thing?
>
> - Ben
>
> Susan Shemin wrote:
> > Is this "escaping" that you guys have been talking about what you use
> > to filter acceptable data into textbox form?
> >
> > If so, can you explain exactly what is being used (e.g., htmlentities)
> > and how to use it?
> >
> > Actually I need to filter out nonpermitted characters since someone
> > put a Viagra advertisement into the php blog I created!  (Caught it
> > quite quickly and deleted the entry from the database.)  I'd like to
> > exclude "www." from being entered into a form.
> >
> > Susan
> > _______________________________________________
> > New York PHP Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > NYPHPCon 2006 Presentations Online
> > http://www.nyphpcon.com
> >
> > Show Your Participation in New York PHP
> > http://www.nyphp.org/show_participation.php



-- 
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness
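As an added illustration of the attribute-termination problem described above (example code written for this archive page, not part of David's message; the function names are my own), here is the raw interpolation beside the same field rendered through htmlspecialchars(), which is the narrower cousin of the htmlentities() function linked above:

```php
<?php
// Added example, not from the original thread. Compares rendering a
// user-supplied value into an HTML attribute with and without escaping.

// Unsafe: a double quote inside $value closes the attribute early, so the
// rest of the value is parsed as markup instead of text.
function renderFieldRaw(string $value): string
{
    return '<input type="text" value="' . $value . '" />';
}

// Safe: every character with special meaning in HTML (& < > " ') is
// converted to its entity, so the browser treats the whole string as
// attribute text. ENT_QUOTES also converts single quotes, which matters
// when the attribute is delimited with them; ENT_SUBSTITUTE avoids
// returning an empty string on invalid UTF-8 input.
function renderFieldEscaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" value="' . $safe . '" />';
}

// Constructed sample input, the same name used in the message above.
$name = 'John "KIller" Somebody';

// Escape at output time, per context. The raw value can stay unchanged
// in the database; what changes is how it is written into the page.
echo renderFieldRaw($name), "\n";
echo renderFieldEscaped($name), "\n";

// htmlentities() goes further and also converts every character that has
// a named entity (accented letters, for instance). For attributes and
// element text, htmlspecialchars() is normally enough.
echo htmlentities('Café & <b>', ENT_QUOTES, 'UTF-8'), "\n";
```

The first echo reproduces the broken `<input>` tag shown in the message; the second keeps the quotes as `&quot;` so the field displays the full name. Escaping is specific to where the value lands, so a value written into a JavaScript string or a URL needs that context's encoding rather than HTML entities.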