Chris Shiflett posted the slides from a recent talk on PHP security. He set up three security challenges (see the source files).
He showed off something I had not noticed before. htmlentities() takes a third argument that names the character set of the input, so it can handle multibyte text correctly instead of assuming a default encoding.
Shiflett's approach to untainting user input is straightforward: escape each value for HTML output as soon as it is read, and keep the escaped copies in a separate array so the code that follows only ever touches the filtered versions:
$html = array();
/* ENT_QUOTES encodes both ' and ", so the value is safe inside quoted attributes as well as element content */
$html['variable'] = htmlentities($_GET['variable'], ENT_QUOTES, "utf-8");
/* Code using $html */
You could build on that to set defaults:
$html = array('variable' => 'default');
foreach ($_GET as $key => $value) {
    /* every parameter in the request lands in $html, escaped, whether the page expected it or not */
    $html[$key] = htmlentities($value, ENT_QUOTES, "utf-8");
}
/* Code using $html */
And log requests that carry parameters the page does not expect:
$html = array('variable' => 'default');
foreach ($_GET as $key => $value) {
    $untainted = htmlentities($value, ENT_QUOTES, "utf-8");
    if (array_key_exists($key, $html)) {
        $html[$key] = $untainted;
    }
    else {
        /* $key is attacker-controlled too, so escape it before it reaches the log */
        $safe_key = htmlentities($key, ENT_QUOTES, "utf-8");
        error_log("[Input Filter] Request had " .
                  "unexpected parameter $safe_key => $untainted");
    }
}
/* Code using $html */
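Here is the defaults-plus-logging pattern from the two snippets above pulled into functions, so it can be run against a constructed request instead of the live $_GET. This is an added example, not code from Shiflett's slides or from this post; the function names escape_for_html() and filter_request() are my own, and the ENT_SUBSTITUTE flag it uses assumes PHP 5.4 or later. It also shows the one thing the bare snippets hide: when the declared charset is utf-8 and the input is not valid UTF-8, htmlentities() returns an empty string, so a parameter can silently vanish unless you check for that.

```php
<?php
// Added example (not from Shiflett's slides or the original post). Assumes PHP 5.4+
// for ENT_SUBSTITUTE. Function names are mine.

// Escape one value for HTML output, declaring the expected encoding. ENT_QUOTES
// encodes both ' and ", so the result is safe in quoted attributes as well as
// element content. With charset utf-8, an invalid byte sequence makes
// htmlentities() return '' (pre-5.4 behaviour and 5.4+ without ENT_SUBSTITUTE),
// so that case is detected and retried with replacement characters rather than
// letting the value disappear.
function escape_for_html($value, $charset = 'UTF-8') {
    $escaped = htmlentities($value, ENT_QUOTES, $charset);
    if ($escaped === '' && $value !== '') {
        // Invalid byte sequence for the declared charset: substitute U+FFFD.
        $escaped = htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
    }
    return $escaped;
}

// Build $html: every expected key starts at its default, every expected key
// present in the request gets the escaped request value, and any key the page
// did not ask for is appended to $log instead of being copied in.
function filter_request(array $defaults, array $request, array &$log) {
    $html = $defaults;
    foreach ($request as $key => $value) {
        if (!is_string($value)) {
            // "a[]=1" arrives as an array; htmlentities() would warn and return null.
            $log[] = "[Input Filter] Non-scalar parameter " . escape_for_html($key);
            continue;
        }
        $untainted = escape_for_html($value);
        if (array_key_exists($key, $html)) {
            $html[$key] = $untainted;
        } else {
            // The key is attacker-controlled as well, so it is escaped before logging.
            $log[] = "[Input Filter] Request had unexpected parameter "
                   . escape_for_html($key) . " => " . $untainted;
        }
    }
    return $html;
}

// Constructed request standing in for $_GET.
$request = array(
    'variable' => '<script>alert("xss")</script>',
    'name'     => "O'Brien",
    'extra'    => "\xff\xfe",          // not valid UTF-8
    'list'     => array('1', '2'),     // from list[]=1&list[]=2
);
$log  = array();
$html = filter_request(array('variable' => 'default', 'name' => ''), $request, $log);

// $html['variable'] is now &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;
// $html['name'] is O&#039;Brien, and $html has no 'extra' or 'list' key.
foreach ($log as $line) {
    error_log($line);
}
```

The escaping is for HTML body and attribute context only; a value that ends up inside a URL, a JavaScript string or a SQL statement needs the escaping appropriate to that context, and the charset argument should match what the page actually declares in its Content-Type.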
One long line in the example was causing a glitch in IE6, so I reformatted it.