Untainting in PHP

Chris Shiflett posted the slides from a recent talk on PHP security. He set up three security challenges (see the source files).

He showed off something I had not noticed before: htmlentities() takes a character-set argument (its third parameter), so you can tell it the input is UTF-8 instead of relying on whatever the default happens to be.

Shiflett has a straightforward approach to untainting user input:

    $html = array();

    // Escaped copy for HTML output; use $html, never $_GET, from here on.
    $html['variable'] = htmlentities($_GET['variable'], ENT_QUOTES, "utf-8");

    /* Code using $html */

You could build on that to set defaults, so the page still has a value when the parameter is missing:

    $html = array('variable' => 'default');

    // Every parameter sent lands in $html, escaped for HTML output.
    foreach ($_GET as $key => $value) {
        $html[$key] = htmlentities($value, ENT_QUOTES, "utf-8");
    }

    /* Code using $html */

And log suspicious requests, copying only the parameters the page actually expects (the loop above lets any key the client chooses into $html):

    $html = array('variable' => 'default');

    foreach ($_GET as $key => $value) {
        $untainted = htmlentities($value, ENT_QUOTES, "utf-8");

        // Only keys declared in $html are accepted; anything else is logged.
        if (array_key_exists($key, $html)) {
            $html[$key] = $untainted;
        }
        else {
            error_log("[Input Filter] Request had " .
                      "unexpected parameter $key => $untainted");
        }
    }

    /* Code using $html */

One long line in the example was causing a glitch in IE6, so I reformatted it.
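As an added example (not Shiflett's code, nor from his slides), here is the same whitelist-and-log pattern written as a reusable function, with the edge cases a real request throws at it: PHP turns ?a[]=1 into an array, which htmlentities() cannot take; since PHP 5.4 htmlentities() returns an empty string for invalid UTF-8 unless ENT_SUBSTITUTE is passed; and the parameter name written to the log is attacker-controlled, so it needs its own cleanup or a client can forge log entries with an embedded newline. The function names (filter_request, untaint_html, log_safe) and the request array are this example's own; the request is constructed inline to stand in for $_GET.

```php
<?php
// Added example of the untainting pattern discussed above; not the
// original post's code. Function names and sample data are made up here.

/**
 * Escape one request value for an HTML body or attribute context.
 * ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of making
 * htmlentities() return an empty string (its behaviour since PHP 5.4).
 */
function untaint_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Make a request key or value safe for a log line: keep printable ASCII
 * only (so no newlines, no terminal escapes) and cap the length.
 */
function log_safe(string $value, int $max = 64): string
{
    $clean = preg_replace('/[^\x20-\x7E]/', '?', $value);
    return strlen($clean) > $max ? substr($clean, 0, $max) . '...' : $clean;
}

/**
 * Build the $html array from a request. $expected maps every parameter
 * the page uses to its default; anything else is logged, never copied.
 * Returns [$html, $log] so the caller decides where the log lines go.
 */
function filter_request(array $expected, array $request): array
{
    $html = $expected;
    $log  = [];

    foreach ($request as $key => $value) {
        $key = (string) $key;   // numeric query keys arrive as ints

        // ?a[]=1 produces an array; there is no sensible HTML escaping of it.
        if (!is_string($value)) {
            $log[] = '[Input Filter] Non-scalar parameter ' . log_safe($key);
            continue;
        }

        if (array_key_exists($key, $expected)) {
            $html[$key] = untaint_html($value);
        } else {
            $log[] = sprintf('[Input Filter] Request had unexpected parameter %s => %s',
                             log_safe($key), log_safe($value));
        }
    }

    return [$html, $log];
}

// Constructed request standing in for $_GET (already URL-decoded).
$request = [
    'variable' => '<script>alert("x")</script>',
    'q'        => "\xC3\x28",                        // invalid UTF-8
    'debug'    => "1\n[Input Filter] forged entry",  // log injection attempt
    'arr'      => ['1'],                             // from ?arr[]=1
];

$expected = ['variable' => 'default', 'q' => '', 'page' => '1'];

[$html, $log] = filter_request($expected, $request);

foreach ($log as $line) {
    error_log($line);
}

// 'page' was not sent, so $html['page'] still holds its default;
// 'debug' and 'arr' never reach $html at all.
foreach ($html as $key => $value) {
    echo "$key: $value\n";
}
```

One caveat that applies to every example on this page: htmlentities() makes a value safe to print into HTML text or a quoted attribute, and nothing else. The same $html value is still tainted for a JavaScript string, a URL, a shell command or an SQL query, each of which needs its own encoding or, for SQL, a parameterised query.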
