Keith Devens .com


Friday, January 7, 2005

Web site security holes

SQL Injection Attacks by Example, via Joseph[1].

Look. It's really easy:

Escape everything that comes in. Escape everything that goes out.

If you're sticking something into an SQL string and not escaping it, then that's bad -- unless of course you've already confirmed that it's (for instance) numeric, or you're being a fancy pants and using prepared statements.

If you're outputting something (into an HTML stream) and not escaping it, then that's bad. I see so many people using tags in Smarty and outputting variables like {$var}. AFAIK, Smarty doesn't do any automatic escaping, so you're really opening yourself up to XSS attacks, or at least allowing your HTML to be broken. I do almost all my (HTML) output in PHP with the following function:

<?php
// Shorthand for HTML-escaping a value before it goes into the output stream.
function e($str) { echo htmlspecialchars($str); }
?>

It's even easier than typing echo, except I need parens.
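An added example, not from the post, showing both rules on one search page: the vulnerable handler that splices input into SQL and echoes data raw, next to a hardened one that binds the value through a PDO prepared statement and routes every output through an e() wrapper. The wrapper here returns rather than echoes and passes ENT_QUOTES so single-quoted attributes are covered too; the table, rows and the in-memory SQLite database are constructed for the example and assume the pdo_sqlite driver is available.

```php
<?php
// Vulnerable: user input is concatenated into the SQL text, and query
// results plus the search term are written into HTML without escaping.
function search_unsafe(PDO $db, string $term): string {
    $rows = $db->query("SELECT title FROM posts WHERE title LIKE '%$term%'");
    $html = '';
    foreach ($rows as $row) {
        $html .= "<li>{$row['title']}</li>";   // stored XSS if a title holds markup
    }
    return "<h2>Results for $term</h2><ul>$html</ul>";   // reflected XSS
}

// Escape for an HTML text node or attribute value. ENT_QUOTES also encodes
// the single quote (htmlspecialchars' default leaves it alone), and naming
// the charset keeps the escaper and the document in agreement.
function e(?string $str): string {
    return htmlspecialchars((string) $str, ENT_QUOTES, 'UTF-8');
}

// Hardened: the value travels as a bound parameter, never as SQL text, and
// everything that reaches the HTML stream passes through e().
function search_safe(PDO $db, string $term): string {
    // LIKE wildcards are data here too: escape % and _ so the user's
    // characters match literally. '!' is declared as the escape character,
    // and it is escaped first so the later replacements cannot be doubled.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $db->prepare("SELECT title FROM posts WHERE title LIKE :pattern ESCAPE '!'");
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    $html = '';
    foreach ($stmt as $row) {
        $html .= '<li>' . e($row['title']) . '</li>';
    }
    return '<h2>Results for ' . e($term) . '</h2><ul>' . $html . '</ul>';
}

// Constructed sample data: one hostile title and one title containing a
// LIKE wildcard, in a throwaway in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts (title) VALUES ('<script>alert(1)</script>'), ('100% safe')");

echo search_safe($db, '100%'), "\n";   // only the row with a literal "100%" matches
echo search_safe($db, '<'), "\n";      // the hostile title comes out as inert text
```

Run the same inputs through search_unsafe to see the markup arrive in the page unescaped; with a quote in the term the query itself breaks, which is the SQL half of the problem.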

Footnotes:
[1]: I've seen references to the article floating around the web elsewhere, but I don't remember where. Ah, here's one, but I don't remember the other.


Comments

Adam V. (http://flangy.com) wrote:

As an alternative to escaping, use a "real DB" whose API has support for commands and parameters. I think MySQL DB is sprouting this feature soonish.

∴ Adam V. | 7-Jan-2005 5:43pm est | http://flangy.com | #6802

Keith (http://keithdevens.com/) wrote:

Yeah, that's the type of thing I was referring to when I was talking about prepared statements.

Keith | 7-Jan-2005 5:44pm est | http://keithdevens.com/ | #6803

x-way (http://waterwave.ch/weblog) wrote:

Smarty doesn't do automatic escaping, but you can force it with modifiers:

{$var|escape}
translates to <?php echo htmlspecialchars($var); ?>
∴ x-way | 7-Jan-2005 6:30pm est | http://waterwave.ch/weblog | #6806

Keith (http://keithdevens.com/) wrote:

Yeah, I know. But I never see anyone using them where they should be.

Keith | 7-Jan-2005 6:41pm est | http://keithdevens.com/ | #6807
