4. Cross-Site Scripting (XSS) Flaws
Never display any information coming from outside your program without escaping it first. Escape variables before including them in hidden form fields, in query strings, or in plain page output. PHP gives you several tools for dealing with untrusted data:

htmlspecialchars() turns & < > " into their HTML-entity equivalents and can also convert single quotes if you pass ENT_QUOTES as the second argument. (From PHP 8.1 on the default flags already include ENT_QUOTES, but pass the flags and the charset explicitly so the result does not depend on the PHP version.) This is the primary defense: apply it to every untrusted value that ends up in HTML text or inside a quoted attribute.

strtr() replaces any characters you like. Pass strtr() an array of characters and their replacements. To change ( and ) into their entity equivalents, which keeps injected text from being usable as a function call, do:

$safer = strtr($untrusted, array('(' => '&#40;', ')' => '&#41;'));

strip_tags() removes HTML and PHP tags from a string. It is a cleanup tool, not an escaping function: the text between removed tags stays in place, and when you pass a list of allowed tags it keeps every attribute on those tags (an allowed <a> keeps its href="javascript:..."), so always run htmlspecialchars() on the result as well.

utf8_decode() converts the ISO-8859-1 characters in a UTF-8 encoded string to single-byte characters; anything outside ISO-8859-1 becomes a ?. Cross-site scripting attackers sometimes try to hide an attack behind an alternative encoding, and converting to one known representation before filtering removes that hiding place. Note that utf8_decode() is deprecated as of PHP 8.2; mb_convert_encoding() is the documented replacement, and in practice you should reject or substitute invalid byte sequences (mb_check_encoding(), or the ENT_SUBSTITUTE flag of htmlspecialchars()) and escape with an explicit 'UTF-8' charset.
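The following script is added here as a worked example; it is not code from the original page or from the PHP Cookbook. It exercises the functions above on constructed inputs and shows where each one helps and where it does not. The escape_html() and escape_parens() helper names are this example's own.

```php
<?php
declare(strict_types=1);

// Escape an untrusted value for HTML text or a quoted attribute.
// Flags and charset are passed explicitly: before PHP 8.1 the default was
// ENT_COMPAT (double quotes only), so single-quoted attributes were not
// protected, and without ENT_SUBSTITUTE an invalid UTF-8 sequence makes
// htmlspecialchars() return an empty string instead of the value.
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// The recipe's strtr() trick: parentheses become numeric entities so that
// injected text cannot form a function call once it reaches a browser.
function escape_parens(string $untrusted): string
{
    return strtr($untrusted, ['(' => '&#40;', ')' => '&#41;']);
}

// Constructed sample inputs for the demonstration; they are not captured traffic.
$body       = 'Hello <script>alert(1)</script>';
$singleAttr = "' onmouseover='alert(1)";
$badUtf8    = "caf\xE9";   // a Latin-1 byte, which is invalid in UTF-8
$link       = '<a href="javascript:alert(1)">click</a><script>alert(2)</script>';

// 1. HTML body: the angle brackets become entities and the script is inert text.
echo escape_html($body), "\n";

// 2. Single-quoted attribute: ENT_QUOTES encodes the quote, so the input
//    cannot close value='...' and append an event-handler attribute.
echo "<input value='", escape_html($singleAttr), "'>\n";

//    The same value with the pre-8.1 default (ENT_COMPAT): the single quote
//    survives and the attribute is broken out of. Compare the two lines.
echo "<input value='", htmlspecialchars($singleAttr, ENT_COMPAT, 'UTF-8'), "'>\n";

// 3. Invalid UTF-8: without ENT_SUBSTITUTE the whole value silently disappears
//    (an empty string is returned); with it the bad byte becomes U+FFFD.
var_dump(htmlspecialchars($badUtf8, ENT_QUOTES, 'UTF-8') === '');
echo escape_html($badUtf8), "\n";

// 4. strip_tags() is not an escaper. With an allow-list it keeps the
//    attributes of allowed tags, so the javascript: URL stays, and it
//    removes only the <script> tags, not the text between them.
echo strip_tags($link, '<a>'), "\n";

//    Escaping the output of strip_tags() is what actually neutralises it.
echo escape_html(strip_tags($link, '<a>')), "\n";

// 5. Parentheses via strtr(), as the recipe above suggests.
echo escape_parens('alert(1)'), "\n";
```

Run it with `php example.php` and read the output line by line: case 2 is the reason to pass ENT_QUOTES explicitly, case 3 is the reason to pass ENT_SUBSTITUTE and a charset, and case 4 is the reason strip_tags() alone is never a sufficient XSS defense.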
- PHP Manual: htmlspecialchars(), strtr(), strip_tags(), utf8_decode()
- PHP Cookbook: Recipe 8.8 (“Building a GET Query String”), Recipe 9.8 (“Escaping Control Characters from User Data”)
5. Buffer Overflows
PHP manages memory for you and has no pointers or raw, fixed-size buffers as C does, so your PHP code, however sloppy it may be, won’t contain buffer overflows of its own. What you do have to watch out for are buffer overflows in PHP itself and in its extensions, most of which are written in C and receive the data your script hands them. Subscribe to the php-announce mailing list to keep abreast of security patches and new releases, and keep the interpreter and its extensions up to date.

See Also:
- PHP Mailing Lists: http://www.php.net/mailing-lists.php
