Just a General Rant on Outputting in General

Well, after about 2 years of PHP programming (and before that many other programming languages) I still, from time to time, feel like a complete newbie when it comes to securing output in PHP. ;D

For instance, today I just wanted to see what would happen if I typed home into the CMS that I am developing for my own website. And lo and behold, it kind of farted out on me big time, and that was just a stupid anchor tag; I can just imagine what a true hacker could do to my website (even though I do use PDO prepared statements). Anyway, for God knows why I wasn’t securing the output, and I was having some kind of brain fart trying to solve the problem. It could have been too much turkey, since it’s Thanksgiving here in the United States, or someone upstairs telling me to be more understanding of newcomers who are learning PHP. :slight_smile: I spent 4 hours fixing something that I know almost like the back of my hand, but it goes to show that it pays to test your website for vulnerabilities by seeing what would happen if you do this or if you do that. The moral of the story is never trust output that a user can change, either by direct input or via a URL. The best way to do that is to escape (secure) the output results. :wink:

Always escape output: it’s easy to see that you have escaped everything in the views, and you don’t mess up the data in the DB.

Now how about “modern web development - part 2” where we’ll look into a template engine that escapes all output automatically…? :wink:

Interesting thoughts. I never thought of these issues. All of my programming so far has escaped inputs only when saved to the DB. So, if you pull the data from the DB and display it, why would you have to escape it a second time? I would suspect that if you are pulling different types of data from inputs, some tricky hacker might be able to piece inputs together in such a way as to link them, but in all of my code there are formatting tags around most of the data, so I cannot imagine how it would be an issue.
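The "store raw, escape when you print" approach from the first two posts, and the reason escaping only on the way into the DB is not enough, as an added example in PHP (not code from anyone in this thread). It assumes the pdo_sqlite extension is available; the `posts` table is made up for the demo.

```php
<?php
// Added example, not code from this thread. Stores a user-supplied string raw via a
// PDO prepared statement, then escapes it at output time for the HTML context it lands in.
// Assumes the pdo_sqlite extension; the table name "posts" is made up for the demo.
declare(strict_types=1);

/** Escape for an HTML text node or a double/single-quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES covers both quote characters, so the result is usable inside quoted
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Store the value exactly as entered. The prepared statement protects the SQL, not the HTML. */
function savePost(PDO $pdo, string $title): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

/** Render at output time. Each placement gets the encoding its own context needs. */
function renderPost(string $title): string
{
    $heading = '<h2>' . e($title) . '</h2>';
    // URL query component: percent-encoding, not HTML escaping. Attribute value: e().
    $link = '<a href="/search?q=' . rawurlencode($title) . '" title="' . e($title) . '">search</a>';
    return $heading . "\n" . $link . "\n";
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Constructed sample input: the kind of anchor tag a visitor can type into a form or a URL.
savePost($pdo, '<a href="home">home</a> said "hi"');

// Same stored data, two renderings: the raw echo is the mistake described above; the escaped
// rendering shows the tag as literal text instead of letting the browser interpret it.
$title = (string) $pdo->query('SELECT title FROM posts')->fetchColumn();
echo "Unsafe (raw echo):\n", '<h2>' . $title . '</h2>', "\n\n";
echo "Safe (escaped at output):\n", renderPost($title);
```

The DB row is identical in both cases; only the output step differs, which is why formatting tags around a value do not help if the value itself is printed unescaped.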

Yep, we need a “part-2” on this subject. I am interested in more info of this subject! Thanks!
