
Pádraic Brady's Blog:
XSS in PHP (Part 1) How Not to Use Htmlspecialchars
March 13, 2012 @ 12:44:27

Pádraic Brady has written an exhaustive guide to using htmlspecialchars correctly and securely in your applications (framed, as the title says, as how not to use it). This is part one of a series on preventing cross-site scripting in PHP applications.

While it's no harm poking fun at ourselves, in PHP we do have a serious problem. Cross-Site Scripting (XSS) remains one of the most significant classes of security problems afflicting PHP applications. Despite years of education, community awareness and the development of frameworks which can offer a huge boost in consistent practices - things are not getting any better.

So, I finally figured out what the core problem is: PHP programmers are completely clueless about XSS. It's that simple. Instead of going out and studying the topic, we blindly follow some preferred herd of people offering advice with heartfelt conviction despite the fact that they are probably just as ignorant as the rest of us. Does that sound like the behaviour of something which allegedly evolved into an intelligent species? The result is a mix of ignorance and stagnant knowledge that leaves PHP in an unenviable position beset by wrongheaded zealots.

He introduces the htmlspecialchars function and the widespread assumption that simply calling it is enough to prevent XSS attacks. He covers the problems with quotes (the default flag only escapes double quotes, so single quotes survive unless ENT_QUOTES is passed, which matters for attribute values), a parsing quirk that IE6 has and no other browser does, the all-important third parameter (the character set, which should be set explicitly rather than left to the default) and the optional fourth parameter (double_encode, which when set to false leaves HTML entities already present in the input unencoded).

He has also published a GitHub repository with the examples from the post.
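The following is an added example illustrating the parameters the summary mentions; it is not code from Brady's post or from his repository. It assumes PHP 7 or later (scalar type hints; ENT_SUBSTITUTE and ENT_HTML401 exist from PHP 5.4) and uses a constructed attacker string and a constructed invalid UTF-8 string as inputs.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Constructed attacker input:
// a single quote followed by an event handler, aimed at a single-quoted attribute.
const ATTACKER_INPUT = "' onmouseover='alert(1)";

// The pre-PHP-8.1 default flag, ENT_COMPAT, escapes only double quotes.
// Single quotes pass through untouched, so this is unsafe inside title='...'.
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Hardened form: ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences with U+FFFD instead of returning an empty string,
// and the charset (third parameter) is set explicitly instead of relying on
// the default, which was ISO-8859-1 before PHP 5.4 and UTF-8 afterwards.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Fourth parameter: double_encode=false leaves entities already in the input
// alone, so attacker-supplied entity text reaches the page unencoded. That is
// only acceptable if nothing downstream decodes the string a second time.
function escapeNoDoubleEncode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8', false);
}

// Attribute helper: always emit the value inside double quotes AND escape it
// with ENT_QUOTES, so neither quote style can terminate the attribute.
function attr(string $name, string $value): string
{
    return sprintf('%s="%s"', $name, escapeHtml($value));
}

// 1. Quotes: ENT_COMPAT versus ENT_QUOTES in an attribute context.
$unsafe = "<a title='" . escapeCompat(ATTACKER_INPUT) . "'>x</a>";
$safe   = "<a " . attr('title', ATTACKER_INPUT) . ">x</a>";
echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// 2. Charset and invalid input: a stray UTF-8 continuation byte (constructed).
// Without ENT_SUBSTITUTE (or ENT_IGNORE) htmlspecialchars returns an empty
// string for the whole value; with it, the bad byte becomes U+FFFD.
$bad = "abc\x80def";
var_dump(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8'));
var_dump(htmlspecialchars($bad, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));

// 3. double_encode: the same entity-bearing input, two different results.
$entity = '&lt;script&gt;';
echo escapeHtml($entity), PHP_EOL;
echo escapeNoDoubleEncode($entity), PHP_EOL;
```

Run it with `php example.php`. In part 1 the ENT_COMPAT output keeps the attacker's single quotes, so the rendered tag is `<a title='' onmouseover='alert(1)'>`, an injected event handler; the hardened version turns each single quote into `&#039;` (the ENT_HTML401 form) and the handler stays inert text inside the attribute. In part 2 the call without ENT_SUBSTITUTE yields an empty string, which silently drops the whole value rather than failing loudly; consider treating an empty result from non-empty input as an error. In part 3 the first call produces `&amp;lt;script&amp;gt;` while the double_encode=false call returns `&lt;script&gt;` unchanged.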

Tags: xss, tutorial, htmlspecialchars, cross-site scripting, security




All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework