
Chris Shiflett's Blog:
Character Encoding and XSS
June 20, 2007 @ 09:35:00

In this post to his blog, Chris Shiflett talks about some issues surrounding character encoding and the cross-site scripting issues it can open up in your application.

In the post, referring back to his earlier one on Good and Bad PHP Code, he provides a few useful PHP interview questions, including some from Yahoo, and explains that good PHP code should be Structured, Consistent, Portable and Secure.

In the comments, many additional improvements have been suggested, but there's one that has yet to be mentioned. When using htmlspecialchars() without specifying the character encoding, XSS attacks that use UTF-7 are possible.

The post includes an example that illustrates the point, along with a simple fix using the header() function that corrects the problem and keeps the attack from working.
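As an added illustration (not code from Shiflett's post), the snippet below puts the two patterns side by side: output escaped with htmlspecialchars() but no declared encoding, and the same output with the encoding declared to both the browser and htmlspecialchars(). The sample inputs and function names are constructed for this example.

```php
<?php
// Added example, not from the original post. Shows why escaping alone is not
// enough when the page's character encoding is left undeclared.

// Vulnerable form: no Content-Type charset is sent and htmlspecialchars()
// is left to its default encoding (ISO-8859-1 on the PHP 5.2 of 2007, UTF-8
// only since PHP 5.4). The browser is left to guess the page's encoding.
// A UTF-7 sequence such as "+ADw-" (UTF-7 for "<") contains none of the
// characters htmlspecialchars() escapes, so it passes through unchanged and
// is only harmless if the browser knows the page is not UTF-7.
function renderUnsafe(string $userInput): string
{
    return '<p>' . htmlspecialchars($userInput) . '</p>';
}

// Hardened form: tell the browser the encoding (header() must run before any
// output; the <meta> tag is a fallback for cached or saved copies) and give
// htmlspecialchars() the same encoding explicitly.
function renderSafe(string $userInput): string
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
    $escaped = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
    return '<meta charset="UTF-8"><p>' . $escaped . '</p>';
}

// Constructed sample inputs: a literal tag and its UTF-7 encoded form.
$samples = ['<b>x</b>', '+ADw-b+AD4-x+ADw-/b+AD4-'];
foreach ($samples as $input) {
    echo 'unsafe: ', renderUnsafe($input), PHP_EOL;
    echo 'safe:   ', renderSafe($input), PHP_EOL;
}
```

Running this from the command line shows the literal tag escaped in both versions while the UTF-7 form is returned byte for byte by both; the difference is that the hardened response pins the browser to UTF-8, so those bytes are never decoded as markup.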

Be sure to check out the comments for more great tips.





All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework