Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Roshan Bhattarai's Blog:
How to filter user submitted data easily in PHP?
Aug 15, 2008 @ 14:31:59

On his blog, Roshan Bhattarai shares a few tips on keeping your application safe by filtering user-submitted data.

Yesterday, I saw one of my friend was working on the the contact form and was filtering the user input data(posted variables) individually. He was using a function in PHP to filter the input and using tedious approach while calling the filtering function for each variables with coding each of them in single line . Today, I’m going to show you how can you filter the posted variables easily using callback function in PHP.

He shows how to create a filter_data function (for removing HTML embedded in the data) and how to implement it around your data. It could be extended pretty easily to do more than one filtering method to protect your information even more.

tagged: submit user data filter htmlentities

Link:

Gareth Heyes' Blog:
htmlentities is badly designed
Nov 26, 2007 @ 16:23:00

Gareth Heyes has a quick new post to his blog today about the use of htmlentities and the false assumptions some developers have about it:

When someone uses htmlentities I've seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren't even aware that quotes can lead to XSS injection.

He reminds developers of the second parameter - the ENT_QUOTES parameter that correctly replaces quotes. Other people have mentions things in the comments as well like another optional parameter to force an encoding type and opinions about the function's use.

tagged: htmlentities design quote xss injection entquotes encoding htmlentities design quote xss injection entquotes encoding

Link:

Gareth Heyes' Blog:
htmlentities is badly designed
Nov 26, 2007 @ 16:23:00

Gareth Heyes has a quick new post to his blog today about the use of htmlentities and the false assumptions some developers have about it:

When someone uses htmlentities I've seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren't even aware that quotes can lead to XSS injection.

He reminds developers of the second parameter - the ENT_QUOTES parameter that correctly replaces quotes. Other people have mentions things in the comments as well like another optional parameter to force an encoding type and opinions about the function's use.

tagged: htmlentities design quote xss injection entquotes encoding htmlentities design quote xss injection entquotes encoding

Link:

Secunia:
Cisco Products PHP "htmlentities()" and "htmlspecialchars()" Buffer Overflows
Apr 26, 2007 @ 12:55:00

Cicso product users should check out this latest issue Secunia has released today - a problem with the htmlentities and htmlspecialchars functions that can lead to buffer overflows.

The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application.

Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected.

Products affected include the Network Analysis Modules (NAM) for Cisco 6500 switch, Cisco 7600 router/Branch Routers and the CiscoWorks Wireless LAN Solution Engine (WLSE) and CiscoWorks Wireless LAN Solution (among others, check out the advisory for a more complete list).

There are some patches that have been released to correct this issue (like the one for the Cisco Unified Application Environment) but others are still yet to come. They recommend limiting access to only trusted IPs and devices only to reduce the risk of the problem being exploited.

tagged: cisco buffer overflow htmlspecialchars htmlentities advisory cisco buffer overflow htmlspecialchars htmlentities advisory

Link:

Secunia:
Cisco Products PHP "htmlentities()" and "htmlspecialchars()" Buffer Overflows
Apr 26, 2007 @ 12:55:00

Cicso product users should check out this latest issue Secunia has released today - a problem with the htmlentities and htmlspecialchars functions that can lead to buffer overflows.

The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application.

Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected.

Products affected include the Network Analysis Modules (NAM) for Cisco 6500 switch, Cisco 7600 router/Branch Routers and the CiscoWorks Wireless LAN Solution Engine (WLSE) and CiscoWorks Wireless LAN Solution (among others, check out the advisory for a more complete list).

There are some patches that have been released to correct this issue (like the one for the Cisco Unified Application Environment) but others are still yet to come. They recommend limiting access to only trusted IPs and devices only to reduce the risk of the problem being exploited.

tagged: cisco buffer overflow htmlspecialchars htmlentities advisory cisco buffer overflow htmlspecialchars htmlentities advisory

Link:


Trending Topics: