[Phpmyadmin-devel] guidelines for avoiding security pitfalls

Rouslan Placella rouslan at placella.com
Sun Apr 1 19:49:44 CEST 2012


On 01/04/12 13:11, Marc Delisle wrote:
> On 2012-03-31 11:02, Dieter Adriaenssens wrote:
>> On 28 March 2012 14:37 Marc Delisle <marc at infomarc.info> wrote:
>>> On 2012-03-28 04:53, Michal Čihař wrote:
>>>> Hi
>>>>
>>>> On Tue, 27 Mar 2012 22:01:05 +0200
>>>> Dieter Adriaenssens <dieter.adriaenssens at gmail.com> wrote:
>>>>
>>>>> As discussed on the team meeting in February, I started creating a
>>>>> wiki page with some guidelines for avoiding security bugs [0].
>>>>> The page is not finished yet, I just set out some ideas, that I will
>>>>> work out in the next few days. Feel free to comment, improve or add
>>>>> guidelines as you see fit.
>>>>>
>>>>> [0] http://wiki.phpmyadmin.net/pma/Security_pitfalls
>>>>
>>>> Thanks, looks great so far!
>>>
>>> Yes, thanks. I'm wondering, are there places where we really use
>>> htmlentities() for protection?
>>
>> htmlentities() is not much used (see lower), shall we replace them all
>> by htmlspecialchars and drop the htmlentities() from the guidelines?
> 
> It would be more prudent to have a look at them, one by one, and see
> their exact purpose.

You'd use htmlentities() when you need to escape single quotes,
htmlspecialchars() doesn't do that.

E.g.:
$name = htmlentities("foo's bar", ENT_QUOTES);
echo "<input name='name' value='$name' />";

> Anyway, some of them are under libraries/tcpdf and some under /test.
> 
> In the PHP Architect guide to PHP security by one of the PHP core
> developers, I checked the chapter about XSS. I could not find a
> suggestion to use htmlentities(); however, htmlspecialchars() does not
> find all XSS, so they suggest using preg_replace() with some clever
> patterns.
> 
>>
>> Using htmlspecialchars() is sufficient to protect against XSS (and
>> possibly messing up of the html structure),
>> htmlentities() just converts more characters into their HTML character
>> entity equivalents (for example ü will become &uuml;)
>>
>> Current occurrences of escaping/sanitizing functions in PMA codebase:
>>
>> htmlentities() : 51
>> htmlspecialchars() : 1041
>> PMA_sanitize() : 40
>> PMA_sanitize_file() : 3
>>
>>> Also I think we should talk about PMA_sanitize().
>>
>> Yes, but it should not be used in all cases?
>>
> 
> Maybe, but it would be slower than just plain htmlspecialchars(). Also,
> with the default parameters of PMA_sanitize(), it just replaces "<" and
> ">" and takes care of our special formatting codes.
> 
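An added example (not code from the thread or from phpMyAdmin) that runs the escaping variants discussed above over one value containing a single quote and a non-ASCII character, then renders each result into the single-quoted attribute from the message; the sample input and the two helper functions are constructed for illustration:

```php
<?php
// Added example: compare htmlspecialchars()/htmlentities() flag variants
// when the escaped value is placed inside a single-quoted HTML attribute.

// Same attribute shape as in the message above.
function render_input(string $escaped): string
{
    return "<input name='name' value='$escaped' />";
}

// A raw single quote left in the escaped value would terminate the
// single-quoted attribute early, changing the HTML structure.
function breaks_single_quoted_attr(string $escaped): bool
{
    return strpos($escaped, "'") !== false;
}

$value = "foo's bar ü"; // constructed sample input

$variants = [
    // ENT_COMPAT was the default before PHP 8.1: '"' is escaped, "'" is not.
    'htmlspecialchars ENT_COMPAT' => htmlspecialchars($value, ENT_COMPAT, 'UTF-8'),
    // ENT_QUOTES: "'" becomes &#039;, ü is passed through unchanged.
    'htmlspecialchars ENT_QUOTES' => htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),
    // htmlentities() additionally turns ü into its named entity &uuml;.
    'htmlentities ENT_QUOTES'     => htmlentities($value, ENT_QUOTES, 'UTF-8'),
];

foreach ($variants as $label => $escaped) {
    printf("%-28s %s\n", $label, render_input($escaped));
    printf("%-28s attribute intact: %s\n\n", '',
        breaks_single_quoted_attr($escaped) ? 'no' : 'yes');
}
```

Only the ENT_COMPAT variant leaves the quote raw, so the attribute value is cut to `foo`; the two ENT_QUOTES variants differ only in whether ü is kept or converted to `&uuml;`.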
