[Phpmyadmin-devel] guidelines for avoiding security pitfalls

Marc Delisle marc at infomarc.info
Sun Apr 1 23:39:29 CEST 2012


Le 2012-04-01 13:49, Rouslan Placella a écrit :
> On 01/04/12 13:11, Marc Delisle wrote:
>> Le 2012-03-31 11:02, Dieter Adriaenssens a écrit :
>>> Op 28 maart 2012 14:37 heeft Marc Delisle <marc at infomarc.info> het
>>> volgende geschreven:
>>>> Le 2012-03-28 04:53, Michal Čihař a écrit :
>>>>> Hi
>>>>>
>>>>> Dne Tue, 27 Mar 2012 22:01:05 +0200
>>>>> Dieter Adriaenssens <dieter.adriaenssens at gmail.com> napsal(a):
>>>>>
>>>>>> As discussed on the team meeting in February, I started creating a
>>>>>> wiki page with some guidelines for avoiding security bugs [0].
>>>>>> The page is not finished yet, I just set out some ideas, that I will
>>>>>> work out in the next few days. Feel free to comment, improve or add
>>>>>> guidelines as you see fit.
>>>>>>
>>>>>> [0] http://wiki.phpmyadmin.net/pma/Security_pitfalls
>>>>>
>>>>> Thanks, looks great so far!
>>>>
>>>> Yes, thanks. I'm wondering, are there places where we really use
>>>> htmlentities() for protection?
>>>
>>> htmlentities() is not much used (see lower), shall we replace them all
>>> by htmlspecialchars and drop the htmlentities() from the guidelines?
>>
>> It would be more prudent to have a look at them, one by one, and see
>> their exact purpose.
> 
> You'd use htmlentities() when you need to escape single quotes,
> htmlspecialchars() doesn't do that.

From the PHP manual for htmlspecialchars(), we can use the ENT_QUOTES
flag which does this:
"'" (single quote) becomes '&#039;' only when ENT_QUOTES is set.

> 
> E.g.:
> $name = htmlentities("foo's bar", ENT_QUOTES);
> echo "<input name='name' value='$name' />";
> 
>> Anyway, some of them are under libraries/tcpdf and some under /test.
>>
>> In the PHP Architect guide to PHP security by one of the PHP core
>> developers, I checked the chapter about XSS. I could not find a
>> suggestion to use htmlentities(); however, htmlspecialchars() does not
>> find all XSS, so they suggest using preg_replace() with some clever
>> patterns.
>>
>>>
>>> Using htmlspecialchars() is sufficient to protect against XSS (and
>>> possibly messing up of the html structure),
>>> htmlentities() just converts more characters into their HTML character
>>> entity equivalents (for example ü will become &uuml;)
>>>
>>> Current occurrences of escaping/sanitizing functions in PMA codebase:
>>>
>>> htmlentities() : 51
>>> htmlspecialchars() : 1041
>>> PMA_sanitize() : 40
>>> PMA_sanitize_file() : 3
>>>
>>>> Also I think we should talk about PMA_sanitize().
>>>
>>> Yes, but it should not be used in all cases?
>>>
>>
>> Maybe, but it would be slower than just plain htmlspecialchars(). Also,
>> with the default parameters of PMA_sanitize(), it just replaces "<" and
>> ">" and takes care of our special formatting codes.
>>



-- 
Marc Delisle
http://infomarc.info
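An added example (not code from this thread or from the phpMyAdmin code base) that walks through the ENT_QUOTES point above: the same value rendered into a single-quoted attribute with ENT_COMPAT and with ENT_QUOTES, plus the htmlentities() difference on a non-ASCII character. The helper names and the sample value are mine.

```php
<?php
// Added example, not from the thread or phpMyAdmin. Demonstrates why a value
// placed inside a single-quoted HTML attribute must be escaped with ENT_QUOTES:
// with ENT_COMPAT (the default before PHP 8.1) the apostrophe survives and
// terminates the attribute early, so the rest of the value is parsed as markup.

function escape_attr(string $raw, int $flags): string
{
    // Charset passed explicitly so the result does not depend on ini defaults.
    return htmlspecialchars($raw, $flags, 'UTF-8');
}

function render_input(string $raw, int $flags): string
{
    return "<input name='name' value='" . escape_attr($raw, $flags) . "' />";
}

// A value is safe inside a single-quoted attribute only if no raw "'" remains.
function safe_in_single_quoted_attr(string $escaped): bool
{
    return strpos($escaped, "'") === false;
}

$raw = "foo's bar"; // constructed sample value, the same one used in the thread

foreach (['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES] as $label => $flags) {
    $escaped = escape_attr($raw, $flags);
    printf("%-10s escaped=%-14s safe=%s\n",
        $label, $escaped, safe_in_single_quoted_attr($escaped) ? 'yes' : 'NO');
    echo '           ', render_input($raw, $flags), "\n";
}

// htmlentities() escapes the quote just like htmlspecialchars() with ENT_QUOTES,
// but additionally rewrites every character that has a named HTML entity
// (e.g. ü); htmlspecialchars() leaves such characters as they are.
$umlaut = 'ü';
printf("htmlspecialchars: %s\n", htmlspecialchars($umlaut, ENT_QUOTES, 'UTF-8'));
printf("htmlentities:     %s\n", htmlentities($umlaut, ENT_QUOTES, 'UTF-8'));
```

Run it with `php` on the command line; the ENT_COMPAT line is the one where safe_in_single_quoted_attr() reports NO.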