[Phpmyadmin-devel] guidelines for avoiding security pitfalls

Dieter Adriaenssens dieter.adriaenssens at gmail.com
Sun Apr 29 15:34:20 CEST 2012


2012/4/1 Marc Delisle <marc at infomarc.info>:
> On 2012-04-01 13:49, Rouslan Placella wrote:
>> On 01/04/12 13:11, Marc Delisle wrote:
>>> On 2012-03-31 11:02, Dieter Adriaenssens wrote:
>>>> On 28 March 2012 14:37 Marc Delisle <marc at infomarc.info> wrote:
>>>>> On 2012-03-28 04:53, Michal Čihař wrote:
>>>>>> Hi
>>>>>>
>>>>>> On Tue, 27 Mar 2012 22:01:05 +0200
>>>>>> Dieter Adriaenssens <dieter.adriaenssens at gmail.com> wrote:
>>>>>>
>>>>>>> As discussed on the team meeting in February, I started creating a
>>>>>>> wiki page with some guidelines for avoiding security bugs [0].
>>>>>>> The page is not finished yet, I just set out some ideas, that I will
>>>>>>> work out in the next few days. Feel free to comment, improve or add
>>>>>>> guidelines as you see fit.
>>>>>>>
>>>>>>> [0] http://wiki.phpmyadmin.net/pma/Security_pitfalls
>>>>>>
>>>>>> Thanks, looks great so far!
>>>>>
>>>>> Yes, thanks. I'm wondering, are there places where we really use
>>>>> htmlentities() for protection?
>>>>
>>>> htmlentities() is not much used (see lower), shall we replace them all
>>>> by htmlspecialchars and drop the htmlentities() from the guidelines?
>>>
>>> It would be more prudent to have a look at them, one by one, and see
>>> their exact purpose.
>>
>> You'd use htmlentities() when you need to escape single quotes,
>> htmlspecialchars() doesn't do that.
>
> From the PHP manual for htmlspecialchars(), we can use the ENT_QUOTES
> flag which does this:
> "'" (single quote) becomes "&#039;" only when ENT_QUOTES is set.

I've added the ENT_QUOTES directive to the page and also added some
examples for escaping URLs and encoding URL parameter values.

>>
>> E.g.:
>> $name = htmlentities("foo's bar", ENT_QUOTES);
>> echo "<input name='name' value='$name' />";
>>
>>> Anyway, some of them are under libraries/tcpdf and some under /test.
>>>
>>> In the PHP Architect guide to PHP security by one of the PHP core
>>> developers, I checked the chapter about XSS. I could not find a
>>> suggestion to use htmlentities(); however, htmlspecialchars() does not
>>> find all XSS, so they suggest using preg_replace() with some clever
>>> patterns.

Do you have a link to that, or do you own a paper copy?

>>>>
>>>> Using htmlspecialchars() is sufficient to protect against XSS (and
>>>> possibly messing up of the html structure),
>>>> htmlentities() just converts more characters into their HTML character
>>>> entity equivalents (for example ü will become &uuml;)
>>>>
>>>> Current occurrences of escaping/sanitizing functions in PMA codebase:
>>>>
>>>> htmlentities() : 51
>>>> htmlspecialchars() : 1041
>>>> PMA_sanitize() : 40
>>>> PMA_sanitize_file() : 3
>>>>
>>>>> Also I think we should talk about PMA_sanitize().
>>>>
>>>> Yes, but it should not be used in all cases?
>>>>
>>>
>>> Maybe, but it would be slower than just plain htmlspecialchars(). Also,
>>> with the default parameters of PMA_sanitize(), it just replaces "<" and
>>> ">" and takes care of our special formatting codes.
>>>
>
>
>
> --
> Marc Delisle
> http://infomarc.info
>
> _______________________________________________
> Phpmyadmin-devel mailing list
> Phpmyadmin-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel



-- 
Kind regards,

Dieter Adriaenssens
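The point argued in the thread above, as an added PHP example (this is not phpMyAdmin's own code, and the payload, database and table values are constructed for illustration): htmlspecialchars() without ENT_QUOTES leaves a single-quoted attribute open, ENT_QUOTES closes that hole, htmlentities() only changes how non-ASCII text is encoded, and URL parameter values are a separate encoding context handled by urlencode().

```php
<?php
// Added example, not phpMyAdmin code: what ENT_QUOTES changes for htmlspecialchars(),
// what htmlentities() adds on top, and why URL parameter values are a separate context.
// All input values below are constructed for illustration.

// Attacker-controlled value that closes a single-quoted attribute early.
$payload = "foo' onmouseover='alert(1)";

// Without ENT_QUOTES (the default before PHP 8.1) only &, <, > and " are escaped;
// the single quote passes through and a second, attacker-supplied attribute appears.
$unsafe = htmlspecialchars($payload, ENT_COMPAT, 'UTF-8');
echo "<input name='name' value='$unsafe' />\n";

// With ENT_QUOTES the single quote becomes &#039; and the value stays one attribute.
$safe = htmlspecialchars($payload, ENT_QUOTES, 'UTF-8');
echo "<input name='name' value='$safe' />\n";

// htmlentities() escapes the same characters and additionally turns non-ASCII
// characters into named entities (ü becomes &uuml;). That changes the encoding of
// the output, not its XSS safety, so htmlspecialchars() with ENT_QUOTES is enough.
echo htmlentities("Zürich: $payload", ENT_QUOTES, 'UTF-8'), "\n";

// URL parameter values need percent-encoding (urlencode), and the finished URL
// still needs HTML escaping when it is placed in an attribute (the & between
// parameters becomes &amp;). The two steps address different contexts and
// neither replaces the other.
$db    = "test db";
$table = "t&'x";
$url   = 'sql.php?db=' . urlencode($db) . '&table=' . urlencode($table);
echo '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">browse</a>' . "\n";
```

Run it with `php example.php` and compare the first two `<input>` lines: the first carries an extra `onmouseover` attribute, the second keeps the whole payload inside `value`.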



