[Phpmyadmin-devel] guidelines for avoiding security pitfalls

Dieter Adriaenssens dieter.adriaenssens at gmail.com
Sat Mar 31 17:02:19 CEST 2012


On 28 March 2012 14:37, Marc Delisle <marc at infomarc.info> wrote:
> On 2012-03-28 04:53, Michal Čihař wrote:
>> Hi
>>
>> On Tue, 27 Mar 2012 22:01:05 +0200
>> Dieter Adriaenssens <dieter.adriaenssens at gmail.com> wrote:
>>
>>> As discussed on the team meeting in February, I started creating a
>>> wiki page with some guidelines for avoiding security bugs [0].
>>> The page is not finished yet, I just set out some ideas, that I will
>>> work out in the next few days. Feel free to comment, improve or add
>>> guidelines as you see fit.
>>>
>>> [0] http://wiki.phpmyadmin.net/pma/Security_pitfalls
>>
>> Thanks, looks great so far!
>
> Yes, thanks. I'm wondering, are there places where we really use
> htmlentities() for protection?

htmlentities() is not much used (see below); shall we replace them all
by htmlspecialchars() and drop htmlentities() from the guidelines?

Using htmlspecialchars() is sufficient to protect against XSS (and
possibly against messing up the HTML structure);
htmlentities() just converts more characters into their HTML character
entity equivalents (for example, ü will become &uuml;).

Current occurrences of escaping/sanitizing functions in the PMA codebase:

htmlentities() : 51
htmlspecialchars() : 1041
PMA_sanitize() : 40
PMA_sanitize_file() : 3

> Also I think we should talk about PMA_sanitize().

Yes, but it should not be used in all cases?

-- 
Kind regards,

Dieter Adriaenssens
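The following PHP script is an added example, not code from the phpMyAdmin project or from anyone on this thread. It runs the same untrusted value through htmlspecialchars() and htmlentities() to show that they differ only in how non-ASCII characters such as ü are represented, and then shows why the flags passed to htmlspecialchars() matter when the value lands inside a single-quoted attribute. The helper names (escapeHtml, escapeHtmlEntities, renderAttribute, attributeIntact) and the sample input are constructed for the example; it assumes PHP 5.4 or later for ENT_SUBSTITUTE.

```php
<?php
// Added example, not phpMyAdmin code: what htmlspecialchars() and
// htmlentities() each do to the same untrusted value, and why the
// flags passed to htmlspecialchars() matter in attribute context.
declare(strict_types=1);

// Constructed sample input: a non-ASCII letter plus the characters an
// attacker would use to break out of a single-quoted HTML attribute.
const USER_INPUT = "Müller' onmouseover='alert(1)";

/**
 * Escape for an HTML text node or attribute value. ENT_QUOTES makes
 * single quotes get escaped as well; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences with U+FFFD instead of returning an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Same input through htmlentities(): escapes the same metacharacters,
 * and additionally turns every character that has a named entity
 * (ü, é, ©, ...) into that entity.
 */
function escapeHtmlEntities(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the value inside a single-quoted attribute with the given
 * htmlspecialchars() flags, to show what a missing ENT_QUOTES costs.
 * ENT_COMPAT (the default before PHP 8.1) leaves ' untouched.
 */
function renderAttribute(string $value, int $flags): string
{
    return "<input value='" . htmlspecialchars($value, $flags, 'UTF-8') . "'>";
}

/**
 * Crude check for this template: a correctly escaped value leaves
 * exactly the two single quotes we wrote ourselves. Any extra raw '
 * means the attacker was able to close the attribute and start another.
 */
function attributeIntact(string $html): bool
{
    return substr_count($html, "'") === 2;
}

echo "htmlspecialchars: ", escapeHtml(USER_INPUT), "\n";
echo "htmlentities:     ", escapeHtmlEntities(USER_INPUT), "\n";

$weak = renderAttribute(USER_INPUT, ENT_COMPAT);
$safe = renderAttribute(USER_INPUT, ENT_QUOTES);
echo $weak, "  intact=", var_export(attributeIntact($weak), true), "\n";
echo $safe, "  intact=", var_export(attributeIntact($safe), true), "\n";
```

Both functions escape &, <, >, " and (with ENT_QUOTES) '; the only visible difference on this input is that htmlspecialchars() leaves ü as-is while htmlentities() emits &uuml;. On a page served as UTF-8 the browser renders both identically, so htmlentities() adds nothing for XSS protection. The second half is the caveat that matters in practice: with ENT_COMPAT the single quote passes through and attributeIntact() reports the attribute as broken, so pass ENT_QUOTES explicitly rather than relying on the version-dependent default. Neither function is appropriate for values placed inside a JavaScript string, a URL, or CSS; those contexts need their own encoders.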



