security bug in PHP-server-1.1

Carl Howells chowells at janrain.com
Wed Apr 11 11:27:49 PDT 2007


Niels Berkers wrote:
> for those who like to clean incoming content before your server is 
> hacked.

You seem to attribute magical hacking powers to data.  If *receiving* 
data can hack your system, you need to install a version of PHP without 
those buffer overflows.  There's nothing you can do about it in PHP.

Assuming your version of PHP doesn't have any exploitable buffer 
overflows, the received data can't do anything to your system by itself. 
You need to do something with it, first.

The two main avenues of attack are SQL injection and semantic display 
character injection.

To protect against SQL injection, you sanitize data before putting it 
into the database.  As Jonathan points out, Pear, and every other modern 
database adapter, does that automatically if you use the adapter to 
build your statements for you properly, instead of just appending strings.

For dealing with display injection attacks (html, javascript, whatever 
you're generating dynamically based on user input), you sanitize the 
data just before displaying it.  You don't sanitize it any earlier, 
because the rules for correct sanitization depend on the context.  Using 
the data in javascript, in a tag attribute, or as the contents of a 
<div> tag each require different escaping methods.  It's quite common to 
want to use the same data in multiple places.  Because of that, escaping 
the data any earlier than display-time will likely lead to bugs.

Just remember:  data can't hack you by itself.  You have to do something 
wrong with it, first.

Carl
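The two "doing something wrong with it" cases Carl describes, shown side by side in PHP as an added example (this is not code from the original post or from PHP-server). The database adapter used here is PDO with an in-memory SQLite table rather than the Pear adapter Jonathan mentioned; the attacker-controlled input string, the table and the three escaping helpers are constructed for the illustration.

```php
<?php
// Added example, not from the original post: parameterized queries
// against SQL injection, and context-specific escaping at display time.
// Needs PHP >= 5.3 with the pdo_sqlite extension; uses an in-memory
// database so it runs stand-alone.

// Constructed attacker input: a single quote to break SQL/JS literals,
// a double quote and '>' to break out of an attribute, and a script tag.
$input = "O'Reilly\"><script>alert(1)</script>";

// ---- 1. SQL injection ---------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');

// Wrong: appending strings. The quote in $name ends the literal early,
// so the query is either broken or rewritten by whoever supplied $name.
function lookupUnsafe(PDO $db, $name)
{
    return $db->query("SELECT name FROM users WHERE name = '$name'")->fetchAll();
}

// Right: let the adapter build the statement. The value is bound as data
// and never reaches the SQL grammar, so no hand-written "cleaning" is needed.
function lookupSafe(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$ins = $db->prepare('INSERT INTO users (name) VALUES (?)');
$ins->execute(array($input));   // stored verbatim; storage is not the place to escape

try {
    lookupUnsafe($db, $input);
} catch (PDOException $e) {
    echo "unsafe query failed: ", $e->getMessage(), "\n";
}
$rows = lookupSafe($db, $input);
$name = $rows[0];               // the original string comes back unchanged

// ---- 2. Display injection: escape at output, per context ----------

// Between tags such as <div>...</div>.
function escHtml($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Inside a *quoted* attribute value (the template must supply the quotes).
function escAttr($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Inside a <script> block: emit a JS string literal, with <, >, &, quotes
// hex-encoded so neither the literal nor the </script> tag can be closed.
function escJs($s)
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// The same stored value rendered in three places, each escaped for its context.
echo '<div>' . escHtml($name) . "</div>\n";
echo '<input value="' . escAttr($name) . "\">\n";
echo '<script>var name = ' . escJs($name) . ";</script>\n";

// ---- 3. Why escaping earlier than display-time leads to bugs -------

// Suppose the value had been "cleaned for HTML" once, up front.
// ENT_COMPAT (the historical htmlspecialchars default) leaves ' alone,
// which is harmless between <div> tags but ends a single-quoted JS literal:
$early = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
echo "<script>var name = '" . $early . "';</script>\n";
// Browser sees:  var name = 'O'Reilly&quot;&gt;...';   -- literal ends after O

// And the code that correctly escapes at display time now double-escapes,
// so the user sees &quot; and &lt; as literal text:
echo '<div>' . escHtml($early) . "</div>\n";
```

The script prints the failed unsafe query, the three correctly escaped renderings, and then the two broken outputs that early escaping produces. The point of section 3 is Carl's: the escaping rules belong to the output context, so the stored value stays raw and each template site applies its own encoder.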


