security bug in PHP-server-1.1
Norman Rasmussen
norman at rasmussen.co.za
Wed Apr 11 13:33:11 PDT 2007
On 4/11/07, Niels Berkers <niels at quotar.com> wrote:
> Norman Rasmussen wrote:
> > Agreed! You never know when someone might find a way to inject unsafe
> > data into your database. It's much safer to escape it as you output
> > it. (Also you might output it in different places, requiring
> > different escaping)
> Sorry ... can't believe I'm reading this. Any software security
> specialist would disagree.
Huh? Sorry your response confuses me.
You can't escape data (for output) when it arrives because you could
output it in any form. (You only need to escape it as you add it to
the database, if your database layer doesn't support parameters (or
some other escaping mechanism)). You need to escape the data as you
display it _in the display module_ - so that you know how to escape it.
If you only escape data as it enters the system, then you can't trust
that there won't be a loophole somewhere that allows unescaped data to
enter the database - that would be displayed to the user on a normal
page (it's impossible to secure all incoming points).
If you escape as you render data (including if you have to - dynamic
sql - yegh), then you escape data everywhere you display it. So you
remain in control of _all_ the points in the system where data is
rendered to the user, and can ensure that it's safe.
I really hope you misread my statement, and that you don't think that
output escaping is not worth it, and that input escaping is the
be-all-and-end-all.
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
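The escape-at-output rule argued for above, as an added Python example that is not code from the thread or from PHP-server: the raw value enters the database through a parameterised query, each display module escapes for its own output context, and a value escaped once on input is shown to be wrong in every other context it is later rendered in. The function names and the sample comment are constructed for this illustration.

```python
import html
import json
import sqlite3
from urllib.parse import quote

# Constructed sample value (not from the thread): special in HTML, JS and URL contexts.
SAMPLE_COMMENT = 'O\'Neil said <b>"hi"</b> & left'


def store_and_load(comment: str) -> str:
    """Store the raw value via a parameterised query and read it back unchanged.
    No output escaping happens here: the database layer handles SQL quoting."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    (body,) = conn.execute("SELECT body FROM comments").fetchone()
    conn.close()
    return body


def render_html(raw: str) -> str:
    """Display module for HTML text: escape at the point of output."""
    return "<p>" + html.escape(raw, quote=True) + "</p>"


def render_js(raw: str) -> str:
    """Display module for a JS string literal: JSON-encode, and escape '<' so a
    '</script>' inside the value cannot terminate the enclosing script block."""
    return "var body = " + json.dumps(raw).replace("<", "\\u003c") + ";"


def render_url(raw: str) -> str:
    """Display module for a query-string parameter: percent-encode everything."""
    return "/search?q=" + quote(raw, safe="")


def escaped_on_input(raw: str) -> dict:
    """The 'escape as it enters the system' approach: HTML-escaping once up front
    is right for exactly one context and wrong (or double-escaped) everywhere else."""
    stored = html.escape(raw, quote=True)
    return {
        "html": "<p>" + stored + "</p>",                 # correct by luck
        "html_twice": render_html(stored),               # &amp;amp; shown to the user
        "js": "var body = " + json.dumps(stored) + ";",  # HTML entities leak into JS
        "url": "/search?q=" + quote(stored, safe=""),    # HTML entities leak into the URL
    }
```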