PHP security - output escaping

Output escape

Another basis for web application security is to escape output or encode special characters to ensure that the original meaning remains unchanged. For example, O'Reilly needs to be escaped to O\'Reilly before being sent to the MySQL database. The backslash before the single quote means that the single quote is part of the data itself, not its original meaning.

The output escaping I am referring to is divided into three steps:

l Recognize the output

l           Output escaping

l                                                                                                                                                                                                                         It is necessary to escape only filtered data. Although escaping prevents many common security vulnerabilities, it is not a replacement for input filtering. Tainted data must first be filtered and then escaped.

When escaping output, you must first identify the output. Often, this is much simpler than recognizing input, as it relies on the actions you perform. For example, when recognizing client output, you can look for the following statements in your code:

echo
print
printf
<?=

As an application developer, you must know every place that outputs to external systems. They constitute the output.

Like filtering, the escaping process varies depending on the situation. Filtering is different for different types of data, and escaping is done differently depending on the system you're transferring the information to.

There are built-in functions available in PHP for escaping some common output targets, including clients, databases, and URLs. If you're going to write your own algorithm, it's important to be foolproof. It is necessary to find a reliable and complete list of special characters in the foreign system and how they are represented so that the data is preserved rather than translated.

The most common output target is the client, using htmlentities( ) is the best way to escape the data before sending it out. Like other string functions, its input is a string, which is processed and output. But using htmlentities( ) function is to specify its two optional parameters: the way to escape quotes (the second parameter) and the character set (the third parameter). The escaping method of quotation marks should be specified as ENT_QUOTES. Its purpose is to escape single quotation marks and double quotation marks at the same time. This is the most thorough. The character set parameter must match the character set used by the page.

In order to distinguish whether the data has been escaped, I still recommend defining a naming mechanism. For the escaped data output to the client, I use the $html array for storage. The data is first initialized into an empty array to save all filtered and escaped data.

CODE:

<?php
 
  $html = array(  );
  $html[&#39;username&#39;] =
htmlentities($clean[&#39;username&#39;], ENT_QUOTES, &#39;UTF-8&#39;);
  echo "<p>Welcome back,
{$html[&#39;username&#39;]}.</p>";
 
  ?>

Tips

htmlspecialchars() function and htmlentities() ) functions are basically the same, their parameter definitions are exactly the same, except that the escaping of htmlentities() is more thorough.

By outputting username to the client via $html['username'], you can ensure that the special characters will not be misinterpreted by the browser. If the username only contains letters and numbers, escaping is actually not necessary, but this reflects the principle of defense in depth. Escaping any output is a very good habit and can dramatically improve the security of your software.

Another common output destination is a database. If possible, you need to use PHP's built-in functions to escape the data in the SQL statement. For MySQL users, the best escape function is mysql_real_escape_string( ). If the database you are using does not have PHP's built-in escaping functions available, addslashes() is the last resort.

The following example illustrates the correct escaping techniques for MySQL database:

CODE:

<?php
 
  $mysql = array(  );
  $mysql[&#39;username&#39;] =
mysql_real_escape_string($clean[&#39;username&#39;]);
  $sql = "SELECT *
          FROM   profile
          WHERE  username =
&#39;{$mysql[&#39;username&#39;]}&#39;";
  $result = mysql_query($sql);
 
  ?>

以上就是PHP安全-输出转义的内容，更多相关内容请关注PHP中文网（www.php.cn）！