Security Resources

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Re: Security Resources

Postby Mordred » Wed Mar 14, 2012 10:10 am

Christopher wrote: For example, do you recommend using mb_convert_encoding() to convert everything to UTF8?

Oh yes, for <5.4.0 surely. Did you know about this?

You should use a wrapper function anyway; who wants to type so much code every time? Inside, something like:

function HtmlEscape($s) {
    // Drop invalid byte sequences instead of replacing them with '?'.
    // Note: this setting stays in effect for the rest of the request.
    mb_substitute_character("none");
    // UTF-8 to UTF-8 "conversion" is a validation pass that strips malformed sequences.
    $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    // Charset must be spelled 'UTF-8' (the original post had the typo 'UTF=8').
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
Things need not have happened to be true. Tales and dreams are the shadow-truths that will endure when mere facts are dust and ashes, and forgot.
My security blog. (not updated lately)
The Unexpected SQL Injection (article) (.txt, cause the .html version is broken)
Password hashing howto (and how not to) (article)
Salt strengths (article)
Mordred
DevNet Resident
 
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Security Resources

Postby Christopher » Wed Mar 14, 2012 4:23 pm

Mordred wrote:
Christopher wrote: For example, do you recommend using mb_convert_encoding() to convert everything to UTF8?

Oh yes, for <5.4.0 surely. Did you know about this?
Excellent information!

Can you explain what is going on in these two lines?
mb_substitute_character("none");
$s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
Christopher
Site Administrator
 
Posts: 12213
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Security Resources

Postby Mordred » Thu Mar 15, 2012 3:27 am

"Convert the string from utf-8 to utf-8 making sure you remove any character sequences that are not valid for utf-8"
I must add that this must be accompanied by strict enforcement of utf-8 encoding to the client to avoid legitimate clients sending you their weird Elbonian encoding and getting their data mangled. This is not related to security, just to the proper functioning of the site. An attacker will not send you well-formed utf-8 because he's a nice guy, that's why you don't trust him to, and that's why you force clean his input.
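The following is an added example, not code posted in this thread, illustrating what the two lines explained above do to malformed input, side by side with the PHP >= 5.4 ENT_SUBSTITUTE alternative; the function names and the sample byte strings are constructed for this demonstration.

```php
<?php
// Added example (not from the thread): what the validation pass in the wrapper
// above does to malformed UTF-8, next to the PHP >= 5.4 way of handling it.

// Pre-5.4 approach from the thread: strip invalid sequences, then escape.
function htmlEscapeCleaned($s) {
    // "none" drops invalid byte sequences instead of replacing them with '?'.
    // Note: mb_substitute_character is global for the rest of the request.
    mb_substitute_character('none');
    // UTF-8 -> UTF-8 is not a real conversion; it is a validation pass that
    // removes every byte sequence that is not well-formed UTF-8.
    $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// PHP >= 5.4: htmlspecialchars can replace invalid sequences with U+FFFD
// itself. Without ENT_SUBSTITUTE it returns an empty string on invalid
// input, which silently blanks the output rather than escaping it.
function htmlEscapeModern($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs (labelled per sample):
$samples = [
    'valid'      => "caf\xC3\xA9 <b>ok</b>",             // well-formed, tags escaped
    'lone cont.' => "abc\x80def",                         // continuation byte with no lead
    'overlong'   => "\xC0\xBCb>",                         // overlong form of '<', rejected by mbstring
    'truncated'  => "\xE2\x82<script>alert(1)</script>",  // 3-byte sequence cut short
];

foreach ($samples as $label => $in) {
    printf("%-10s in:      %s\n", $label, bin2hex($in));
    printf("%-10s cleaned: %s\n", '', htmlEscapeCleaned($in));
    printf("%-10s modern:  %s\n\n", '', htmlEscapeModern($in));
}
```

Run it with `php example.php`: the "cleaned" column shows the invalid bytes removed before escaping, the "modern" column shows them replaced with U+FFFD, and in both cases the angle brackets are escaped rather than passed through.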
