PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 Post subject: Re: Security Resources
PostPosted: Wed Mar 14, 2012 10:10 am 
DevNet Resident
Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Christopher wrote:
For example, do you recommended using mb_convert_encoding() to convert everything to UTF8?

Oh yes, for <5.4.0 surely. Did you know about this?

You should use a wrapper function anyway, who wants to type so much code every time? Inside, something like:

Code:
function HtmlEscape($s) {
    // Invalid byte sequences are dropped outright, not replaced with '?'
    mb_substitute_character("none");
    // Converting UTF-8 to UTF-8 changes nothing in valid input; its only
    // effect is that malformed sequences are removed
    $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}


 Post subject: Re: Security Resources
PostPosted: Wed Mar 14, 2012 4:23 pm 
Site Administrator
Joined: Wed Aug 25, 2004 7:54 pm
Posts: 12723
Location: New York, NY, US
Mordred wrote:
Christopher wrote:
For example, do you recommended using mb_convert_encoding() to convert everything to UTF8?

Oh yes, for <5.4.0 surely. Did you know about this?
Excellent information!

Can you explain what is going on in these two lines?
Code:
    mb_substitute_character("none");
    $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');

 Post subject: Re: Security Resources
PostPosted: Thu Mar 15, 2012 3:27 am 
DevNet Resident
Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
"Convert the string from utf-8 to utf-8 making sure you remove any character sequences that are not valid for utf-8"
I must add that this must be accompanied by strict enforcement of utf-8 encoding to the client to avoid legitimate clients sending you their weird Elbonian encoding and getting their data mangled. This is not related to security, just to the proper functioning of the site. An attacker will not send you well-formed utf-8 because he's a nice guy, that's why you don't trust him to, and that's why you force clean his input.

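To make those two lines concrete, here is an added example (my own code, not anything posted in this thread) that wraps them the way the HtmlEscape() above does, restores the mbstring substitute-character setting afterwards, and runs a few constructed inputs through both a bare htmlspecialchars() call and the wrapper. The sample strings, the function name html_escape() and the labels are hypothetical and not taken from the thread.

```php
<?php
// Added example, not code from the thread: a wrapper in the spirit of the
// HtmlEscape() discussed above, plus a demonstration of what the mb_* lines do.

/**
 * Remove every byte sequence that is not valid UTF-8, then HTML-escape.
 * mb_substitute_character() is process-global mbstring state, so the
 * previous setting is restored rather than left as "none" for other code.
 */
function html_escape(string $s): string
{
    $previous = mb_substitute_character();   // current setting (int code point or a mode string)
    mb_substitute_character('none');         // drop invalid sequences instead of replacing them
    try {
        // "Converting" UTF-8 to UTF-8 changes nothing in valid input; its only
        // effect is that malformed sequences are removed.
        $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    } finally {
        mb_substitute_character($previous);
    }
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs (hypothetical attacker/user data, not from the thread).
// Byte escapes are written out so the malformed ones are visible in the source.
$samples = [
    'plain'      => 'Tom & "Jerry" <3',
    'cyrillic'   => 'София',                 // valid multibyte UTF-8, must survive intact
    'stray byte' => "<b>\xFF</b>",           // 0xFF never occurs in UTF-8
    'truncated'  => "caf\xC3",               // lead byte whose continuation byte is missing
    'overlong <' => "\xC0\xBCscript>",       // overlong (forbidden) two-byte encoding of '<'
];

foreach ($samples as $label => $raw) {
    // Bare call: without ENT_SUBSTITUTE (PHP >= 5.4), htmlspecialchars() returns ''
    // for invalid UTF-8, so the whole value silently disappears from the page.
    $bare    = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    $wrapped = html_escape($raw);
    printf("%-11s bare=%-32s wrapped=%s\n",
        $label, var_export($bare, true), var_export($wrapped, true));
}
```

For the three malformed samples the bare call yields an empty string while the wrapper keeps the valid remainder ("&lt;b&gt;&lt;/b&gt;", "caf", "script&gt;"); the valid samples come through both paths unchanged apart from escaping. Two caveats worth knowing: PHP 7.2+ has mb_scrub($s, 'UTF-8') for exactly this cleanup step, and passing ENT_SUBSTITUTE to htmlspecialchars() replaces invalid sequences with U+FFFD instead of deleting them, which is preferable if you want evidence of tampering to remain visible. The "strict enforcement of utf-8 encoding to the client" mentioned above usually means sending header('Content-Type: text/html; charset=UTF-8') and putting accept-charset="UTF-8" on forms, so legitimate browsers submit UTF-8 in the first place.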
 Post subject: Re: Security Resources
PostPosted: Thu Jul 25, 2013 8:48 pm 
Forum Commoner
Joined: Thu Dec 15, 2011 2:40 pm
Posts: 85
Location: Nelson, NZ
Quote:
Chris Shiflett's Security Workbook
Excellent PDF covering security in PHP.


Is anyone aware of another good book on the topic? Yes Chris's book is excellent, but I've been wondering if there have been new developments since it came out in 2005, and I've been feeling hungry for more as I get back in the saddle to tackle new projects.
 Post subject: Re: Security Resources
PostPosted: Tue Jan 21, 2014 5:16 am 
DevNet Master
Joined: Tue Nov 02, 2004 6:43 am
Posts: 2704
Location: Ireland
http://phpsecurity.readthedocs.org/en/latest/

Disclosure: I wrote it.