Security Resources

View unanswered posts | View active topics

Board index » Programming » PHP - Security

All times are UTC - 5 hours

Moderator: General Moderators

Page 3 of 3

[ 35 posts ]

Go to page Previous 1, 2, 3

Print view

Previous topic | Next topic

Author

Message

Mordred

Post subject: Re: Security Resources

Posted: Wed Mar 14, 2012 10:10 am

DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria

Christopher wrote:

For example, do you recommended using mb_convert_encoding() to convert everything to UTF8?

Oh yes, for <5.4.0 surely. Did you know about this?

You should use a wrapper function anyway, who wants to type so much code every time? Inside, something like:

Syntax: [ Download ] [ Hide ]

function HtmlEscape($s) {

mb_substitute_character("none");

$s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');

return htmlspecialchars($s, ENT_QUOTES, 'UTF=8');

}

Top

Christopher

Post subject: Re: Security Resources

Posted: Wed Mar 14, 2012 4:23 pm

Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 12785
Location: New York, NY, US

Mordred wrote:

Christopher wrote:

For example, do you recommended using mb_convert_encoding() to convert everything to UTF8?

Oh yes, for <5.4.0 surely. Did you know about this?

Excellent information!

Can you explain what is going on in these two lines?

Syntax: [ Download ] [ Hide ]

mb_substitute_character("none");

$s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');

_________________
(#10850)

Top

Mordred

Post subject: Re: Security Resources

Posted: Thu Mar 15, 2012 3:27 am

DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria

"Convert the string from utf-8 to utf-8 making sure you remove any character sequences that are not valid for utf-8"
I must add that this must be accompanied by strict enforcement of utf-8 encoding to the client to avoid legitimate clients sending you their weird Elbonian encoding and getting their data mangled. This is not related to security, just to the proper functioning of the site. An attacker will not send you well-formed utf-8 because he's a nice guy, that's why you don't trust him to, and that's why you force clean his input.

Top

ragax

Post subject: Re: Security Resources

Posted: Thu Jul 25, 2013 8:48 pm

Forum Commoner

Joined: Thu Dec 15, 2011 2:40 pm
Posts: 85
Location: Nelson, NZ

Quote:

Chris Shiflett's Security Workbook
Excellent PDF covering security in PHP.

Is anyone aware of another good book on the topic? Yes Chris's book is excellent, but I've been wondering if there have been new developments since it came out in 2005, and I've been feeling hungry for more as I get back in the saddle to tackle new projects.

Top

Maugrim_The_Reaper

Post subject: Re: Security Resources

Posted: Tue Jan 21, 2014 5:16 am

DevNet Master

Joined: Tue Nov 02, 2004 6:43 am
Posts: 2704
Location: Ireland

http://phpsecurity.readthedocs.org/en/latest/

Disclosure: I wrote it.

Top

Page 3 of 3

[ 35 posts ]

Go to page Previous 1, 2, 3

Board index » Programming » PHP - Security

All times are UTC - 5 hours

Who is online

Users browsing this forum: No registered users and 4 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to: