
Simple PHP user input question

KahunaHube

Senior member
Is it common practice to escape the input that is taken from users? For example, if the input was "hello "john doh"", escaping would turn this line into "hello \"john\"doh"

for security reasons? And then parse the escapes upon outputting the input?

Thanks!
-Hubert
 
Why would you do that?

I could see it if you were passing it as an argument to a command-line utility or something, but if you're just going to spit it back out as output, what for?

Escape things if there's a reason to, not just for the hell of it.
 
Originally posted by: notfred
Why would you do that?

I could see it if you were passing it as an argument to a command-line utility or something, but if you're just going to spit it back out as output, what for?

Escape things if there's a reason to, not just for the hell of it.

I finished this PHP book, and in it all the input was escaped in case someone tried to input some sort of harmful command. The guess I have is that any input can be harmful, therefore escape all input.

Does this make more sense?
 
For inserting into databases and stuff. addslashes().

For html, urlencode (I think - I'm too lazy to look right now)

For shell stuff, there are some but I forget. shellescapeargs() or something like that.

However, you don't need to escape strings all of the time. They can't just magically haxor your script by putting in quotes and stuff, there has to be a point where that string goes somewhere else that interprets that badly.

You know you can search the PHP manual really easily, right? php.net/searchphrase. For example, http://php.net/strings should take you to the strings section of the manual and show all string functions on the left.
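Added example, not from any of the posts above: the "it has to go somewhere that interprets it badly" point in PHP. The raw string is stored through a prepared statement (the database driver handles quoting, so nothing is escaped on the way in or unescaped on the way out) and is only encoded at output, with the encoder chosen for where the string lands. This assumes the pdo_sqlite extension; the in-memory table and the sample strings are constructed here.

```php
<?php
// Added example, not from the original thread: keep the raw string in the
// database (a prepared statement does the quoting), then encode it for the
// context it is output into. Assumes the pdo_sqlite extension; the in-memory
// table and the sample strings are constructed here.

// The string from the original question, exactly as the user typed it.
$userInput = 'hello "john doh"';

// A value built to break out of a quoted SQL literal.
$hostile = "x'); DROP TABLE greetings; --";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE greetings (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Bound parameters never become part of the SQL text, so there is no
// addslashes() on the way in and nothing to strip on the way out.
$insert = $db->prepare('INSERT INTO greetings (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);
$insert->execute([':body' => $hostile]);

$rows = $db->query('SELECT body FROM greetings ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
if ($rows !== [$userInput, $hostile]) {
    throw new RuntimeException('values did not round-trip unchanged');
}

// Output encoding is chosen per destination, at the moment of output.
foreach ($rows as $body) {
    // HTML text or a quoted attribute value: htmlspecialchars (urlencode is
    // the wrong tool for this context).
    $html = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Query-string parameter: rawurlencode, then HTML-encode the finished URL
    // because it is being placed inside an attribute.
    $url = '/search.php?q=' . rawurlencode($body);
    echo "<p>$html</p>\n";
    echo '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">search for it</a>' . "\n";
}
```

The hostile row is stored as plain text and read back unchanged; the table still exists afterwards because the value was never part of the SQL statement. The check after the SELECT throws if either value came back altered, which is the quickest way to see that no addslashes()/stripslashes() round trip is needed.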
 
I don't write PHP, but think of a situation like this (written in as simple Perl as I can... hopefully it's understandable to a PHP programmer):

#!/usr/bin/perl
use CGI qw(:standard);
# Read the form field and echo it straight back. The string is only printed,
# never handed to a shell or a database, so quotes in it do nothing here.
$name = param("name_from_form");
print "Content-Type: text/html\n\n";
print "Hello $name, welcome to my webpage!";
exit;

There's absolutely no possible way that that input could be harmful. Now, if it was:

#!/usr/bin/perl
use CGI qw(:standard);
# The form field is interpolated into a shell command line. Backticks run it
# through the shell, so a value containing ";" or "|" runs extra commands.
# (Deliberately unsafe, to make the point.)
$dir = param("name_from_form");
$dir = `ls $dir`;
print "Content-Type: text/html\n\n";
print "Here is your directory listing: $dir";
exit;

You see why pipes and semicolons and things become dangerous.
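Added example, not from the post above: notfred's directory-listing script rewritten in PHP, with the unsafe version next to a hardened one so the effect of a semicolon in the input is visible. The base directory and the sample inputs are constructed for illustration; the unsafe command line is only built and printed, never run.

```php
<?php
// Added example, not from the original thread: notfred's directory-listing
// script rewritten in PHP, as the unsafe version next to a hardened one.
// The base directory and the sample inputs are constructed for illustration.

// The only tree this script is allowed to list (assumed).
$base = sys_get_temp_dir();

// Unsafe: the user's string is spliced into the command line as-is. With
// input such as "/tmp; id" the shell runs ls and then id. Built here only so
// the resulting command line can be shown; it is never executed.
function unsafeCommand(string $dir): string
{
    return "ls $dir";
}

// Hardened: resolve the path and refuse anything outside $base, then pass the
// result through escapeshellarg() so the shell sees one literal argument no
// matter what characters it contains.
function safeListing(string $base, string $dir): string
{
    $root = realpath($base);
    $target = realpath($base . DIRECTORY_SEPARATOR . $dir);
    $inside = $target !== false && $root !== false
        && ($target === $root || strpos($target, $root . DIRECTORY_SEPARATOR) === 0);
    if (!$inside) {
        return "refused: not a directory under the allowed base\n";
    }
    $out = shell_exec('ls ' . escapeshellarg($target));
    return is_string($out) ? $out : '';
}

// Constructed attacker inputs.
$payload = '/tmp; id';
echo "unsafe command line: ", unsafeCommand($payload), "\n";   // ls /tmp; id
echo "quoted argument:     ", escapeshellarg($payload), "\n";  // '/tmp; id'
echo safeListing($base, $payload);        // refused: no such path under $base
echo safeListing($base, '../../../etc');  // refused: resolves outside $base
echo safeListing($base, '.');             // lists $base itself
```

The realpath() check does the real work: it turns the request into an allow-list decision (is this a directory under the base or not) before any command is built. escapeshellarg() is the second layer, and it is what stops "; id" from being parsed as a separate command if the path check is ever loosened.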
 
Ahh ok, I get it now, thanks guys 🙂

The book I was reading was about PHP/MySQL 🙂

So I'm gonna escape all the crap that gets into my db, and unescape it later when I output!

Thanks!
-Hubert
 
Originally posted by: notfred
I don't write PHP, but think of a situation like this (written in as simple Perl as I can... hopefully it's understandable to a PHP programmer):

#!/usr/bin/perl
use CGI qw(:standard);
# Read the form field and echo it straight back. The string is only printed,
# never handed to a shell or a database, so quotes in it do nothing here.
$name = param("name_from_form");
print "Content-Type: text/html\n\n";
print "Hello $name, welcome to my webpage!";
exit;

There's absolutely no possible way that that input could be harmful. Now, if it was:

Depends on your definition of harmful. 😉 They could put <a href="#" onmouseover="alert('You got haxored!')">Hello</a>... or any other fun javascript/html.
 
Originally posted by: BingBongWongFooey
Depends on your definition of harmful. 😉 They could put <a href="#" onmouseover="alert('You got haxored!')">Hello</a>... or any other fun javascript/html.

Well, yeah, but I really don't care if they harm their own web browser 🙂
 
Originally posted by: notfred
Well, yeah, but I really don't care if they harm their own web browser 🙂

They'll harm everyone's if it's some sort of public thingie where you can post stuff for everyone else to see.
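Added example, not from any of the posts above: the payload BingBongWongFooey quoted, stored on a public board and rendered for every visitor, with unsafe and encoded output side by side. The $posts array stands in for the database table and both entries are constructed.

```php
<?php
// Added example, not from the original thread: the payload quoted above,
// stored on a public board and rendered for every visitor. The $posts array
// stands in for the database table; both entries are constructed.

$posts = [
    'Hello, nice board!',
    '<a href="#" onmouseover="alert(\'You got haxored!\')">Hello</a>',
];

// One encoder for HTML text nodes and double-quoted attribute values.
// ENT_QUOTES covers single quotes too, which matters inside value='...'.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: each post goes into the page as raw markup, so the second entry
// becomes a live element with an event handler in every reader's browser.
function renderUnsafe(array $posts): string
{
    $html = "<ul>\n";
    foreach ($posts as $p) {
        $html .= "  <li>$p</li>\n";
    }
    return $html . "</ul>\n";
}

// Safe: the same string is encoded at output time. The browser displays the
// characters "<a href=..." literally instead of parsing them as a tag.
function renderSafe(array $posts): string
{
    $html = "<ul>\n";
    foreach ($posts as $p) {
        $html .= '  <li>' . h($p) . "</li>\n";
        // The same value used to pre-fill a form field: attribute context,
        // same encoder, but only because the attribute is double-quoted.
        $html .= '  <li><input type="text" value="' . h($p) . '"></li>' . "\n";
    }
    return $html . "</ul>\n";
}

// htmlspecialchars() is only right for text and quoted attributes; a value
// dropped into a <script> block or used as a URL scheme needs its own encoder.
echo renderUnsafe($posts);
echo renderSafe($posts);
```

Run it and compare the two lists: in the first, the second item is an anchor with a working onmouseover handler; in the second, it is the text of the tag. The encoding happens when the page is built, not when the post is saved, which is what keeps the stored text reusable for other outputs (an RSS feed, a JSON API, a plain-text e-mail) that need different encoders.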
 
Originally posted by: BingBongWongFooey
They'll harm everyone's if it's some sort of public thingie where you can post stuff for everyone else to see.

Maybe I didn't make the perl simple enough for you to understand it 😉
 