Posted by Sebastian Lisken on 01/15/08 02:24
Hi, I'm in the process of securing a PHP/MySQL website by making sure
all strings that can at least possibly be manipulated from the outside
are passed through the appropriate escaping functions and/or validated
against patterns. In the most canonical cases, SQL strings supplied from
the outside are handled by mysql_real_escape_string, HTML snippets by
htmlentities, GET parameters in query strings by rawencodeurl. What I'm
unsure about is whether SID needs to be treated. It's the variable used
most often, so I guess I could improve efficiency a bit by not adding
an escaping function in snippets such as
<a href="<? echo htmlentities($_SERVER['PHP_SELF']) . "?" . SID; ?>">
Is there a known scenario in which an attacker could set SID to contain,
say, HTML that could then be used in an XSS attack?
Thanks for your opinions
Sebastian Lisken