Filter input escape output, or escape input filter output?

Tags: php, filter

I have a small confusion. When I search on Google, almost all articles suggest "Filter input, escape output". Unless I have confused the terms escaping and filtering all my life, it should be the opposite.

You get loads of articles which do something like

$username = htmlentities(htmlspecialchars(strip_tags($_POST['username'])));

and suggest doing it.

  1. We should not filter input. We should escape it (previously we did it with mysql_real_escape_string; nowadays prepared statements handle that for us). We should insert the user's submitted data into the database as-is, without changing it using functions like htmlspecialchars. We should always keep the original input in our database, so htmlspecialchars on input is wrong. HTML is not harmful to a database.

  2. We should filter output, so malicious code (HTML, JS, whatever) won't run in the browser. This is called XSS filtering, not XSS escaping. For example, {{{ $var }}} on Laravel 4 is called XSS filtering, and this should always be used on the output of user-submitted content.

If the statement "Filter input, escape output" is correct, why is it not mysql_real_filter_string(), and why isn't preventing XSS called XSS escaping?

Also, ircmaxell once said:

Filtering is not about preventing security vulnerabilities, it's about not populating your database with garbage. If you're expecting a date, make sure it at least looks like a date prior to storing it.

This is called validation, and you can't rely on validation only (especially on older versions of PHP). You need to both escape and validate input. Filtering may not be used against security vulnerabilities, but escaping is.

Well, this sums up my confusion. Can someone explain this to me?

Score: 341. Asked Apr 29 '14 10:04 by Aristona




1 Answer

Looks like my confusion was simple. I thought the output layer was the layer where we start using echos, such as the view layer.

According to Anthony Ferrara, output is the layer where data leaves your application, and input is the layer where data enters your application.

As such, the input layer is not limited to user-provided content: reading from config files, reading from the file system, retrieving data from 3rd-party APIs, etc. are all considered input.

Output is not limited to echo or print in the view layer. SQL queries also count as output, because data leaves our application and enters the database's scope. Likewise, writing to a file counts as output, and running a shell command counts as output.

So basically, querying the database is output, while retrieving results from the database is input.

When you think of it like that, "Filter input, escape output" sounds correct. If anybody else was confused like me, this really makes sense.

Score: 167. Answered Sep 29 '22 07:09 by Aristona
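The following is an added example, not code from the question or the answer, illustrating both the input/output boundary model the answer describes and why the htmlentities/htmlspecialchars/strip_tags chain quoted in the question is the wrong tool at the input boundary. It assumes PHP 7.4+ with the pdo_sqlite extension; the username policy (3 to 32 bytes, no control characters) and the birthdate format are assumptions chosen for the example, and the sample input is constructed.

```php
<?php
// Added example: "filter input, escape output" with one input boundary and
// three output boundaries (SQL, HTML, shell). Not from the original page.
declare(strict_types=1);

// --- Input boundary: validate, then keep the value exactly as the user typed it.
function acceptUsername(string $raw): ?string
{
    // Assumed policy for this example: 3..32 bytes, no ASCII control characters.
    $raw = trim($raw);
    $len = strlen($raw);
    if ($len < 3 || $len > 32 || preg_match('/[\x00-\x1F\x7F]/', $raw) === 1) {
        return null; // rejected: garbage never reaches the database
    }
    return $raw; // "O'Reilly & <Sons>" is stored as "O'Reilly & <Sons>"
}

function acceptBirthdate(string $raw): ?string
{
    // "Make sure it at least looks like a date": parse it and require a
    // round trip so that overflowing dates such as 2014-02-31 are rejected.
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// --- Output boundary 1: SQL. Data leaves the app for the database, and the
// prepared statement does the escaping for that destination.
function storeUser(PDO $db, string $username, string $birthdate): void
{
    $stmt = $db->prepare('INSERT INTO users (username, birthdate) VALUES (:u, :b)');
    $stmt->execute([':u' => $username, ':b' => $birthdate]);
}

// --- Output boundary 2: HTML. Escape at render time, for an HTML text node
// or attribute value specifically (ENT_QUOTES also covers single quotes).
function renderUsername(string $username): string
{
    return '<span class="user">'
        . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// --- Output boundary 3: shell. Same stored value, different destination,
// so a different escaping function applies.
function greetingCommand(string $username): string
{
    return 'echo ' . escapeshellarg('Hello, ' . $username);
}

// Constructed sample run (in-memory SQLite so it works offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, birthdate TEXT NOT NULL)');

$submitted = "O'Reilly & <Sons>";
$username  = acceptUsername($submitted);
$birthdate = acceptBirthdate('2014-04-29');
if ($username === null || $birthdate === null) {
    fwrite(STDERR, "rejected at the input boundary\n");
    exit(1);
}

storeUser($db, $username, $birthdate);
$stored = (string) $db->query('SELECT username FROM users')->fetchColumn();

// The database holds the original bytes; each output gets its own escaping.
var_dump($stored === $submitted);
echo renderUsername($stored), "\n";
echo greetingCommand($stored), "\n";

// For contrast, the chain quoted in the question applied at the input
// boundary: the tag is stripped and the ampersand is encoded twice, so the
// original value can no longer be recovered from what gets stored.
$mangled = htmlentities(htmlspecialchars(strip_tags($submitted)));
var_dump($mangled === $submitted);
```

Run it with `php example.php`. The point to take from the output is that the same stored string is escaped three different ways depending on where it is going, whereas encoding it once at input commits it to a single destination (HTML) and loses information for every other one.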