WebApp Sec mailing list archives

RE: php to do input validation...


From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Thu, 3 Feb 2005 20:26:49 +1100

Yes, if it is done correctly. Certainly, functions which are available for
newer apps are always appreciated as far as I'm concerned, such as
reasonable XSS controls, validation functions and classes as well as
optional HTTP filters like mod_security or URLscan implements.

Other successful-by-default controls:

.NET Framework 1.1 SP1 prevents a lot of URL-based XSS due to controls on
acceptable characters. This helped prevent split session attacks. 1.1 is
simply not vulnerable unless you *really* go out of your way.

J2EE when used with Struts controls a lot of output XSS as long as you use
the most common output beans (bean:write), although older or non-Struts code
doesn't benefit from this.

So APIs which can be transparently made safe would be a boon.

In PHP's case, something which escapes:

echo and print
printf and friends
?>=$foo<?php
?> ... $foo ... <?php (mostly used in eval()'d code)

And others by default would be good. Web app code which breaks under this
model is usually trying to output HTML binary attachments, which is better
done using streams anyway.

Thanks,
Andrew
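As an added illustration of the escape-by-default output layer Andrew sketches above (example code written for this page, not from the thread or from PHP itself), the following script puts a raw `echo` next to a wrapper that routes every value through `htmlspecialchars`, gives `printf` the same treatment, and keeps an explicit unescaped path for the binary-attachment case he mentions. The helper names `e`, `render_unsafe`, `render_safe`, `printf_safe` and `send_attachment`, and the sample value in `$name`, are assumptions made for the example; it assumes a current PHP (5.4 or later for `ENT_SUBSTITUTE`).

```php
<?php
// Added example, not code from the original message.
// Constructed sample input standing in for an untrusted request parameter.
$name = '<script>alert(1)</script>" onmouseover="x';

// Unsafe: the raw value is written straight into the HTML response,
// so any markup in it becomes part of the page.
function render_unsafe(string $value): string
{
    return "<p>Hello, $value</p>";
}

// The escaping primitive an "escape by default" echo/print would use.
// ENT_QUOTES covers single and double quotes (attribute contexts),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe: the value is escaped before it reaches the page.
function render_safe(string $value): string
{
    return '<p>Hello, ' . e($value) . '</p>';
}

// printf "and friends": the format string is trusted template text,
// the arguments are data and are escaped individually.
function printf_safe(string $format, string ...$args): void
{
    echo vsprintf($format, array_map('e', $args));
}

// Explicit opt-out for responses that must not be escaped, such as a
// binary attachment sent with streams; this is the case Andrew notes
// would otherwise break under an escape-by-default model.
function send_attachment(string $path, string $mime): void
{
    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

echo render_unsafe($name), "\n"; // script tag and attribute survive intact
echo render_safe($name), "\n";   // rendered as &lt;script&gt;...&quot; onmouseover=...
printf_safe("<p>Hello, %s</p>\n", $name);
```

`htmlspecialchars` is the right default for HTML text and quoted attribute values, which is what `echo`, `print` and `<?= ?>` mostly emit; a value landing inside a `<script>` block, a URL, or an unquoted attribute needs a context-specific encoder instead, so a language-level default covers the common case but does not remove the need to know where the output is going.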

-----Original Message-----
From: Matthew Wirges [mailto:wirges () purdue edu]
Sent: Wednesday, 2 February 2005 12:20 PM
To: webappsec () securityfocus com
Subject: php to do input validation...

I thought this was interesting...

http://news.php.net/php.internals/14474

Turns out that there may be input filtering in PHP's future. Maybe even
in the next release of 5.x.  Read that thread for more information.

My question for webappsec is: do you think it's a good idea for a
programming language to add this sort of functionality?  Does it coddle
users?  Does it give a false sense of security (especially if they
aren't implemented right)?  Or do the positives outweigh the negatives?

Cheers,
-matt
--
Matthew Wirges
IT Security and Policy Analyst
Office of the Vice President for Information Technology
Security and Privacy, Purdue University
wirges () purdue edu :: (765)49-62307
PGP/GPG: EB69 701E EECC 5DD0 E604  0EE0 1346 74BF 5DBC 5ADB