Safely Outputting Fields


doubledee

On my website, I have Sticky Forms that use the following style code...

<input id="firstName" name="firstName" type="text" maxlength="30"
		value="<?php if(isset($firstName)){echo htmlspecialchars($firstName, ENT_QUOTES);} ?>" /><!-- Sticky Field -->

Do I need to use htmlspecialchars($firstName, ENT_QUOTES); anytime I output data to the screen??

For example, in this code do I need to wrap $username??

echo '	<div class="userInfo">
			<a href="#" class="username">
				<strong>' . $username . '</strong>
			</a>';

Debbie

That would completely depend on what $username contains and what context you're displaying it in.

The context is having User Details alongside any Comments a User posts on my site. (Just like how it works on PHPFreaks.)

<username>

<user's picture>

<user's location>

<# of posts>

<user's comments>

Does that help?

Debbie

If the original source of the data is untrusted (i.e., was typed in by a user) then before outputting it in your HTML yes, you need to escape it using htmlentities or htmlspecialchars (either will work fine).

The items above would be output in my "article.php" script.

However that data was originally entered when the User registered, and in the "Create an Account" form I have this code...

<!-- Username -->
<label for="username"><b>*</b>Username:<span class="fieldRequirements">(Must be 8-30 characters.)</span></label>
<input id="username" name="username" type="text" maxlength="30"
	value="<?php if(isset($username)){echo htmlspecialchars($username, ENT_QUOTES);} ?>" /><!-- Sticky Field -->
<?php
	if (!empty($errors['username'])){
		echo '<span class="error">' . $errors['username'] . '</span>';
	}
?>

Shouldn't that "sanitize" the Username so it is safe when I output it in "article.php"??

Debbie

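Added example, not code from any post in this thread, illustrating the point the replies above make about the "Create an Account" form: the htmlspecialchars() call in the sticky field only affects the copy echoed back into the value attribute, while the value that gets saved is whatever was submitted, so article.php has to escape it again when it writes it into HTML. The $db array is a constructed stand-in for the database row and the sample username is made up.

```php
<?php
// Added example, not code from the thread. Shows why the sticky-field escape
// in the registration form does not make the stored username safe for
// article.php. $db is a constructed stand-in for the database row.

declare(strict_types=1);

// Constructed sample input: what a user might type into the registration form.
$submitted = 'Debbie <b>O\'Hara</b> & "co"';

// --- registration form ----------------------------------------------------
// The sticky field escapes only the copy echoed back into the value attribute.
// What gets saved is the raw submission, exactly as typed.
$stickyValue = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
$db = ['username' => $submitted];   // stand-in for the INSERT

// --- article.php ----------------------------------------------------------
// As written in the original post: the stored value is dropped straight into
// the markup, so any tags or quotes it contains become part of the page.
function renderUserInfoUnsafe(string $username): string
{
    return '<div class="userInfo"><strong>' . $username . '</strong></div>';
}

// Escaped at the point of output: the browser shows the username as text,
// whatever happened to it on the way in.
function renderUserInfo(string $username): string
{
    return '<div class="userInfo"><strong>'
        . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
        . '</strong></div>';
}

echo "sticky value attribute: ", $stickyValue, "\n";
echo "stored in the database: ", $db['username'], "\n";
echo "article.php, unescaped: ", renderUserInfoUnsafe($db['username']), "\n";
echo "article.php, escaped:   ", renderUserInfo($db['username']), "\n";

// Escaping once before the INSERT is not a substitute: every later output
// would have to know the value is already escaped, and escaping it again
// turns &lt;b&gt; into &amp;lt;b&amp;gt;, which the browser then shows as
// the literal text "&lt;b&gt;".
$storedEscaped = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
echo "escaped on input, then again on output: ", renderUserInfo($storedEscaped), "\n";
```

Run it with `php example.php`; the two "article.php" lines differ only in whether the stored value was passed through htmlspecialchars() at output time, which is the whole difference between the username rendering as markup and rendering as text.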

Yes. You sanitized username and entered it into the db, so it's already clean when outputting to your articles.php page.

Sanitizing input for the purpose of saving in the database does not make that content "safe" to display in a web page.

However that data was originally entered when the User registered, and in the "Create an Account" form I have this code...

<!-- Username -->
<label for="username"><b>*</b>Username:<span class="fieldRequirements">(Must be 8-30 characters.)</span></label>
<input id="username" name="username" type="text" maxlength="30"
	value="<?php if(isset($username)){echo htmlspecialchars($username, ENT_QUOTES);} ?>" /><!-- Sticky Field -->
<?php
	if (!empty($errors['username'])){
		echo '<span class="error">' . $errors['username'] . '</span>';
	}
?>

Shouldn't that "sanitize" the Username so it is safe when I output it in "article.php"??

That code is only escaping the content for the purposes of the "stickiness" of your form. That has no bearing on how you might use the saved value in other places (as you proposed above).

As kicken already stated, (you know, I use the phrase "as already stated" a LOT with you) if the data came from the user you need to treat it as "untrusted" and always escape it based upon the method in which you are using it. This includes DB queries, HTML output, etc. Even if you were outputting content to a CSV file you need to properly escape it so that a rogue comma in the data doesn't corrupt the file.

I'll also add that even if you are, currently, restricting usernames to certain characters that wouldn't cause a problem being output to HTML, it is still a good practice to escape it anyway. If you were to decide later that you were too restrictive in your rules for usernames you wouldn't want to hunt through your code to find all the places that it is used in output.

That code is only escaping the content for the purposes of the "stickiness" of your form. That has no bearing on how you might use the saved value in other places (as you proposed above).

Yeah, that dawned on me last night...  :-[

As kicken already stated, (you know, I use the phrase "as already stated" a LOT with you)

That is why YOU are a "guru" and I am not!!!

Being a newbie means that everything you teach me doesn't always stick the first time...

if the data came from the user you need to treat it as "untrusted" and always escape it based upon the method in which you are using it. This includes DB queries, HTML output, etc. Even if you were outputting content to a CSV file you need to properly escape it so that a rogue comma in the data doesn't corrupt the file.

I'll also add that even if you are, currently, restricting usernames to certain characters that wouldn't cause a problem being output to HTML, it is still a good practice to escape it anyway. If you were to decide later that you were too restrictive in your rules for usernames you wouldn't want to hunt through your code to find all the places that it is used in output.

So do you have an approach to sanitizing data for output?

Maybe run everything through a sanitizeMe() function before you display things, or do you just hard-code on an as-needed basis?!

Debbie

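Added example, not code from any post in this thread, covering two things raised above: Psycho's point that the escaping rule depends on where the value is going (HTML output, a DB query, a CSV file), and Debbie's question about a single sanitizeMe() function versus escaping case by case. The usual pattern is one short helper per output context, called at the point of output on the raw stored value, rather than one function run over everything. It assumes the pdo_sqlite extension is available; the table, the e() helper and the sample user records are constructed for the example.

```php
<?php
// Added example, not code from the thread. One helper per output context,
// applied at the moment of output: the stored value stays raw and the rule
// is chosen by the destination. Assumes the pdo_sqlite extension; the table
// and the sample records below are constructed for this example.

declare(strict_types=1);

// HTML context (element text and attribute values). ENT_QUOTES escapes both
// quote styles, so the same helper is safe inside value="..." and between tags;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample user records, as they would come back from the database.
$users = [
    ['username' => 'debbie',                   'location' => 'Phoenix, AZ', 'posts' => 42],
    ['username' => 'Ann "The Guru" <O\'Neil>', 'location' => 'Paris, "TX"', 'posts' => 7],
];

// 1. HTML output (article.php): escape each field as it is written.
function renderUserInfo(array $user): string
{
    return '<div class="userInfo">'
        . '<a href="#" class="username" title="' . e($user['username']) . '">'
        . '<strong>' . e($user['username']) . '</strong></a>'
        . '<span class="location">' . e($user['location']) . '</span>'
        . '<span class="posts">' . (int) $user['posts'] . '</span>'
        . '</div>';
}

// 2. SQL context: no escaping function at all. A prepared statement keeps the
//    value out of the query text, so quotes in the username are just data.
function saveUsers(PDO $pdo, array $users): int
{
    $pdo->exec('CREATE TABLE users (username TEXT, location TEXT, posts INTEGER)');
    $stmt = $pdo->prepare('INSERT INTO users (username, location, posts) VALUES (:u, :l, :p)');
    foreach ($users as $user) {
        $stmt->execute([':u' => $user['username'], ':l' => $user['location'], ':p' => $user['posts']]);
    }
    return (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// 3. CSV context: fputcsv() quotes any field containing the delimiter or a
//    quote, so the comma in "Phoenix, AZ" does not become an extra column.
//    The escape parameter is passed explicitly as '' so backslashes are plain
//    data (and no deprecation notice is raised on newer PHP versions).
function exportCsv(array $users): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, ['username', 'location', 'posts'], ',', '"', '');
    foreach ($users as $user) {
        fputcsv($fh, [$user['username'], $user['location'], $user['posts']], ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

foreach ($users as $user) {
    echo renderUserInfo($user), "\n";
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "rows stored: ", saveUsers($pdo, $users), "\n";

echo exportCsv($users);
```

The design choice worth noting is that none of the three paths transforms the value before it is stored; each destination applies its own rule when the value leaves the application, which is what lets a username like the second one survive all three outputs intact.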

As kicken already stated, (you know, I use the phrase "as already stated" a LOT with you)

 

That is why YOU are a "guru" and I am not!!!

 

Being a newbie means that everything you teach me doesn't always stick the first time...

Having a fancy image next to my name does not impart special comprehension skills. And, that's what this is - taking the time to comprehend what was provided. kicken's response was short, concise and was written in plain English not "code speak" that a "newbie" might get confused by.

So do you have an approach to sanitizing data for output?

Maybe run everything through a sanitizeMe() function before you display things, or do you just hard-code on an as-needed basis?!

Why should I respond to that when, again, kicken has already answered it.

If the original source of the data is untrusted (i.e., was typed in by a user) then before outputting it in your HTML yes, you need to escape it using htmlentities or htmlspecialchars (either will work fine).