yoshi

Reputation: 1315

Is htmlspecialchars() safe enough?

The user input is like this

$user_input = htmlspecialchars($_GET['$user_input']);

According to PHP.net:

'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
"'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'

But what about $? For example the code is like this:

echo "Some cool text $user_input";

Now let's say the user input is $secretCode, so: $_GET['$user_input'] = "$secretCode"; Will the code then not echo $secretCode?

Also what about this. Lets assume the code is like this:

$html = <<<EOF
<head>....
EOF;

What if the input is $_GET['$user_input'] = "EOF;"; Won't this quit the string?

Upvotes: 1

Views: 2459

Answers (3)

GolezTrol

Reputation: 116100

Constant strings in your PHP code will be parsed like that, but strings that come from another source are not.

So in the line below, the variable $world will be expanded:

$var = "Hello $world";

In the line below, the exact value is used as it is read from (probably) a database. Even if the field 'example' would contain the text 'Hello $world', the variable $world would not be expanded.

$var = $row['example'];

This is normal PHP behaviour and is not related per se to htmlspecialchars.

Upvotes: 0

deceze

Reputation: 522024

You're assuming a level of interpretation that doesn't exist. If you write string literals like this:

$foo = 'bar';
$baz = "Hello $foo";

Then yes, $foo will be interpolated into the string. That is because it is explicitly written as a string literal in PHP source code.

On the other hand:

$foo = 'bar';
$baz = $_GET['var'];

Under no circumstances whatsoever will anything be interpolated here. Nor here:

$foo = <<<EOL
    $_GET[var]
EOL;

$_GET['var'] can contain whatever it wants to, it is of no concern. PHP does not recursively evaluate all values over and over to see if there may be something that can be interpolated. There is no security issue here.

To provoke any of this recursive behaviour, you'd have to explicitly construct PHP source code as a string and then explicitly evaluate it:

$code = <<<EOL
    \$foo = 'bar';
    echo "Hello $_GET[var]";
EOL;

// \$foo is escaped so it stays literal text in $code; $_GET[var] is interpolated.
// With $_GET['var'] set to '$foo', $code is now:
// $foo = 'bar';
// echo "Hello $foo";

eval($code);

Unless you do something like this (and please, never use eval), nothing will happen.

For embedding arbitrary text inside of HTML, htmlspecialchars is fine to escape characters which have a special meaning in HTML; yes, it's secure.

Upvotes: 2
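The following script is an added example, not code from the question or from any of the answers. It simulates the request data offline with constructed values and walks through both of the question's scenarios (a request value that looks like `$secretCode`, and one that reads `EOF;`) plus the closing point of the answer above about htmlspecialchars, including the ENT_QUOTES caveat from the PHP.net excerpt in the question. The function names and sample values are assumptions made for the demo.

```php
<?php
// Added example; not part of the original post. All request values below are constructed.
$_GET = [
    'user_input' => '$secretCode',      // scenario 1: text that looks like a variable name
    'heredoc'    => 'EOF;',             // scenario 2: text that looks like a heredoc terminator
    'payload'    => "x' title='injected", // attribute probe for the ENT_QUOTES caveat
];

// Scenario 1: interpolation only happens in string literals written in PHP source.
// The request value is expanded once (as $user_input) and its content is left alone.
function interpolationDemo(string $secretCode, string $requestValue): array
{
    $user_input = htmlspecialchars($requestValue, ENT_QUOTES, 'UTF-8');
    $literal     = "Some cool text $secretCode"; // source-code literal: $secretCode expands
    $fromRequest = "Some cool text $user_input"; // expands to the literal text "$secretCode"
    return ['literal' => $literal, 'fromRequest' => $fromRequest];
}

// Scenario 2: the closing identifier of a heredoc is a token of the source file.
// Data that happens to contain "EOF;" is just characters inside the string.
function heredocDemo(string $requestValue): string
{
    $user_input = htmlspecialchars($requestValue, ENT_QUOTES, 'UTF-8');
    $html = <<<EOF
<head><title>$user_input</title></head>
EOF;
    return $html; // <head><title>EOF;</title></head>
}

// htmlspecialchars caveat: which quotes get encoded depends on the flags.
// ENT_COMPAT encodes only double quotes (the default before PHP 8.1);
// ENT_QUOTES encodes both (the default since PHP 8.1). Pass the flag explicitly.
function escapeDemo(string $raw): array
{
    $compat    = htmlspecialchars($raw, ENT_COMPAT, 'UTF-8');
    $allQuotes = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return [
        'text node'                     => "<p>$allQuotes</p>",
        'double-quoted attr, ENT_COMPAT' => "<input value=\"$compat\">",  // safe: " is encoded
        'single-quoted attr, ENT_COMPAT' => "<input value='$compat'>",    // ' survives and closes the attribute
        'single-quoted attr, ENT_QUOTES' => "<input value='$allQuotes'>", // ' becomes &#039;
    ];
}

$secretCode = 'hunter2';
print_r(interpolationDemo($secretCode, $_GET['user_input']));
echo heredocDemo($_GET['heredoc']), "\n";
print_r(escapeDemo($_GET['payload']));
```

Run it with `php demo.php`. The first two results show that neither `$secretCode` nor `EOF;` coming from the request has any effect on how the PHP source is parsed. The last result shows the one thing to watch with htmlspecialchars: it is safe for text nodes and double-quoted attributes, but a single-quoted attribute needs ENT_QUOTES, so pass the flags explicitly rather than relying on the version-dependent default.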

ins0

Reputation: 3928

PHP will not parse variables inside variables, because the variable is not written directly in your PHP code; PHP doesn't parse variables at this level. So with this in mind, the following example will fail and will output `some text and $bar`, not `some text and test`:

$_GET['foo'] = '$bar';

$baz = $_GET['foo'];
$bar = 'test';

echo "some text and $baz";
// some text and $bar

Upvotes: 0
