Hi Andrey,

On Wed, Jun 24, 2015 at 6:20 PM, Andrey Andreev <n...@devilix.net> wrote:

> On Wed, Jun 24, 2015 at 5:49 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> > Hi Xinchen,
> >
> > On Wed, Jun 24, 2015 at 11:42 AM, Xinchen Hui <larue...@php.net> wrote:
> >
> >> and for the "age" usage you replied in github, I think the author of
> >> such code should be aware, if it's only a number, then instead of
> >> htmlspecialchars($age), he should use echo $age directly... which is
> >> faster.
> >>
> >
> > To build secure apps, users MUST escape everything for the context by
> > _default_.
> > Selective escaping is the cause of injection vulnerability, especially with
> > a language like PHP.
> >
> > Principle is "Don't think, escape all (for the context)".
> >
>
> The key word here is "context" ... you know that there's nothing to
> escape for an integer, because the type is your context.
>
> Selective escaping isn't a problem by itself, but that many people use
> a blacklist approach instead of a whitelist one; and you can only fix
> that with education.


Right and agree.

Selective escaping isn't a problem by itself, but people make mistakes, make
wrong assumptions, and use a wrong blacklist approach. The same variable can
be generated by different code paths/sources. It could be very hard to assure
a variable is really an int/float without validation. If one would like to
make sure what a variable is and skip escaping, they need something like

<td><?php echo is_numeric($var) ? $var : htmlspecialchars($var) ?></td>

It's much easier with unconditional escape everywhere like

<td><?php echo htmlspecialchars($var) ?></td>

if htmlspecialchars() is fast enough for int/float. (I'm not sure which one
is faster)

One example is SQLite, where making sure of a variable's type could be difficult.
SQLite can store a string _regardless_ of the column type definition. If developers add
SQLite support, in addition to MySQL/PostgreSQL, they may create an
attack vector if they don't escape unconditionally.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
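The SQLite point above, as an added example that is not code from the thread: it assumes PHP with the pdo_sqlite extension, and compares the three rendering strategies discussed (trust the schema, escape selectively, escape always) on a constructed INTEGER column that SQLite quietly lets hold text.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension.
// Shows why "the column is INTEGER, so echo $age directly" stops being safe
// once SQLite is a supported backend: SQLite's type affinity stores
// non-numeric text in an INTEGER column as TEXT instead of rejecting it.

function escapeHtml($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// "Type is the context": trust the declared column type and echo directly.
function cellTrustingSchema($age)
{
    return '<td>' . $age . '</td>';
}

// Selective escaping from the thread: skip escaping only when the value is numeric.
function cellSelective($age)
{
    return '<td>' . (is_numeric($age) ? $age : escapeHtml($age)) . '</td>';
}

// Escape-by-default: the same call for every value, whatever its type.
function cellEscaped($age)
{
    return '<td>' . escapeHtml($age) . '</td>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, age INTEGER)');

// Constructed rows: the second violates the declared type, and SQLite accepts
// it anyway (a strict-mode MySQL or PostgreSQL column would reject it).
$insert = $db->prepare('INSERT INTO users (age) VALUES (?)');
$insert->execute([42]);
$insert->execute(['<b>not a number</b>']);

// typeof() reports the storage class SQLite actually used for each row.
foreach ($db->query('SELECT age, typeof(age) AS t FROM users') as $row) {
    echo "SQLite stored the value as {$row['t']}\n";
    echo '  trusting schema: ', cellTrustingSchema($row['age']), "\n";
    echo '  selective:       ', cellSelective($row['age']), "\n";
    echo '  escaped always:  ', cellEscaped($row['age']), "\n";
}
```

Only the schema-trusting cell emits the stored markup verbatim; the other two produce `&lt;b&gt;not a number&lt;/b&gt;`, and the escape-always version does so without any per-variable decision.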
