modern-web-design-and-development

(Brent) #1

information from the URI or user entry and printing it out in the page. As
shown earlier in the XSS example with the colors, you will be making it
easier to inject malicious code into your page.


There are two ways to deal with this: whitelisting and proper filtering.


Whitelisting is the most effective way to make sure nothing insecure gets
written out. The trick is easy: don’t use information that gets sent through
as the output; rather, just use it in conditions or as lookups.


Let’s say you want to add a file on demand to a page. You currently have
these sections on the page: About Us, Contact, Clients, Portfolio, Home,
Partners. You could store the data of these in about-us.php, contact.php,
clients.php, portfolio.php, index.php and partners.php.


The amazingly bad way to do this is probably the way you see it done in
many tutorials: a file called something like template.php, which takes a
page parameter with the file name.


The template then normally contains something like this:


<?php include($_GET['page']); ?>

If you call http://example.com/template.php?page=about-us.php, this would
load the “About Us” document and include it in the template where the code
is located.


It would also allow someone to check out all of the other interesting things
on your server. For example,
http://example.com/template.php?page=../../../../../../../../etc/passwd%00
or the like would allow an attacker to read your passwd file.
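A whitelisted version of the same template, as an added example that is not from the book: the page parameter is only ever used as a lookup key into a fixed map, so nothing but the six files named above can be included, and the raw value is never printed back. The map and the helper name resolvePageFile are assumptions for this illustration.

```php
<?php
// Added example (not from the book): whitelist-based include for template.php.
// The request parameter is used only as a lookup key; it is never echoed and
// never handed to include() directly.

// Allowed page keys mapped to the files that back them (file names assumed
// from the text; adjust to your layout).
const PAGE_FILES = [
    'home'      => 'index.php',
    'about-us'  => 'about-us.php',
    'contact'   => 'contact.php',
    'clients'   => 'clients.php',
    'portfolio' => 'portfolio.php',
    'partners'  => 'partners.php',
];

/**
 * Resolve a page key from the query string to a whitelisted file.
 * Returns null for anything that is not an exact key in PAGE_FILES, so
 * "about-us.php", "../../etc/passwd" or a null-byte payload all fall through.
 */
function resolvePageFile($page): ?string
{
    // ?page[]=x arrives as an array; only plain strings are considered.
    if (!is_string($page)) {
        return null;
    }
    // No normalisation of the untrusted value is attempted: it either matches
    // one of our keys exactly or it does not.
    return array_key_exists($page, PAGE_FILES) ? PAGE_FILES[$page] : null;
}

$requested = $_GET['page'] ?? 'home';
$file = resolvePageFile($requested);

if ($file === null) {
    // Unknown key: respond with a 404 and include nothing. The raw value is
    // deliberately not printed back, which also avoids the XSS case.
    http_response_code(404);
    echo 'Page not found';
    exit;
}

// $file now comes from our own constant, not from the request.
include __DIR__ . '/' . $file;
```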
