
Escaping Characters (PHP)

Author Joseph Stenhouse on November 27, 2010
Escape Output

Output is anything that leaves your application, bound for a client. The client, in
this case, is anything from a Web browser to a database server, and just as you should
filter all incoming data, you should escape all outbound data. Whereas filtering input
protects your application from bad or harmful data, escaping output protects the
client and user from potentially damaging commands.

Escaping output should not be regarded as part of the filtering process, however.
These two steps, while equally important, serve distinct purposes. Filtering
ensures the validity of data coming into the application; escaping protects
you and your users from potentially harmful attacks. Valid data can still be
dangerous at its destination: an apostrophe is legitimate in a surname, yet it
terminates a string literal in SQL and an attribute value in HTML. Output must be
escaped because clients (Web browsers, database servers, and so on) often take
action when encountering special characters. For Web browsers, these special
characters form HTML tags; for database servers, they may include quotation marks
and SQL keywords. Therefore, it is necessary to know the intended destination of
output and to escape accordingly.

Escaping output intended for a database will not suffice when sending that same
output to a Web browser; data must be escaped according to its destination. Since
most PHP applications deal primarily with the Web and databases, this section will
focus on escaping output for these mediums, but you should always be aware of the
destination of your output and any special characters or commands that destination
may accept and act upon, and be ready to escape those characters or commands
accordingly.

To escape output intended for a Web browser, PHP provides htmlspecialchars()
and htmlentities(). The latter is the more exhaustive, converting every character
that has a named HTML entity, but once the page declares its character set it
offers no additional protection over htmlspecialchars(), which converts only the
characters significant to HTML markup (&, <, > and ", plus ' when ENT_QUOTES is
given). Whichever you use, pass ENT_QUOTES so that single quotes are converted as
well, and name the character set explicitly; both are needed for a value placed
inside a quoted attribute. Note also that this escaping is correct for HTML text
and quoted attribute values only; a value placed inside a script block, a URL, or
a style rule has a different destination and must be escaped for that context
instead. The following code example illustrates the use of htmlentities() to
prepare output before sending it to the browser. Another concept illustrated is
the use of an array specifically designed to store output. If you prepare output
by escaping it and storing it to a specific array, you can then use the latter's
contents without having to worry about whether the output has been escaped.

If you encounter a variable in your script that is being output and is not part
of this array, then it should be regarded suspiciously. This practice will help make
your code easier to read and maintain. For this example, assume that the value for
$user_message comes from a database result set.

// Escaped output is stored in $html only; the raw value is never echoed
$html = array();
$html['message'] = htmlentities($user_message, ENT_QUOTES, 'UTF-8');
echo $html['message'];
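As an added example (not code from the original page), the PHP below applies the same output-array discipline to a constructed payload and shows two flag-related failure modes a practitioner should know: without ENT_QUOTES a single-quoted attribute can still be broken out of, and without ENT_SUBSTITUTE an invalid UTF-8 byte makes htmlspecialchars() return an empty string, silently dropping the message. The helper name escape_html() and the sample values are assumptions made for the demonstration; it assumes PHP 7.0 or later.

```php
<?php
// Added example, not from the original page. Escapes one untrusted value for
// HTML text and quoted attribute values and shows two flag-related pitfalls.
// Assumes PHP 7.0+; escape_html() and the sample payload are made up here.

// Escape for HTML body text and double- or single-quoted attribute values.
// ENT_QUOTES converts both kinds of quote; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences with U+FFFD instead of returning an empty string.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed untrusted input: closes a single-quoted attribute, adds an
// event handler, then closes the tag and injects a script element.
$user_message = "' onmouseover='alert(1)'><script>alert(1)</script>";

// All escaped output lives in $html; anything echoed from elsewhere is suspect.
$html = array();
$html['message'] = escape_html($user_message);

// Safe in both placements: ', ", <, > and & have all been converted.
echo '<p>' . $html['message'] . "</p>\n";
echo "<input type='text' value='" . $html['message'] . "'>\n";

// Pitfall 1: ENT_COMPAT (the default before PHP 8.1) leaves the single quote
// alone, so the single-quoted attribute above could still be broken out of.
$compat = htmlspecialchars($user_message, ENT_COMPAT, 'UTF-8');
printf("ENT_COMPAT keeps the single quote: %s\n",
       strpos($compat, "'") !== false ? 'yes' : 'no');

// Pitfall 2: an invalid UTF-8 sequence (a lone lead byte, constructed here)
// makes htmlspecialchars() return '' unless ENT_SUBSTITUTE is given, so the
// whole message disappears from the page instead of being rendered.
$bad_utf8 = "hello \xC3 world";
printf("without ENT_SUBSTITUTE: %d bytes\n",
       strlen(htmlspecialchars($bad_utf8, ENT_QUOTES, 'UTF-8')));
printf("with ENT_SUBSTITUTE:    %d bytes\n", strlen(escape_html($bad_utf8)));
```

Run it with the php command-line interpreter. The second pitfall is the one most often missed in review: an empty string is not an injection, but it is a denial of the data, and it is easy to mistake for a bug elsewhere in the application.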
Escape output intended for a database server, such as in an SQL statement, with the
database-driver-specific *_escape_string() function (mysqli_real_escape_string(),
for example). Such a function protects only a value placed inside a quoted string
literal, and it relies on the connection's character set being correct, so when
possible use prepared statements instead. Since PHP 5.1 includes PHP Data Objects
(PDO), you may use prepared statements for all database engines for which there is
a PDO driver. If the database engine does not natively support prepared statements,
then PDO emulates this feature transparently for you.

The use of prepared statements allows you to specify placeholders in an SQL statement.
This statement can then be used multiple times throughout an application,
substituting new values for the placeholders each time. Because the values are sent
separately from the statement text, the database engine never parses them as SQL
(if PDO is emulating prepared statements, it quotes the values for you before
sending the statement). Placeholders stand for values only: a table or column name
cannot be bound and must instead be checked against a fixed list of allowed names.
The Database Programming chapter contains more information on prepared statements,
but the following code provides a simple example for binding parameters to a
prepared statement.

// First, filter the input: only a purely alphabetic username is accepted
$clean = array();
if (isset($_POST['username']) && ctype_alpha($_POST['username']))
{
    $clean['username'] = $_POST['username'];
}
else
{
    // Stop here rather than binding an unset value below
    die('Invalid username');
}
// Set a named placeholder in the SQL statement for username
$sql = 'SELECT * FROM users WHERE username = :username';
// Assume the database handler exists; prepare the statement
$stmt = $dbh->prepare($sql);
// Bind a value to the parameter (bindParam() binds the variable by reference,
// so it is read when execute() runs; bindValue() would copy it immediately)
$stmt->bindParam(':username', $clean['username']);
// Execute and fetch results
$stmt->execute();
$results = $stmt->fetchAll();
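As an added example covering both the driver-escape paragraph and the prepared-statement paragraph above (not code from the original page or from the book's Database Programming chapter), the PHP below runs the same username lookup three ways against an in-memory SQLite database so it can be tried offline: spliced into the SQL text, bound to a PDO placeholder, and wrapped in PDO::quote(), which is PDO's equivalent of the driver-specific *_escape_string() functions. The users table, the function names and the attacker-controlled value are constructed for the demonstration; it assumes PHP 7.0 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not from the original page. Compares an unparameterised
// query, a PDO prepared statement and PDO::quote() on the same tainted input.
// Assumes PHP 7.0+ with pdo_sqlite; table, rows and payload are constructed.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)');
$dbh->exec("INSERT INTO users (username, secret) VALUES ('alice', 's3cret-a'), ('bob', 's3cret-b')");

// Constructed input that has bypassed filtering: a classic tautology payload.
$tainted = "x' OR '1'='1";

// Vulnerable: the value is spliced into the SQL text, so the quote it carries
// terminates the literal and the OR clause matches every row in the table.
function lookup_unsafe(PDO $dbh, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value is bound to a placeholder and never becomes part of the SQL
// text, whether the driver handles the statement natively or PDO emulates it.
// The lookup matches only a user literally named "x' OR '1'='1".
function lookup_prepared(PDO $dbh, string $username): array
{
    $stmt = $dbh->prepare('SELECT username FROM users WHERE username = :username');
    // bindValue() copies the value now; bindParam() would bind by reference
    // and read the variable only when execute() runs.
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Fallback when a placeholder cannot be used: PDO::quote() is the driver-aware
// escape, doubling the embedded quote so the literal stays intact. It protects
// a quoted string literal only, never an identifier or an unquoted number.
function lookup_quoted(PDO $dbh, string $username): array
{
    $sql = 'SELECT username FROM users WHERE username = ' . $dbh->quote($username);
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

printf("unsafe:   %s\n", implode(',', lookup_unsafe($dbh, $tainted)));
printf("prepared: %s\n", implode(',', lookup_prepared($dbh, $tainted)));
printf("quoted:   %s\n", implode(',', lookup_quoted($dbh, $tainted)));
```

Run it with the php command-line interpreter. Because the SQLite database lives in memory, the script is safe to rerun; swapping the DSN for a MySQL or PostgreSQL one leaves the three functions unchanged, which is the point of letting PDO handle the escaping.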


Category: Web Security

Last updated on December 20, 2010