Escaping output may help protect from which common security vulnerabilities?
- Clickjacking
- Cross-Site Scripting
- Cross-Site Request Forgery
- SQL Injection
This question is part of PHP 7 certification guide by ZEND. The provided answer in the guide seems to be wrong!
My answer is Cross-Site Scripting. However, the answer provided by the guide is "Cross-Site Scripting" & "SQL Injection". This doesn't sound correct. Escaping input can protect against SQL injection. Please correct me if I am wrong?
php zend-framework zend-studio
asked Nov 22 '18 at 3:10 by Amir
1 Answer
Yeah, I think you're absolutely correct. I think your certification guide is wrong. Seems like a wonky question to begin with though anyway.
In both XSS and SQL Injection, the key here is that arbitrary data is used in a context without translating it to that context. In a way, this is all about disambiguating the "data" from the "command".
For HTML, the "data" is this arbitrary data that is presumably text. If you want to use text in HTML, you have to escape the reserved characters so that text isn't interpreted as HTML.
Likewise in SQL, if you're going to concatenate arbitrary values into a query, you need to make sure they don't get interpreted as part of the query itself (like quote marks or something), or you're going to have a bad day. (Better yet, fundamentally separate the data from the query itself using prepared/parameterized queries, and this becomes a non-issue.)
It makes no sense that escaping output has anything to do with SQL injection... unless that "output" is a query being output to a database server.
(Related: https://stackoverflow.com/a/7810880/362536)
answered Nov 22 '18 at 3:13 by Brad
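The answer's point (escaping is context-specific, and HTML output escaping is irrelevant to SQL) is easiest to see with the same untrusted value pushed through both contexts. The following is an added example, not code from the question, the answer, or the Zend guide; the `users` table, the sample rows and the function names are assumptions made for the demonstration, and the database is an in-memory SQLite instance so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example. Table, rows and function names are made up for illustration.

// 1. HTML output context: escape the reserved characters so the data is
//    rendered as text instead of being parsed as markup.
function renderComment(string $untrusted): string
{
    // ENT_QUOTES escapes both ' and ", so the value is also safe inside a
    // quoted attribute; always pass the charset explicitly.
    $safe = htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="comment" title="' . $safe . '">' . $safe . '</p>';
}

// 2. SQL context, done right: the data never touches the query text.
function findUserById(PDO $db, string $untrustedId): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $untrustedId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2b. SQL context, done wrong: the value is concatenated into the query,
//     so anything that looks like SQL in it becomes part of the command.
function findUserByIdUnsafe(PDO $db, string $untrustedId): array
{
    $stmt = $db->query("SELECT id, name FROM users WHERE id = $untrustedId");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed attacker inputs, one per context.
$xssPayload = '<script>alert(1)</script>';
$sqlPayload = '1 OR 1=1';

// HTML context: the script tag comes out as inert text.
echo renderComment($xssPayload), PHP_EOL;

// Applying the HTML escaper to the SQL payload changes nothing, because the
// payload contains none of the characters htmlspecialchars() rewrites.
$stillSame = htmlspecialchars($sqlPayload, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $sqlPayload;
echo 'HTML escaping left the SQL payload unchanged: ', var_export($stillSame, true), PHP_EOL;

// Concatenation: the payload extends the WHERE clause and the row filter is gone.
echo 'unsafe query returned ', count(findUserByIdUnsafe($db, $sqlPayload)), ' rows', PHP_EOL;

// Prepared statement: the whole string is bound as a single value compared
// against the integer id column, so no row matches.
echo 'prepared query returned ', count(findUserById($db, $sqlPayload)), ' rows', PHP_EOL;
```

Run with `php example.php` (requires the `pdo_sqlite` extension). The concatenated query returns every row in the table, the prepared statement returns none, and the HTML escaper demonstrably does nothing to a SQL payload that carries no `<`, `>`, `&` or quote characters. The same holds in reverse: a database-escaping function such as `PDO::quote()` is not an HTML escaper, which is why the certification guide's pairing of "escaping output" with SQL injection only makes sense if the "output" is the query string itself.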