Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
As in code so in print.
Posted by: SAS
Date: February 16, 2010 09:56PM

I've been in graphic design and this is more common than one would want to believe. I've never been on very good terms with Stefan Esser, but this is somewhat notably funny imho.

After visiting sektioneins I stumbled upon a very nice idea:
a PHP security poster, to hang on your wall next to your pinups and playboy foldouts. However, as in code so in print: humans make mistakes.
I instantly noticed a flaw that makes one given example totally useless, because as a PHP scripter I type this stuff everyday.

See:

http://www.sektioneins.de/downloads/SektionEins_WebSecurityPoster_englisch.pdf

So here is the snippet:

Escaping and Encoding Functions

• htmlspecialchars()
Escapes the characters & < and > as HTML 
entities to protect the application against XSS. 
The correct character set and the mode  
ENT_QUOTES should be used.

<?php
echo "Hello " . htmlspecialchars($_GET['name'], 'utf-8', ENT_QUOTES);
?>

Thing is, the 2nd parameter should be long (constant), not string as in charset.

This is the correct way (as I always used it)
<?php
echo "Hello " . htmlspecialchars($_GET['name'], ENT_QUOTES, 'utf-8');
?>

I hope the poster will see a revision before it gets printed.
(check, double check, and again).

Options: ReplyQuote
Re: As in code so in print.
Posted by: SAS
Date: February 17, 2010 04:54PM

<Thinking-OutLoud>

I think the ultimate lesson to learn here is simple: Everyone who think that they don't make mistakes, eventually make inevitable mistakes. Maybe that's why peer review is so important in scientific circles? a comforting thought...

</Thinking-OutLoud>

Options: ReplyQuote
Re: As in code so in print.
Posted by: Spyware
Date: February 19, 2010 07:22AM

You can try to contact the creator of the poster through the contact page: https://www.sektioneins.de/en/kontakt/index.html

Options: ReplyQuote


Sorry, only registered users may post in this forum.