Escape Output
Another cornerstone of web application security is the practice of escaping outputescaping or encoding special characters so that their original meaning is preserved. For example, O’Reilly is represented as O\’Reilly when being sent to a MySQL database. The backslash before the apostrophe is there to preserve itthe apostrophe is part of the data and not meant to be interpreted by the database.
As with filtering input, when I refer to escaping output , I am really describing three different steps:
*
Identifying output
*
Escaping output
*
Distinguishing between escaped and unescaped data
To escape output, you must first identify output. In general, this is much easier than identifying input because it relies on an action that you take. For example, to identify output being sent to the client, you can search for strings such as the following in your code:
*
echo
*
print
*
printf
*
Welcome back, {$html[’username’]}.
“;
?>
