eelixduppy - 2:09 pm on Mar 4, 2010 (gmt 0)

Improper Encoding or Escaping of Output

This isn't as big of an issue IMO than some of the other ones in there (at least for web programming) but there are two ways to look at this one.

On the first hand there is output to the browser. Now as far as encoding goes using the wrong encoding might make some characters appear differently than what they should look like in the browser. Not that huge of an issue just the user may have trouble reading the output to the screen. I'm not going to talk about XSS in this part because there is a whole topic dedicated to that, so I'm just going to stick to encoding in general. So make sure that whatever you are using, you properly specific the character encoding, usually in the form of a meta tag in the head of your HTML document:


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">


On the other hand there is encoding the output in places such as your database queries. Since MySQL, an other DBMS, allow you to specific the character encoding, you must make sure that the query you are generating abides by your encoding and that unexpected results do not occur. If they happen to occur, it may be possible for an injection to take place (the topic of another post!). Sometimes it helps with this to use stored procedures.