
Escaping output may help protect from which common security vulnerabilities?

  • Clickjacking
  • Cross-Site Scripting
  • Cross-Site Request Forgery
  • SQL Injection

This question is part of the PHP 7 certification guide by ZEND. The provided answer in the guide seems to be wrong! My answer is Cross-Site Scripting. However, the answer provided by the guide is "Cross-Site Scripting" & "SQL Injection". This doesn't sound correct. Escaping input can protect against SQL injection. Please correct me if I am wrong!?

Yeah, I think you're absolutely correct. I think your certification guide is wrong. Seems like a wonky question to begin with though anyway.

In both XSS and SQL Injection, the key here is that arbitrary data is used in a context without translating it to that context. In a way, this is all about disambiguating the "data" from the "command".

For HTML, the "data" is this arbitrary data that is presumably text. If you want to use text in HTML, you have to escape the reserved characters so that text isn't interpreted as HTML.

Likewise in SQL, if you're going to concatenate arbitrary values into a query, you need to make sure they don't get interpreted as part of the query itself (like quote marks or something), or you're going to have a bad day. (Better yet, fundamentally separate the data from the query itself using prepared/parameterized queries, and this becomes a non-issue.)

It makes no sense that escaping output has anything to do with SQL injection... unless that "output" is a query being output to a database server.

(Related: https://stackoverflow.com/a/7810880/362536 )
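The answer above is about matching the escaping to the context the data lands in. The following is an added example, not code from the question, the answer or the Zend guide, written in Python rather than PHP so it can be run stand-alone; all names, the in-memory SQLite table and the sample values are constructed for illustration. It shows HTML output escaping neutralizing a script payload, a quote-doubling "SQL-style" escape applied to HTML output doing nothing for that same payload, string concatenation letting a quote in the data rewrite a query (and breaking on a legitimate apostrophe), and a parameterized query handling both inputs correctly.

```python
import html
import sqlite3

# Constructed sample inputs (not from the original post): one payload that is
# hostile in the HTML text context, one that is hostile in the SQL string
# context, and one legitimate value that happens to contain a SQL metacharacter.
XSS_PAYLOAD = "<script>alert(1)</script>"
SQLI_PAYLOAD = "x' OR '1'='1"
LEGIT_NAME = "O'Brien"


def render_greeting(name):
    """HTML output: escape for the HTML text context so the data stays data."""
    return "<p>Hello, {}</p>".format(html.escape(name, quote=True))


def render_greeting_sql_escaped(name):
    """Wrong-context escaping: doubling single quotes is SQL string syntax.
    It does nothing for HTML metacharacters, so the script tag survives."""
    return "<p>Hello, {}</p>".format(name.replace("'", "''"))


def make_db():
    """In-memory SQLite database populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret"), (LEGIT_NAME, "obrien-secret")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the value is pasted into the command text, so a quote in
    the data changes the query. Returns the secret of every matching row."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_concat_or_error(conn, name):
    """Same as lookup_concat, but returns the database error as a string to
    show that a legitimate apostrophe also breaks the concatenated query."""
    try:
        return lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        return "error: {}".format(exc)


def lookup_param(conn, name):
    """Parameterized: the driver sends the value separately from the query
    text, so no character in the data can become query syntax."""
    sql = "SELECT secret FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    print("HTML-escaped output:     ", render_greeting(XSS_PAYLOAD))
    print("SQL-style escaped output:", render_greeting_sql_escaped(XSS_PAYLOAD))
    print("concat, injection:       ", lookup_concat_or_error(db, SQLI_PAYLOAD))
    print("concat, legitimate name: ", lookup_concat_or_error(db, LEGIT_NAME))
    print("param, injection:        ", lookup_param(db, SQLI_PAYLOAD))
    print("param, legitimate name:  ", lookup_param(db, LEGIT_NAME))
```

Running it shows the two failure modes side by side: `render_greeting_sql_escaped` leaves `<script>` intact because quote-doubling is the wrong escape for HTML, and `lookup_concat` returns every row for the injection payload while raising a syntax error for `O'Brien`. Only `lookup_param` treats both values as plain data, which is the answer's point that parameterized queries make SQL injection a non-issue independent of whatever escaping is applied to HTML output.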

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
