Encoding Vulnerabilities in Web Applications

Types of Encoding Vulnerabilities (with Code Examples)

<!-- BAD: Direct output without encoding -->
Hello, !

<!-- GOOD: Proper output encoding -->
Hello, !

// BAD: User input directly in query
$sql = "SELECT * FROM users WHERE username = '" . $_POST['user'] . "'";

// GOOD: Use parameterized queries
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$_POST['user']]);

// Filter removes <script>, but double-encoded payload passes
Input: %253Cscript%253Ealert(1)%253C/script%253E
// Decoded twice: <script>alert(1)</script>

// Normalize input before validating/filtering
$input = urldecode(urldecode($input));
// Then validate/sanitize

How Attackers Exploit Encoding Flaws

Attackers look for places where user input is not correctly encoded or sanitized for its output context. They experiment with payloads—using double encoding, alternate charsets, or context switches (e.g., injecting JS into an HTML attribute)—to bypass naive filters. Here’s a quick comparison:

Encoding Security: Best Practices (2025)

• Use contextual output encoding (HTML, JS, URL, SQL, etc.)—never one-size-fits-all.
• Prefer security libraries over manual encoding or escaping.
• Always decode/normalize input before validation and filtering.
• Audit legacy code for encoding mishandling—older code often misses Unicode and double-encoding risks.
• Test with edge-case payloads and fuzzers (e.g., mixed encodings, encoded slashes, null bytes).
• Educate your team—secure encoding is everyone’s job, not just security specialists.