Protecting against client attack without MySQL present?
Posted: Sun Jul 05, 2009 9:01 pm
I've been redoing my site's PHP preference class, and since it doesn't directly interact with MySQL, PHP doesn't seem to allow me to use mysql_real_escape_string. I'm trying to avoid an elongated attack like... having $_POST set to $_SESSION, and since I can't set mysql_real_escape_string in one place, it would later open up a security hole if I continued to not use mysql_real_escape_string on $_SESSION. Right now I don't have anything live susceptible to this, and I've been tracking down $_SESSION on the version of my site I'm working on right now for the just-in-case scenario. However, as far as the forum thread is concerned, I'm wondering how to protect against this kind of scenario up front (in the PHP class) versus only relying on it when I have PHP execute a MySQL query?
Here is what I've coded today which will eventually morph in to the new version of the PHP preferences class...
*EDIT* - After doing a thorough search I found all $_SESSION variables use mysql_real_escape_string before the data is put into a MySQL query.
<?php
// Assumes session_start() has already been called elsewhere in the class,
// otherwise $_SESSION is never populated.
// Default preference values; each key also becomes a variable name below.
$default = array(
'audio'=>'0',
'broadbandimages'=>'0',
'checkbox'=>'0',
'columns'=>'1',
'connection'=>'0',
'css3'=>'0',
'csspatch'=>'1',
'cursors'=>'0',
'dhtmleffects'=>'0',
'dtd'=>'1',
'initialfocus'=>'search_query',
'keyboardlayout'=>'developer',
'mediatype'=>'ns',
'pagination'=>'form',
'personality'=>'0',
'powerkeys'=>'0',
'sidebar'=>'20',
'sounds'=>'0',
'theme'=>'classic'
);
$c = count($default);
$i = 0;
$cookie_value = '';
// Resolve every preference and rebuild the 'settings' cookie as
// type.value pairs joined with '_'. The loop variable is $value rather
// than $default so the defaults array is not overwritten mid-loop.
foreach($default as $type=>$value)
{
$$type = client($type, $value);
$i++;
$cookie_value .= $type.'.'.$$type;
if ($c!=$i) {$cookie_value .= '_';}
}
// Precedence: GET, then POST, then session, then cookie, then the default.
// mysql_real_escape_string() needs an open MySQL link; with no connection it
// raises a warning and returns false, which is the problem described above.
function client($type, $default)
{
if (isset($_GET[$type])) {return mysql_real_escape_string($_GET[$type]);}
else if (isset($_POST[$type])) {return mysql_real_escape_string($_POST[$type]);}
else if (isset($_SESSION[$type])) {return $_SESSION[$type];}
else if (isset($_COOKIE['settings']))
{
$pieces = explode('_', $_COOKIE['settings']);
foreach($pieces as $piece)
{
// Limit to two parts and skip pieces without a '.' so a malformed cookie
// does not trigger an undefined-index notice.
$pair = explode('.', $piece, 2);
if (count($pair)==2 && $pair[0]==$type && $pair[1] != '') {return mysql_real_escape_string($pair[1]);}
}
return $default; // no matching piece found in the cookie
}
else {return $default;}
}
if (!headers_sent()) {setcookie('settings',$cookie_value,time()+2592000,'/'); echo '<p>ok now echo stuff!</p>';}
echo '<br /><br />'."\n".'<div>$audio = '.$audio.'</div>'."\n";
echo '<div>$broadbandimages = '.$broadbandimages.'</div>'."\n";
echo '<div>$checkbox = '.$checkbox.'</div>'."\n";
echo '<div>$columns = '.$columns.'</div>'."\n";
echo '<div>$connection = '.$connection.'</div>'."\n";
echo '<div>$css3 = '.$css3.'</div>'."\n";
echo '<div>$csspatch = '.$csspatch.'</div>'."\n";
echo '<div>$cursors = '.$cursors.'</div>'."\n";
echo '<div>$dhtmleffects = '.$dhtmleffects.'</div>'."\n";
echo '<div>$dtd = '.$dtd.'</div>'."\n";
echo '<div>$initialfocus = '.$initialfocus.'</div>'."\n";
echo '<div>$keyboardlayout = '.$keyboardlayout.'</div>'."\n";
echo '<div>$mediatype = '.$mediatype.'</div>'."\n";
echo '<div>$pagination = '.$pagination.'</div>'."\n";
echo '<div>$personality = '.$personality.'</div>'."\n";
echo '<div>$powerkeys = '.$powerkeys.'</div>'."\n";
echo '<div>$sidebar = '.$sidebar.'</div>'."\n";
echo '<div>$sounds = '.$sounds.'</div>'."\n";
echo '<div>$theme = '.$theme.'</div>'."\n";
echo '<br /><br />'.$cookie_value;
?>
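An added example (not the poster's code, and not part of the original thread) showing the approach this question is circling: a preference only ever holds a value from a known set, so the place to defend it is at the input boundary, by validating each value against what that preference may legitimately contain, while SQL escaping is left to a prepared statement at the moment a query is run. Once only validated values reach $_SESSION or the cookie, it no longer matters that escaping was not applied when they were stored. The allowed-value lists, the extra 'standard' and 'modern' entries, the sidebar range, the 'preferences' table and the PDO handle are all assumptions made for illustration; the cookie format and the GET/POST/session/cookie precedence are the ones from the post. One deliberate difference from the posted client() function: a source that supplies an invalid value is skipped rather than winning, so the next source (or the default) is used instead.

```php
<?php
// Added example, not the poster's class. Allowed values per preference key are
// assumed from the defaults in the post; the second entries ('standard',
// 'modern') and the sidebar range 1..50 are placeholders.
$allowed = array(
    'audio'          => array('0', '1'),
    'columns'        => array('1', '2', '3'),
    'initialfocus'   => '/^[a-z_]{1,32}$/',           // a form field name, not an enumeration
    'keyboardlayout' => array('developer', 'standard'),
    'sidebar'        => '/^(?:[1-9]|[1-4][0-9]|50)$/', // whole number 1..50
    'theme'          => array('classic', 'modern'),
);
$defaults = array(
    'audio' => '0', 'columns' => '1', 'initialfocus' => 'search_query',
    'keyboardlayout' => 'developer', 'sidebar' => '20', 'theme' => 'classic',
);

// Returns $candidate when it is acceptable for $key, otherwise null.
function validatePreference($key, $candidate, array $allowed)
{
    if (!is_string($candidate) || !isset($allowed[$key])) {
        return null;
    }
    $rule = $allowed[$key];
    if (is_array($rule)) {
        return in_array($candidate, $rule, true) ? $candidate : null;
    }
    return preg_match($rule, $candidate) === 1 ? $candidate : null;
}

// Parses the "key.value_key.value" cookie format from the post into an array,
// dropping malformed pieces. Only the structure is trusted here; every value
// still has to pass validatePreference().
function parseSettingsCookie($raw)
{
    $out = array();
    foreach (explode('_', (string) $raw) as $piece) {
        $pair = explode('.', $piece, 2);
        if (count($pair) === 2 && $pair[0] !== '' && $pair[1] !== '') {
            $out[$pair[0]] = $pair[1];
        }
    }
    return $out;
}

// Resolves each preference with the post's precedence (GET, POST, session,
// cookie, default); a source only wins if its value validates. The result is
// safe to put in $_SESSION or a cookie because it can only hold allowed values.
function resolvePreferences(array $defaults, array $allowed, array $get, array $post, array $session, $cookieRaw)
{
    $cookie = parseSettingsCookie($cookieRaw);
    $resolved = array();
    foreach ($defaults as $key => $fallback) {
        $value = null;
        foreach (array($get, $post, $session, $cookie) as $source) {
            if (isset($source[$key])) {
                $value = validatePreference($key, $source[$key], $allowed);
                if ($value !== null) {
                    break;
                }
            }
        }
        $resolved[$key] = ($value === null) ? $fallback : $value;
    }
    return $resolved;
}

// Rebuilds the cookie string in the post's format from validated values.
function buildSettingsCookie(array $prefs)
{
    $pieces = array();
    foreach ($prefs as $key => $value) {
        $pieces[] = $key . '.' . $value;
    }
    return implode('_', $pieces);
}

// Persisting to MySQL: a prepared statement sends the values separately from
// the SQL text, so no escaping call is needed at storage time. The table
// layout is a placeholder; $db is an already-open PDO connection.
function savePreferences(PDO $db, $userId, array $prefs)
{
    $stmt = $db->prepare(
        'INSERT INTO preferences (user_id, pref_key, pref_value) VALUES (:uid, :k, :v)'
        . ' ON DUPLICATE KEY UPDATE pref_value = VALUES(pref_value)'
    );
    foreach ($prefs as $key => $value) {
        $stmt->execute(array(':uid' => $userId, ':k' => $key, ':v' => $value));
    }
}

// Constructed sample request: a GET value with a stray quote, a valid session
// value, and a cookie containing one good piece, one malformed piece and one
// out-of-range value.
$prefs = resolvePreferences(
    $defaults, $allowed,
    array('theme' => "classic'"),   // rejected: not an allowed theme, default used
    array(),
    array('columns' => '2'),        // accepted from the session
    'audio.1_garbage_sidebar.999'   // 'audio' accepted, 'garbage' dropped, 'sidebar' rejected
);
echo buildSettingsCookie($prefs), "\n";
// audio.1_columns.2_initialfocus.search_query_keyboardlayout.developer_sidebar.20_theme.classic
```

Because validatePreference() is the single chokepoint, a value that reaches $_SESSION, the cookie or savePreferences() is already constrained to the allowed set, and the query itself is protected by the placeholder binding regardless of where the value came from. If a preference genuinely needs free-form text, it should get its own length and character rule in $allowed rather than being passed through unchecked.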