Easy Catch-All Sanitizer

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

paqman
Forum Contributor
Posts: 125
Joined: Sun Nov 14, 2004 7:41 pm
Location: Burnaby, BC, Canada

Easy Catch-All Sanitizer

Post by paqman »

I'm aware of the need for sanitizing any user inputs through post and get - is there a good way to sanitize all the $_POST and $_GET variables, for example, at the start of each page by default? Or would it be a little more involved since some of the post variables might be arrays...? Or should I just give up on this and take the time to sanitize every post and get I use?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Easy Catch-All Sanitizer

Post by jackpf »

They did this - it's called magic quotes. And now it's removed in PHP 6 because it was a pile of smurf. :)

Presuming that you want all data escaped in the same way is a large (and usually WRONG) assumption.

I personally escape/validate stuff as I require it. Up to you though. But yeah, if you do decide to take the easy way, you might want to look into array_map() and array_walk() and stuff like that.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Easy Catch-All Sanitizer

Post by kaisellgren »

Input can be used for so many different purposes that there is no way to automatically make it cleansed. Data must be handled before it enters another context (e.g. a database) and after it has been used in the current context (a PHP script). After you have cleansed a variable, you may only push it to the output or discard it, you may not use it in the current context any longer (or you need to cleanse it again and that might corrupt some data).

Forget that "easy catch-all sanitizer", it only works in your wettest dreams. ;)
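An added example (not code from this thread) that builds the kind of recursive catch-all jackpf alludes to with array_walk() and then shows what kaisellgren means by a value being unusable in its own context once it has been cleansed for another one. The sanitizeAll() helper, samplePost() data and the validateName()/forHtml()/forJson() names are all made up for the demonstration:

```php
<?php
// Added example, not code from the thread. It builds the kind of recursive
// "catch-all" sanitizer the question asks about (array_walk_recursive plus
// htmlentities) and shows why a value cleansed for one context is no longer
// usable in another. All names and sample input are constructed.

declare(strict_types=1);

/** The tempting catch-all: HTML-escape every string in $_POST/$_GET, nested arrays included. */
function sanitizeAll(array $input): array
{
    array_walk_recursive($input, function (&$value): void {
        if (is_string($value)) {
            $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
        }
    });
    return $input;
}

/** Constructed stand-in for $_POST, with a nested array as the question mentions. */
function samplePost(): array
{
    return [
        'name' => "O'Reilly & Sons",
        'tags' => ['<b>bold</b>', 'plain'],
    ];
}

/** 1. After the catch-all, the value no longer equals what the user typed, so PHP-side logic breaks. */
function comparisonAfterCatchAll(): array
{
    $clean = sanitizeAll(samplePost());
    return [
        'stored'  => $clean['name'],                          // O&#039;Reilly &amp; Sons
        'matches' => $clean['name'] === "O'Reilly & Sons",    // false
        'length'  => strlen($clean['name']),                  // 24, not 15: a length check now lies
    ];
}

/** 2. The HTML sink still has to escape on output, so the pre-escaped value gets double-encoded. */
function doubleEncodedOutput(): string
{
    $clean = sanitizeAll(samplePost());
    // What any template does with every value it prints:
    return htmlspecialchars($clean['name'], ENT_QUOTES, 'UTF-8');
    // O&amp;#039;Reilly &amp;amp; Sons  (the browser shows the entities literally)
}

/** 3. The workable split: validate the raw value in PHP, then escape once, per sink. */
function validateName(string $name): string
{
    // Validation operates on the raw value, in the PHP context.
    if ($name === '' || mb_strlen($name) > 64) {
        throw new InvalidArgumentException('name must be 1..64 characters');
    }
    return $name; // still raw: not yet bound to any output context
}

/** HTML context: escape once, at the point of output. */
function forHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'); // O&#039;Reilly &amp; Sons
}

/** JSON/JavaScript context: a different encoding, with no HTML entities in it. */
function forJson(string $raw): string
{
    return json_encode($raw, JSON_THROW_ON_ERROR); // "O'Reilly & Sons"
}

var_export(comparisonAfterCatchAll());
echo PHP_EOL, doubleEncodedOutput(), PHP_EOL;
$raw = validateName(samplePost()['name']);
echo forHtml($raw), PHP_EOL;
echo forJson($raw), PHP_EOL;
```

The same raw value needs three different treatments (none, HTML, JSON) depending on where it goes next, which is why no single pass over $_POST can be right for all of them; a database sink would be a fourth, handled by a prepared statement rather than by any string transformation at all.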
paqman
Forum Contributor
Posts: 125
Joined: Sun Nov 14, 2004 7:41 pm
Location: Burnaby, BC, Canada

Re: Easy Catch-All Sanitizer

Post by paqman »

Alright, I've thrown that idea out. I've done some searching and found that htmlentities is good for output escaping, and mysql_real_escape_string is good for, obviously, escaping mysql queries. Most of what I found wouldn't go very far into what to do for securing, I'm guessing since it's such a big topic and I'm sure lots of people get paid a good chunk of change to do it. Are there any other functions that you would recommend for securing a site? If I'm sure to do something like $query = mysql_query(mysql_real_escape_string("The query")) any time there is user input, and do htmlentities anytime I'm printing out something which could have been influenced by the user, is that good enough?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Easy Catch-All Sanitizer

Post by kaisellgren »

paqman wrote: "Are there any other functions that you would recommend for securing a site?"
Maybe it would be better if you show us your application and let us point out problems in it. Security is a big topic and listing "functions that secure your site" is not an ideal approach.
paqman wrote: "If I'm sure to do something like $query = mysql_query(mysql_real_escape_string("The query")) any time there is user input"
Just to make sure, it's the user input you have to escape, not the entire query.
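An added example, not from the thread, of the difference kaisellgren is pointing at: escaping the whole query versus escaping only the user's value, next to the prepared-statement form. mysql_real_escape_string needs a live MySQL connection (and the whole mysql_* extension is gone since PHP 7; mysqli_real_escape_string or PDO take its place), so the example uses SQLite's SQLite3::escapeString as a stand-in; like the MySQL function it escapes the value and adds no surrounding quotes of its own. The table, rows, inputs and the naive()/wholeQueryEscaped()/valueEscaped()/prepared() names are constructed for the demonstration:

```php
<?php
// Added example, not code from the thread. SQLite3::escapeString stands in for
// mysql_real_escape_string so the script runs without a MySQL server. Table,
// rows and inputs are constructed.

declare(strict_types=1);

function openDb(): SQLite3
{
    $db = new SQLite3(':memory:');
    $db->enableExceptions(true);
    $db->exec('CREATE TABLE users (name TEXT NOT NULL)');
    foreach (['alice', 'bob', "O'Reilly"] as $n) {
        $stmt = $db->prepare('INSERT INTO users (name) VALUES (:n)');
        $stmt->bindValue(':n', $n, SQLITE3_TEXT);
        $stmt->execute();
    }
    return $db;
}

/** Runs $sql and returns the number of rows it matched, or null if it failed to parse. */
function countRows(SQLite3 $db, string $sql): ?int
{
    try {
        $res = $db->query($sql);
        $count = 0;
        while ($res->fetchArray(SQLITE3_ASSOC) !== false) {
            $count++;
        }
        return $count;
    } catch (Exception $e) {
        return null; // syntax error: the value has broken the statement
    }
}

/** Wrong: raw value in the SQL text. Breaks on O'Reilly; ' OR '1'='1 matches every row. */
function naive(SQLite3 $db, string $name): ?int
{
    return countRows($db, "SELECT name FROM users WHERE name = '$name'");
}

/** Also wrong, the shape paqman proposed: escaping the finished statement escapes the
 *  query's own quote delimiters too, so nothing parses, good input or bad. */
function wholeQueryEscaped(SQLite3 $db, string $name): ?int
{
    $sql = SQLite3::escapeString("SELECT name FROM users WHERE name = '$name'");
    return countRows($db, $sql);
}

/** What the reply means: escape only the user input, inside the quotes you wrote yourself. */
function valueEscaped(SQLite3 $db, string $name): ?int
{
    $safe = SQLite3::escapeString($name);
    return countRows($db, "SELECT name FROM users WHERE name = '$safe'");
}

/** Better: a prepared statement keeps the value out of the SQL text altogether. */
function prepared(SQLite3 $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $res = $stmt->execute();
    $count = 0;
    while ($res->fetchArray(SQLITE3_ASSOC) !== false) {
        $count++;
    }
    return $count;
}

function show(?int $c): string
{
    return $c === null ? 'error' : (string) $c;
}

$db = openDb();
foreach (["O'Reilly", "' OR '1'='1"] as $input) {
    printf(
        "%-14s naive=%s whole=%s value=%s prepared=%s\n",
        $input,
        show(naive($db, $input)),             // error / 3
        show(wholeQueryEscaped($db, $input)), // error / error
        show(valueEscaped($db, $input)),      // 1 / 0
        show(prepared($db, $input))           // 1 / 0
    );
}
```

The legitimate name shows that escaping is about correctness as much as security (the naive form cannot even store an O'Reilly), and the whole-query form fails for both inputs because the escaping function cannot tell the query's own quotes from the user's. Escaping only the value works, but it depends on every call site remembering to do it with the right function for the connection's character set; the prepared statement removes that dependency and is the form to prefer.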