ctype, null byte and UTF-8

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
phpnewbie_101
Forum Newbie
Posts: 5
Joined: Fri Jun 18, 2010 1:09 pm

ctype, null byte and UTF-8

Post by phpnewbie_101 »

Hi, great forum!

I am validating user input with ctype. However, I have read that underlying C libraries are vulnerable to null byte injection. I do not know if this is true or not of the PHP ctype library.

So my question is: given an arbitrary string of unknown encoding, how to I guarantee all the null bytes are removed before sending the string off to PHP functions like ctype? (and my corollary question is this even necessary).

Thank you.
User avatar
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas
Contact:

Re: ctype, null byte and UTF-8

Post by AbraCadaver »

Depending upon what you're doing, addslashes() will escape the nul byte, or to remove it:

Code: Select all

$var = str_replace("\0", "", $var);
You could also use chr(0).
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQLextension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
phpnewbie_101
Forum Newbie
Posts: 5
Joined: Fri Jun 18, 2010 1:09 pm

Re: ctype, null byte and UTF-8

Post by phpnewbie_101 »

Hi, thanks for the reply. So, that line of code will not corrupt UTF-8 strings?

Also I was reading about mb_string and stumbled on buffer overflow attacks on PHP 5.2.6. Debian Lenny's package is still behind. I was wondering your thoughts on this; I thought buffer overflows were gone way of the dodo and don't exist in interpreted languages but apparently not. Is it worth compiling my own PHP binary?

Is there a general best practices coding in PHP to always check the length of a string before passing the string to any extensions or (potentially) vulnerable functions?
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: ctype, null byte and UTF-8

Post by Apollo »

phpnewbie_101 wrote:Hi, thanks for the reply. So, that line of code will not corrupt UTF-8 strings?
No, null bytes cannot be part of multi-byte UTF-8 characters. Any null byte in a UTF-8 encoded string always represents one full character by itself, i.e. U+0000.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: ctype, null byte and UTF-8

Post by kaisellgren »

The latest version of PHP does not break on null bytes and I do not know whether any older version does. However, there are vulnerabilities in the PHP core every now and then, so, it is a very good idea to keep PHP up-to-date.
phpnewbie_101 wrote:I thought buffer overflows were gone way of the dodo and don't exist in interpreted languages but apparently not.
Buffer overflows do not exist in interpreted languages, but they may exist in the language parser itself (i.e. PHP). PHP is written in C, your PHP applications are written in PHP. Thus, your PHP applications are safe from buffer overflows, but PHP is not.
phpnewbie_101
Forum Newbie
Posts: 5
Joined: Fri Jun 18, 2010 1:09 pm

Re: ctype, null byte and UTF-8

Post by phpnewbie_101 »

Thanks. My final solution was to add the ubuntu repo to the Debian sources.list and just download the latest PHP.

Also I'm continuing to remove null bytes, at least until I figure out how to use ESAPI.
Post Reply