security holes in a few php functions
Posted: Fri Jul 30, 2010 2:52 pm
by shawngoldw
I was wondering if there were any known holes in any of the following functions:
ctype_alnum()
ctype_alpha()
is_numeric()
I'm talking security holes in the sense that I am taking form data and using these functions to make sure that no malicious input was used, only characters which I expect. Potentially, can someone submit hex codes or some other encoding and get through these filters and have their malicious input injected into mysql or the page?
Thanks,
Shawn
Re: security holes in a few php functions
Posted: Thu Aug 05, 2010 6:12 pm
by superdezign
Depends on what you do with the data after you check its validity with these functions. But if you are asking if these functions return false positives, then the answer is no.
Re: security holes in a few php functions
Posted: Fri Aug 06, 2010 1:44 am
by Mordred
You must always properly escape what you put in a SQL query.
Do not rely on ANY validation functions. Validation is part of the business logic; the DB layer should escape.
These three may pass data that one would not normally (i.e. without having read the manual carefully) expect them to. The first two are locale dependent, they may return WHATEVER as valid. The third will validate things like 0xABCD, 1e36, 40.123, 0987 which may or may not be "numeric" according to the database layer.
In short, use these for validation (optional). Do not use them instead of escaping.
[quote=superdezign]But if you are asking if these functions return false positives, then the answer is no.[/quote]
While technically this is true (yes, the functions work as defined), the results are not consistent with what many programmers expect, and most importantly the results are not consistent with what the database expects!
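Added example, not part of the thread: it prints what `is_numeric()` says about the input forms named in the post above next to a stricter integer check, then binds the accepted value through a prepared statement. Results for some inputs depend on the PHP version (hex strings stopped counting as numeric in PHP 7.0, trailing whitespace is accepted from PHP 8.0). The `parse_user_id()` helper, the `users` table and the sample inputs are constructed for illustration, and an in-memory SQLite database (requires the pdo_sqlite extension) stands in for MySQL so the script runs offline.

```php
<?php
// Added example: constructed inputs, hypothetical helper and table names.
declare(strict_types=1);

// Constructed sample inputs, including the forms named in the post above.
$samples = ['42', '0987', '40.123', '1e36', '0xABCD', ' 7', '+5', '.5', "1' OR '1'='1"];

/**
 * Hypothetical strict check: accept only a canonical unsigned decimal integer
 * of at most 9 digits (fits a signed 32-bit INT column), rather than
 * everything is_numeric() considers numeric.
 */
function parse_user_id(string $raw): ?int
{
    // \A and \z anchor the whole string; "$" alone would allow a trailing newline.
    if (preg_match('/\A(?:0|[1-9][0-9]{0,8})\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Side-by-side view of the two checks for each input.
foreach ($samples as $s) {
    printf("%-18s is_numeric=%-5s strict=%s\n",
        var_export($s, true),
        var_export(is_numeric($s), true),
        var_export(parse_user_id($s), true));
}

// The DB layer binds parameters regardless of what validation decided.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (42, 'shawn'), (7, 'other')");

$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
foreach ($samples as $s) {
    $id = parse_user_id($s);
    if ($id === null) {
        continue; // business-logic rejection, separate from escaping
    }
    // The value travels as a bound integer and is never concatenated into the SQL text.
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    var_dump($stmt->fetchColumn());
}
```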
Re: security holes in a few php functions
Posted: Mon Aug 09, 2010 1:36 pm
by shawngoldw
Thanks, I was really asking about false positives, but as usual Mordred's input is useful.