Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Well, I'm designing a PHP project. I'm looking for ways to make sure I can secure it. It will be open-sourced, so I decided on creating a class to hold functions that will sanitize user input, validate e-mails, etc. Hopefully I want another programmer to be able to do something like this:
Then the code would be completely safe to use for SQL, input, etc. I know it's not possible to get 100% security, but I want to try. So, I'm wondering, what can (should) be done to sanitize an input value with one function? I have thought of using functions such as:
htmlspecialchars()
trim()
If anyone has any thoughts or suggestions, I would love to hear them.
Thanks,
Sphen001
Last edited by Sphen001 on Tue Jul 12, 2005 9:17 pm, edited 1 time in total.
If you are validating user input for an sql query, mysql_real_escape_string($var) is all you need... except, of course, if you need to remove the html characters, etc. However, to prevent SQL injection, mysql_real_escape_string is all you need.
Sphen001 wrote:
I just put the functions in a class in order to keep them together. It's not written down in stone.
Oh, I understand. I'm the same way - but when I found I could call methods / functions without creating an instance of a class, I jumped on it. Less variables to juggle.
Very true. And when you're designing a large scale app, it's good to keep the usage to a minimum.
Not to press, but can you think of any functions that should be run when validating input? The earlier I can create these functions, the earlier I can close up holes in my app.
There are things like handling magic quotes, parsing all "user"-sent data such as $_POST, $_GET, $_FILES, $_COOKIE, some of $_SERVER... there's form validation that could be done, variable set-up... the list goes on and on. There's choosing whether to pre-parse all the data for a specific use, or parsing on demand when switching modes/code paths/whatever...
If it's for a "select" query, then as long as the data is properly escaped with mysql_real_escape_string(), then that is all the validating you need.
For insert / update (Like, a client choosing his username), you would want to strip html tags, run mysql_real_escape_string... and trim(). I can't think of any others at the moment.
Escaping % when you are using a LIKE option in SQL is also a good idea. Swapping repeated whitespace characters in usernames and such is often a good idea... along with filtering the input, validating, and verifying all form data.
Something a lot of people forget is that dropdowns can be fiddled with too... so don't assume only "valid" values are coming in.
The main thing I'm concerned about is, as you say, SQL Injection and Form Injection. I'll look at making a few functions that combine some of them into one.
The reason for that, as I stated above, is that other developers may be adding to this code. Therefore, by giving them only one function they have to run, the code will still be (mostly) safe, even if they don't know a lot about security.
The Monkey wrote: Depends on what you are validating...
If it's for a "select" query, then as long as the data is properly escaped with mysql_real_escape_string(), then that is all the validating you need.
For insert / update (Like, a client choosing his username), you would want to strip html tags, run mysql_real_escape_string... and trim(). I can't think of any others at the moment.
I kind of disagree with you. Only using mysql_real_escape_string() is not all the validating you need. It helps to avoid injection, but without properly validating the data against a positive list you are open to other trouble. E.g. if you have a members area where different kinds of members can access, you might need to check that member1 can only get value 1 and member2 only value 2. Just checking for injection will not be sufficient, as member1 could fiddle with the value and get the data of member2.
Well, I'm designing a PHP project. I'm looking for ways to make sure I can secure it. It will be open-sourced, so I decided on creating a class to hold functions that will sanitize user input, validate e-mails, etc. Hopefully I want another programmer to be able to do something like this:
Then the code would be completely safe to use for SQL, input, etc. I know it's not possible to get 100% security, but I want to try. So, I'm wondering, what can (should) be done to sanitize an input value with one function? I have thought of using functions such as:
htmlspecialchars()
trim()
If anyone has any thoughts or suggestions, I would love to hear them.
I think it's pretty important to distinguish between filtering and escaping. You seem to be considering these separate activities as one.
Filtering is the method by which you inspect data to be sure that it is valid. A whitelist approach is the safest, which is to assume data to be invalid unless it can be proven valid. The process of filtering should not modify the data.
It's difficult to create a sanitize() function or method that is universal. The filtering rules must be very specific to the data being filtered. For example, a last name should be subject to different filtering rules than a mailing address. Trying to come up with rules that apply to all data is going to necessarily be a weaker and more insecure approach.
Escaping is the method by which you escape specific characters that have a special meaning in the system for which the data is destined. The best examples of this are htmlentities() for escaping data to be sent to the client and mysql_real_escape_string() for data to be sent to a MySQL database.
The rules to follow are to filter input and escape output. Input is defined as any data that originates from any external system (not just the user), and output is defined as any data that is destined for any external system (not just the user).
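Added example, not code posted in this thread: it puts the "filter input, escape output" rule above, the positive-list/ownership point from the earlier reply, and the LIKE-wildcard remark into one PHP request handler. It assumes a `$mysqli` connection and a `$_SESSION['member_id']` set at login, and uses a mysqli prepared statement where the thread would have called mysql_real_escape_string() (ext/mysql no longer exists in PHP 7 and later).

```php
<?php
// Added example, not from the thread. Filter input against a positive list, check the
// caller may see the requested row, then escape at output for each destination.
// Assumes $mysqli is an open mysqli connection and $_SESSION['member_id'] is set at login.
// Filtering inspects and never modifies: true only when the value is proven valid.
function isValidUsername(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $value) === 1; // positive list
}
function isValidMemberId(string $value): bool
{
    return ctype_digit($value) && $value[0] !== '0';
}
// Authorization: escaping cannot stop member1 from asking for member2's row.
function canAccessMember(int $sessionMemberId, int $requestedId): bool
{
    return $sessionMemberId === $requestedId;
}
// Escaping is per destination, applied where the data leaves the application.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function escapeLike(string $value): string
{
    // SQL string escaping leaves the LIKE wildcards % and _ untouched.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

$requestedId = $_GET['id'] ?? '';
if (!isValidMemberId($requestedId)
    || !canAccessMember((int) $_SESSION['member_id'], (int) $requestedId)) {
    http_response_code(403);
    exit('Forbidden');
}
$prefix = trim($_GET['q'] ?? ''); // trim() is normalisation before filtering, not a security step
if (!isValidUsername($prefix)) {
    http_response_code(400);
    exit('Bad search term');
}
// SQL: the prepared statement sends values separately from the query text, so no
// string escaping of the values is needed; only the LIKE wildcards still need care.
$stmt = $mysqli->prepare('SELECT username FROM members WHERE id = ? AND username LIKE ?');
$id = (int) $requestedId;
$pattern = escapeLike($prefix) . '%';
$stmt->bind_param('is', $id, $pattern);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
echo '<p>' . escapeHtml($row['username'] ?? '') . '</p>';
```

Note that the filters return booleans and never alter the value, while escapeHtml() and escapeLike() are only called at the point where the data is handed to the browser or the database.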
I guess what I should do is create different functions for different types of circumstances. What I was looking at in my first post however, was a way to do a general clean up of all data. That's where stuff like htmlspecialchars() and trim() come into play.