[SOLVED] Question - How to secure your site.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Sphen001
Forum Contributor
Posts: 107
Joined: Thu Mar 10, 2005 12:24 pm
Location: Land of the Beaver

[SOLVED] Question - How to secure your site.

Post by Sphen001 »

Hi,

Well, I'm designing a PHP project. I'm looking for ways to make sure I can secure it. It will be opensourced, so I decided on creating a class to hold functions that will sanitize user input, validate e-mails, etc. Hopefully I want another programmer to be able to do something like this:

Code:

$validate->sanitize($_POST['Some_data']);
Then the code would be completely safe to use for SQL, input, etc. I know it's not possible to get 100% security, but I want to try? So, I'm wondering, what can (should) be done to sanitize an input value with one function? I have thought of using functions such as:

htmlspecialchars()
trim()

If anyone has any thoughts or suggestions, I would love to hear them.

Thanks,

Sphen001
Last edited by Sphen001 on Tue Jul 12, 2005 9:17 pm, edited 1 time in total.
The Monkey
Forum Contributor
Posts: 168
Joined: Tue Mar 09, 2004 9:05 am
Location: Arkansas, USA

Post by The Monkey »

If you are validating user input for an sql query, mysql_real_escape_string($var) is all you need... except, of course, if you need to remove the html characters, etc. However, to prevent SQL injection, mysql_real_escape_string is all you need.

- Monkey
Sphen001
Forum Contributor
Posts: 107
Joined: Thu Mar 10, 2005 12:24 pm
Location: Land of the Beaver

Post by Sphen001 »

Hi,

Thanks for your reply.

Basically, I want to be able to validate any type of input.

So, following your suggestion, I could have a class that looks something like this:

Code:

<?php
class validate
{
    // Escape a value for use inside a quoted MySQL string literal.
    // mysql_real_escape_string() needs an open mysql_connect() link (PHP 5 era ext/mysql).
    function sanitize_sql($var)
    {
        return mysql_real_escape_string($var);
    }
}
However, I would want some other functions to validate form input. This is where htmlspecialchars() and trim() come in.

Can you think of any I've missed? Optimally, one function call could completely validate a form input and make it safe for use.

Thanks,

Sphen001
The Monkey
Forum Contributor
Posts: 168
Joined: Tue Mar 09, 2004 9:05 am
Location: Arkansas, USA

Post by The Monkey »

I wouldn't be too hasty to make it a class - I know they look cool, but they can just cause problems / extra steps with little benefit.

If you really want to have all of your validation functions in a class, I would make it a static class. Thus:

Code:

class validate
{
    // Declared static so it can be called as validate::sanitize_sql() without an instance.
    public static function sanitize_sql($string)
    {
        // Escapes quotes, backslashes and NUL for a quoted MySQL string literal;
        // requires an open mysql_connect() link (PHP 5 era ext/mysql).
        return mysql_real_escape_string($string);
    }
}

$some_stupid_user_input = $_GET['blah'];

// The escaped value must sit inside the single quotes for the escaping to do its job.
$sql = "SELECT * FROM foo WHERE blah = '" . validate::sanitize_sql($some_stupid_user_input) . "'";

$result = mysql_query($sql);
Basically, you call the methods via class::method() instead of $class->method().

- Monkey
Sphen001
Forum Contributor
Posts: 107
Joined: Thu Mar 10, 2005 12:24 pm
Location: Land of the Beaver

Post by Sphen001 »

Hi,

Thanks.

I just put the functions in a class in order to keep them together. It's not written down in stone.

Sphen001
The Monkey
Forum Contributor
Posts: 168
Joined: Tue Mar 09, 2004 9:05 am
Location: Arkansas, USA

Post by The Monkey »

Sphen001 wrote: I just put the functions in a class in order to keep them together. It's not written down in stone.
Oh, I understand. I'm the same way - but when I found I could call methods / functions without creating an instance of a class, I jumped on it. Less variables to juggle.
Sphen001
Forum Contributor
Posts: 107
Joined: Thu Mar 10, 2005 12:24 pm
Location: Land of the Beaver

Post by Sphen001 »

The Monkey wrote:Less variables to juggle.
Very true. And when you're designing a large scale app, it's good to keep the usage to a minimum.

Not to press, but can you think of any functions that should be run when validating input? The earlier I can create these functions, the earlier I can close up holes in my app.

Thanks,

Sphen001
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

There are things like handling magic quotes, parsing all "user" sent data such as $_POST, $_GET, $_FILES, $_COOKIE, some of $_SERVER... there's form validation that could be done, variable setup... the list goes on and on. There's choosing whether to pre-parse all the data for a specific use, or parsing on demand when switching modes/code paths/whatever...
The Monkey
Forum Contributor
Posts: 168
Joined: Tue Mar 09, 2004 9:05 am
Location: Arkansas, USA

Post by The Monkey »

Depends on what you are validating...

If it's for a "select" query, then as long as the data is properly escaped with mysql_real_escape_string(), then that is all the validating you need.

For insert / update (Like, a client choosing his username), you would want to strip html tags, run mysql_real_escape_string... and trim(). I can't think of any others at the moment.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Escaping % when you are using a LIKE option in SQL is also a good idea. Swapping repeated whitespace characters in usernames and such is often a good idea... along with filtering the input, validating, and verifying all form data.

Something a lot of people forget is dropdowns can be fiddled with too... so don't assume only "valid" values are coming in.
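The three points feyd raises above (LIKE wildcards, repeated whitespace, tampered dropdowns) as an added example. This is not code from the thread or from any poster; the function names, the sample input standing in for $_POST and the country list are assumptions chosen for the demonstration. It targets PHP 7 or later.

```php
<?php
// Added example (not from the thread). Escapes LIKE wildcards, normalises
// whitespace in a username, and checks a dropdown value against a whitelist.

/**
 * Escape the characters LIKE treats specially (% and _) plus the escape
 * character itself, so user input is matched literally.  Use together with a
 * bound parameter and an explicit ESCAPE clause, e.g.
 *   WHERE name LIKE :pattern ESCAPE '\'
 * The escape character is replaced first so later replacements are not
 * escaped twice.
 */
function escapeLike(string $input, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $input
    );
}

/**
 * Collapse runs of whitespace into a single space and trim the ends, so that
 * "john   smith" and "john smith" cannot register as two different usernames.
 */
function normalizeWhitespace(string $input): string
{
    return trim(preg_replace('/\s+/u', ' ', $input));
}

/**
 * A dropdown value must be one of the options the form actually offered.
 * Compare strictly and reject anything else; the browser does not enforce
 * the choice for you.
 */
function isAllowedOption(string $value, array $allowed): bool
{
    return in_array($value, $allowed, true);
}

// Constructed sample input standing in for $_POST (assumed field names).
$post = [
    'search'   => '50%_off',
    'username' => "  john \t\t smith  ",
    'country'  => 'XX',   // not offered by the form: a tampered dropdown
];
$countries = ['US', 'CA', 'GB'];   // the options the form actually offered

var_dump(escapeLike($post['search']));                   // "50\%\_off"
var_dump(normalizeWhitespace($post['username']));        // "john smith"
var_dump(isAllowedOption($post['country'], $countries)); // false
```

The LIKE pattern is then built as `'%' . escapeLike($term) . '%'` and passed as a bound parameter; without escapeLike(), a search term of `%` alone would match every row.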
Sphen001
Forum Contributor
Posts: 107
Joined: Thu Mar 10, 2005 12:24 pm
Location: Land of the Beaver

Post by Sphen001 »

Wow, thanks for all the replies.

The main thing I'm concerned about is, as you say, SQL Injection and Form Injection. I'll look at making a few functions that combine some of them into one.

The reason for that, as I stated above, is that other developers may be adding to this code. Therefore, by giving them only one function they have to run, the code will still be (mostly) safe, even if they don't know a lot about security.

Thanks a lot.

Sphen001
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

The Monkey wrote:Depends on what you are validating...

If it's for a "select" query, then as long as the data is properly escaped with mysql_real_escape_string(), then that is all the validating you need.

For insert / update (Like, a client choosing his username), you would want to strip html tags, run mysql_real_escape_string... and trim(). I can't think of any others at the moment.
I kind of disagree with you. Only using mysql_real_escape_string() is not all the validating you need. It helps to avoid injection, but without properly validating the data against a positive list you are open to other trouble. E.g. if you got a members area where different kinds of members can access, you might need to check that member1 can only get value 1 and member2 only value 2. Just checking for injection will not be sufficient, as member1 could fiddle with the value and get the data of member2.
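AGISB's point, as an added example that is not from the thread: a record id can be perfectly escaped (even a plain integer) and still belong to somebody else, so the lookup must be scoped to the identity the session established. The table, columns and sample rows are constructed for the demonstration; the in-memory SQLite database only stands in for the members' database.

```php
<?php
// Added example (not from the thread). Escaping stops injection; it does not
// stop member 1 from asking for member 2's record.  The owner comes from the
// session and is part of the query, so a foreign id simply finds nothing.

function fetchOwnRecord(PDO $db, int $requestedId, int $sessionMemberId): ?array
{
    // Both values are bound parameters (no injection), and the owner is
    // taken from the session, never from the request.
    $stmt = $db->prepare(
        'SELECT id, member_id, body FROM records WHERE id = :id AND member_id = :member'
    );
    $stmt->execute([':id' => $requestedId, ':member' => $sessionMemberId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data: an in-memory SQLite database with one record per member.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, member_id INTEGER, body TEXT)');
$db->exec("INSERT INTO records VALUES (1, 1, 'member one data'), (2, 2, 'member two data')");

$sessionMemberId = 1;        // who is logged in, from the session
$requested       = (int) '2'; // what the request asked for, e.g. $_GET['id']

var_dump(fetchOwnRecord($db, 1, $sessionMemberId) !== null); // bool(true): own record
var_dump(fetchOwnRecord($db, $requested, $sessionMemberId)); // NULL: not this member's
```

The cast to int is the "escaping" step and it is genuinely sufficient against injection here; the second query shows why it is not sufficient on its own.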
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Re: Question - How to secure your site.

Post by shiflett »

Sphen001 wrote: Well, I'm designing a PHP project. I'm looking for ways to make sure I can secure it. It will be opensourced, so I decided on creating a class to hold functions that will sanitize user input, validate e-mails, etc. Hopefully I want another programmer to be able to do something like this:

Code:

$validate->sanitize($_POST['Some_data']);
Then the code would be completely safe to use for SQL, input, etc. I know it's not possible to get 100% security, but I want to try? So, I'm wondering, what can (should) be done to sanitize an input value with one function? I have thought of using functions such as:

htmlspecialchars()
trim()

If anyone has any thoughts or suggestions, I would love to hear them.
I think it's pretty important to distinguish between filtering and escaping. You seem to be considering these separate activities as one.

Filtering is the method by which you inspect data to be sure that it is valid. A whitelist approach is the safest, which is to assume data to be invalid unless it can be proven valid. The process of filtering should not modify the data.

It's difficult to create a sanitize() function or method that is universal. The filtering rules must be very specific to the data being filtered. For example, a last name should be subject to different filtering rules than a mailing address. Trying to come up with rules that apply to all data is going to necessarily be a weaker and more insecure approach.

Escaping is the method by which you escape specific characters that have a special meaning in the system for which the data is destined. The best examples of this are htmlentities() for escaping data to be sent to the client and mysql_real_escape_string() for data to be sent to a MySQL database.

The rules to follow are to filter input and escape output. Input is defined as any data that originates from any external system (not just the user), and output is defined as any data that is destined for any external system (not just the user).

Hope that helps.
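The filter/escape split shiflett describes, as an added example. It is not code from the thread or from the poster; the field names, the last-name rule, the table and the sample submissions are assumptions made for the demonstration. Bound parameters stand in for mysql_real_escape_string() as the SQL-side escaping, since ext/mysql no longer exists in current PHP.

```php
<?php
// Added example (not from the thread): filtering and escaping kept as two
// separate steps.  Field names, the regular expression and the table are
// assumptions chosen for the demonstration.

// --- Filtering: inspect, answer yes/no, never modify -----------------------

// A last name: letters from any script, spaces, apostrophes and hyphens,
// 1 to 64 characters.  A mailing address would get a different rule.
function isValidLastName(string $value): bool
{
    return preg_match('/^[\p{L}\' -]{1,64}$/u', $value) === 1;
}

function isValidEmail(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the names of the fields that failed; an empty array means accept.
function filterRegistration(array $input): array
{
    $errors = [];
    if (!isValidLastName($input['last_name'] ?? '')) {
        $errors[] = 'last_name';
    }
    if (!isValidEmail($input['email'] ?? '')) {
        $errors[] = 'email';
    }
    return $errors;
}

// --- Escaping: at the point of output, specific to the destination ---------

// Destination HTML: ENT_QUOTES so the value is also safe inside attributes.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Destination SQL: a bound parameter lets the driver do the escaping.  This
// is the modern replacement for mysql_real_escape_string(), removed in PHP 7.
function insertMember(PDO $db, string $lastName, string $email): int
{
    $stmt = $db->prepare('INSERT INTO members (last_name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $lastName, ':email' => $email]);
    return (int) $db->lastInsertId();
}

// Constructed sample submissions standing in for $_POST.
$bad  = ['last_name' => "O'Brien <b>", 'email' => 'not an address'];
$good = ['last_name' => "O'Brien",     'email' => 'obrien@example.com'];

var_dump(filterRegistration($bad));  // ["last_name", "email"]: reject, do not "clean up"
var_dump(filterRegistration($good)); // []

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)');

if (filterRegistration($good) === []) {
    $id = insertMember($db, $good['last_name'], $good['email']);
    // The stored value is the original, unmodified "O'Brien"; the apostrophe
    // is escaped only here, because this output is destined for an HTML page.
    echo 'Welcome, ' . escapeHtml($good['last_name']) . ' (#' . $id . ')', PHP_EOL;
    // Welcome, O&#039;Brien (#1)
}
```

Note that the same name is stored verbatim and escaped differently for each destination: the database receives it through a bound parameter, the browser receives `&#039;`. A single sanitize() that applied htmlspecialchars() before storage would corrupt the stored name and still leave the SQL side to the caller.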
Sphen001
Forum Contributor
Posts: 107
Joined: Thu Mar 10, 2005 12:24 pm
Location: Land of the Beaver

Post by Sphen001 »

Wow, that really helps.

I guess what I should do is create different functions for different types of circumstances. What I was looking at in my first post however, was a way to do a general clean up of all data. That's where stuff like htmlspecialchars() and trim() come into play.

Thanks a lot :D

Sphen