[SOLVED] Question - How to secure your site.
Posted: Thu Mar 10, 2005 8:35 pm
by Sphen001
Hi,
Well, I'm designing a PHP project. I'm looking for ways to make sure I can secure it. It will be open-sourced, so I decided on creating a class to hold functions that will sanitize user input, validate e-mails, etc. Hopefully, I want another programmer to be able to do something like this:
Code:
$validate->sanitize($_POST['Some_data']);
Then the code would be completely safe to use for SQL, input, etc. I know it's not possible to get 100% security, but I want to try. So, I'm wondering, what can (should) be done to sanitize an input value with one function? I have thought of using functions such as:
htmlspecialchars()
trim()
If anyone has any thoughts or suggestions, I would love to hear them.
Thanks,
Sphen001
Posted: Thu Mar 10, 2005 8:39 pm
by The Monkey
If you are validating user input for an sql query, mysql_real_escape_string($var) is all you need... except, of course, if you need to remove the html characters, etc. However, to prevent SQL injection, mysql_real_escape_string is all you need.
- Monkey
Posted: Thu Mar 10, 2005 8:43 pm
by Sphen001
Hi,
Thanks for your reply.
Basically, I want to be able to validate any type of input.
So, following your suggestion, I could have a class that looks something like this:
Code:
<?php
class validate
{
    // Escapes a value for use inside a quoted MySQL string literal.
    // Requires an open mysql connection (mysql_connect) beforehand.
    function sanitize_sql($var)
    {
        return mysql_real_escape_string($var);
    }
}
However, I would want some other functions to validate form input. This is where htmlspecialchars() and trim() come in.
Can you think of any I've missed? Optimally, one function call could completely validate a form input and make it safe for use.
Thanks,
Sphen001
Posted: Thu Mar 10, 2005 8:57 pm
by The Monkey
I wouldn't be too hasty to make it a class - I know they look cool, but they can just cause problems / extra steps with little benefit.
If you really want to have all of your validation functions in a class, I would make it a static class. Thus:
Code:
class validate
{
    // Declared static so it can be called as validate::sanitize_sql()
    // without creating an instance. Requires an open mysql connection.
    static function sanitize_sql($string)
    {
        return mysql_real_escape_string($string);
    }
}
$some_stupid_user_input = $_GET['blah'];
$sql = "SELECT * FROM foo WHERE blah = '" . validate::sanitize_sql($some_stupid_user_input) . "'";
$result = mysql_query($sql);
Basically, you call the methods via class::method() instead of $class->method().
- Monkey
Posted: Thu Mar 10, 2005 9:00 pm
by Sphen001
Hi,
Thanks.
I just put the functions in a class in order to keep them together. It's not written down in stone.
Sphen001
Posted: Thu Mar 10, 2005 9:02 pm
by The Monkey
Sphen001 wrote:
I just put the functions in a class in order to keep them together. It's not written down in stone.
Oh, I understand. I'm the same way - but when I found I could call methods / functions without creating an instance of a class, I jumped on it. Less variables to juggle.
Posted: Thu Mar 10, 2005 9:08 pm
by Sphen001
The Monkey wrote:Less variables to juggle.
Very true. And when you're designing a large scale app, it's good to keep the usage to a minimum.
Not to press, but can you think of any functions that should be run when validating input? The earlier I can create these functions, the earlier I can start closing up holes in my app.
Thanks,
Sphen001
Posted: Thu Mar 10, 2005 9:17 pm
by feyd
There are things like handling magicQuotes, parsing all "user" sent data such as $_POST, $_GET, $_FILES, $_COOKIE, some of $_SERVER.. there's form validation that could be done, variable set up.. the list goes on and on. There's choosing whether to pre-parse all the data for a specific use, or parsing on demand when switching modes/code paths/whatever...
Posted: Thu Mar 10, 2005 9:18 pm
by The Monkey
Depends on what you are validating...
If it's for a "select" query, then as long as the data is properly escaped with mysql_real_escape_string(), then that is all the validating you need.
For insert / update (Like, a client choosing his username), you would want to strip html tags, run mysql_real_escape_string... and trim(). I can't think of any others at the moment.
Posted: Thu Mar 10, 2005 9:27 pm
by feyd
escaping % when you are using a LIKE option in SQL is also a good idea. Swapping repeated whitespace characters in usernames and such is often a good idea.. along with filtering the input, validating, and verifying all form data.
Something a lot of people forget is dropdowns can be fiddled with too.. so don't assume only "valid" values are coming in.
Posted: Fri Mar 11, 2005 7:40 am
by Sphen001
Wow, thanks for all the replies.
The main thing I'm concerned about is, as you say, SQL Injection and Form Injection. I'll look at making a few functions that combine some of them into one.
The reason for that, as I stated above, is that other developers may be adding to this code. Therefore, by giving them only one function they have to run, the code will still be (mostly) safe, even if they don't know a lot about security.
Thanks a lot.
Sphen001
Posted: Fri Mar 11, 2005 3:57 pm
by AGISB
The Monkey wrote:Depends on what you are validating...
If it's for a "select" query, then as long as the data is properly escaped with mysql_real_escape_string(), then that is all the validating you need.
For insert / update (Like, a client choosing his username), you would want to strip html tags, run mysql_real_escape_string... and trim(). I can't think of any others at the moment.
I kind of disagree with you. Only using mysql_real_escape_string() is not all the validating you need. It helps to avoid injection, but without properly validating the data against a positive list you are open to other trouble. E.g. if you've got a members area where different kinds of members can access you might need to check that member1 can only get value 1 and member2 only value 2. Just checking for injection will not be sufficient as member1 could fiddle with the value and get the data of member2.
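AGISB's point is that escaping protects the query, not the data behind it: a correctly escaped id can still be another member's id. The following is an added example, not code from the thread, showing the missing step as a defender would write it today. It validates the id against a positive pattern and then makes ownership part of the query. It swaps in PDO prepared statements for the mysql_real_escape_string() calls discussed above; the table and column names, the $pdo connection and $_SESSION['member_id'] are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumptions: $pdo is a PDO connection to
// MySQL, the 'documents' table has an 'owner_id' column, and the logged-in
// member's id is stored in $_SESSION['member_id'].

function fetch_own_document(PDO $pdo, int $member_id, string $requested_id): ?array
{
    // Positive validation first: an id is 1-10 digits with no leading zero.
    // Anything else is rejected outright rather than "cleaned up".
    if (preg_match('/^[1-9][0-9]{0,9}$/', $requested_id) !== 1) {
        return null;
    }

    // Authorization is part of the query: the row must belong to this member.
    // Placeholders carry the values, so no manual escaping is needed.
    $stmt = $pdo->prepare(
        'SELECT id, title, body FROM documents WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => (int) $requested_id, ':owner' => $member_id]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A row that exists but belongs to someone else is indistinguishable from
    // a missing row, which is what the caller should see.
    return $row === false ? null : $row;
}

// Usage (the caller decides how to report a rejected or foreign id):
// $doc = fetch_own_document($pdo, (int) $_SESSION['member_id'], $_GET['id'] ?? '');
// if ($doc === null) { http_response_code(404); exit; }
```

The check lives in the WHERE clause rather than in a separate "does this belong to you" lookup so that there is no window between the two and no way to forget the second call.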
Re: Question - How to secure your site.
Posted: Mon Mar 14, 2005 2:20 pm
by shiflett
Well, I'm designing a PHP project. I'm looking for ways to make sure I can secure it. It will be open-sourced, so I decided on creating a class to hold functions that will sanitize user input, validate e-mails, etc. Hopefully, I want another programmer to be able to do something like this:
Code:
$validate->sanitize($_POST['Some_data']);
Then the code would be completely safe to use for SQL, input, etc. I know it's not possible to get 100% security, but I want to try. So, I'm wondering, what can (should) be done to sanitize an input value with one function? I have thought of using functions such as:
htmlspecialchars()
trim()
If anyone has any thoughts or suggestions, I would love to hear them.
I think it's pretty important to distinguish between filtering and escaping. You seem to be considering these separate activities as one.
Filtering is the method by which you inspect data to be sure that it is valid. A whitelist approach is the safest, which is to assume data to be invalid unless it can be proven valid. The process of filtering should not modify the data.
It's difficult to create a sanitize() function or method that is universal. The filtering rules must be very specific to the data being filtered. For example, a last name should be subject to different filtering rules than a mailing address. Trying to come up with rules that apply to all data is going to necessarily be a weaker and more insecure approach.
Escaping is the method by which you escape specific characters that have a special meaning in the system for which the data is destined. The best examples of this are htmlentities() for escaping data to be sent to the client and mysql_real_escape_string() for data to be sent to a MySQL database.
The rules to follow are to filter input and escape output. Input is defined as any data that originates from any external system (not just the user), and output is defined as any data that is destined for any external system (not just the user).
Hope that helps.
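The filter-input, escape-output rule above, together with feyd's earlier points about LIKE wildcards and tampered dropdown values, as an added example that is not part of the thread. Filters return the data unchanged or reject it; escaping happens once per destination at output time. PDO prepared statements are used in place of mysql_real_escape_string(); the $pdo connection, the 'members' table and the column names are assumptions.

```php
<?php
// Added example (not from the thread). Filtering is kept separate from escaping.
// Assumption: $pdo is a PDO connection to a MySQL database with a 'members'
// table that has 'name' and 'joined' columns.

// --- Filtering: accept the value only if it is provably valid, else return null. ---

// Whitelist for a username: letters, digits, underscore, 3 to 20 characters.
// The value is never modified; trimming is the caller's explicit decision.
function filter_username(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

// A dropdown value is still user input: accept only the options the form offered.
function filter_choice(string $raw, array $allowed): ?string
{
    return in_array($raw, $allowed, true) ? $raw : null;
}

// --- Escaping: transform for one specific destination, at output time. ---

// For HTML output: neutralise markup and quote characters.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// For a SQL LIKE pattern: % and _ are wildcards and backslash is MySQL's
// default escape character, so the backslash is escaped first.
function escape_like(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// --- Putting it together: a prefix search over member names. ---
function search_members(PDO $pdo, string $raw_name, string $raw_sort): array
{
    $name = filter_username(trim($raw_name));
    $sort = filter_choice($raw_sort, ['name', 'joined']);
    if ($name === null || $sort === null) {
        return []; // invalid input is rejected, not repaired
    }

    // A column name cannot be bound as a parameter, which is exactly why $sort
    // had to come from a whitelist before it is placed in the statement.
    $stmt = $pdo->prepare(
        "SELECT name FROM members WHERE name LIKE :pattern ORDER BY $sort"
    );
    // The pattern is escaped for LIKE, then bound; the driver handles quoting.
    $stmt->execute([':pattern' => escape_like($name) . '%']);

    $rows = [];
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $found) {
        $rows[] = escape_html($found); // escaped for the HTML page that shows it
    }
    return $rows;
}

// Usage:
// $names = search_members($pdo, $_GET['q'] ?? '', $_GET['sort'] ?? 'name');
```

Note that a single sanitize() call could not have produced this: the username filter, the dropdown whitelist, the LIKE escaping and the HTML escaping each answer a different question, and only the last two change the data.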
Posted: Wed Mar 16, 2005 2:17 pm
by Sphen001
Wow, that really helps.
I guess what I should do is create different functions for different types of circumstances. What I was looking at in my first post however, was a way to do a general clean up of all data. That's where stuff like htmlspecialchars() and trim() come into play.
Thanks a lot
Sphen