Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I'm beginning to read some security literature regarding PHP. I had never done it before, so you could say I'm pretty much a newbie on the subject. I want to hear some opinions on this code: Is this secure?
Although I don't care for the coding style, nothing security related jumps out. However, you could get some SQL errors if your database abstraction doesn't quote all the values given to it.
- I like the use of hashes with values 'cleaned' for a particular use. That is, I find $mysql and $html better choices, because they indicate in which context the values are 'clean'.
- It appears you're using a couple of variables in $_POST without explicitly testing if they exist, e.g. $_POST[$field].
- What happens if $_POST['limit_per_page'] is a negative number?
Feyd, I thought about what you said about my coding style. After looking at the code I began to dislike the way I was controlling the length of the $_POST[$vars]. I came up with this, which should be better:
Be careful of context - do you need to entitise text being sent to MySQL? Or does it only need escaping? Don't entitise database values unless it's required for a specific reason.
Just some sample code showing the split between contexts - you can just create some functions to do this automatically, or use a function accepting rules to automatically cover standard input filtering.
Default presumption since PHP is UTF-8 ignorant. It also encompasses most contingencies such as lower level UTF encodings among other things. Character encoding is important for entitising in PHP.
No, use htmlentities to escape data when outputting to html. When you want to output data to mysql, use mysql_real_escape_string.
What's important to realise is that it's all about 2 processes: filtering input and escaping output.
Input is what comes from the POST variables in this case. Other times it could be input from GET, SERVER or other variables.
Output is what goes out. That's output to a database, or output to a browser. Those are two different things. You can read more about this in Chris Shiflett's talks here or in his book http://phpsecurity.org/ or take a look at the Security guide from phpsec. And there have been a lot of good threads here of course.
We're getting somewhere... Still, $clean still doesn't indicate in which context it's clean (to me).
What about the following approach?
(1) Validate input (from the $_* arrays) and add the accepted input in $input
(2) Prepare variables for use in a query and store them in $mysql
(3) Prepare variables for use in html and store them in $html
When you're using this approach, it seems obvious that we'll evolve to three classes with getter/setter methods for key,value pairs.
In case of the input class we'll probably want to append rules to the setter.
In case of the mysql and html class we'll probably want some processing in the getter...
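The following is an added example, not code posted in this thread, showing the three-step approach above (validate into $input, prepare for the database into $mysql, prepare for HTML into $html) together with the earlier points about unchecked $_POST keys, a negative limit_per_page, and not entitising values that go to the database. The field names, the rules format and the sample request are assumptions for illustration. One deliberate substitution: the thread recommends mysql_real_escape_string(), which was removed in PHP 7, so the database step here binds values with PDO prepared statements instead; the separation of contexts is the same, only the mechanism for the SQL side differs.

```php
<?php
// Added example (not from the thread). Field names, rules and the sample
// request are assumptions; the $input / $mysql / $html split follows the thread.
declare(strict_types=1);

// Step (1): validate raw input from $_POST against per-field rules and keep
// only accepted values in $input. Missing or invalid fields never reach it.
function validateInput(array $post, array $rules): array
{
    $input = [];
    foreach ($rules as $field => $rule) {
        // Explicit existence check: answers the "$_POST[$field]" point above.
        // $_POST entries can also be arrays, so insist on a string.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            continue;
        }
        $raw = $post[$field];
        switch ($rule['type']) {
            case 'int':
                // A negative or absurd limit_per_page is rejected here, not
                // discovered later inside a LIMIT clause.
                $value = filter_var($raw, FILTER_VALIDATE_INT, [
                    'options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']],
                ]);
                if ($value === false) {
                    continue 2; // skip this field, keep validating the rest
                }
                $input[$field] = $value;
                break;
            case 'text':
                // Reject over-long or non-UTF-8 text instead of truncating it.
                if (!mb_check_encoding($raw, 'UTF-8')
                    || mb_strlen($raw, 'UTF-8') > $rule['maxlen']) {
                    continue 2;
                }
                $input[$field] = $raw;
                break;
        }
    }
    return $input;
}

// Step (2): the database context. Values are bound with PDO prepared
// statements (swapped in for mysql_real_escape_string, removed in PHP 7).
// Nothing is quoted by hand and, as the thread stresses, no HTML entities
// are ever stored: the database receives the validated text as-is.
function insertComment(PDO $db, array $input): void
{
    if (!isset($input['author'], $input['body'])) {
        throw new InvalidArgumentException('author and body are required');
    }
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->bindValue(':author', $input['author'], PDO::PARAM_STR);
    $stmt->bindValue(':body', $input['body'], PDO::PARAM_STR);
    $stmt->execute();
}

// Step (3): the HTML context. Escaping happens once, at output, with the
// charset stated explicitly rather than left to PHP's default.
function toHtml(array $input): array
{
    $html = [];
    foreach ($input as $key => $value) {
        $html[$key] = htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $html;
}

// Constructed sample request standing in for $_POST.
$post = [
    'author'         => "O'Brien <script>alert(1)</script>",
    'body'           => 'Hello & welcome',
    'limit_per_page' => '-5',   // rejected: below min_range
];
$rules = [
    'author'         => ['type' => 'text', 'maxlen' => 40],
    'body'           => ['type' => 'text', 'maxlen' => 2000],
    'limit_per_page' => ['type' => 'int', 'min' => 1, 'max' => 100],
];

$input = validateInput($post, $rules);
// limit_per_page is absent from $input, so the caller falls back to a
// default instead of passing -5 onward.
$limit = $input['limit_per_page'] ?? 20;

$html = toHtml($input);
echo '<p>', $html['author'], ': ', $html['body'], "</p>\n";
// Prints: <p>O&#039;Brien &lt;script&gt;alert(1)&lt;/script&gt;: Hello &amp; welcome</p>

// The database step is shown against in-memory SQLite so the example runs
// without a MySQL server; with MySQL only the DSN changes.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (author TEXT, body TEXT)');
insertComment($db, $input);
```

The point the thread circles around is visible in the two prepared arrays: the same validated $input value goes to the database untouched and to the browser entity-encoded, and neither representation is ever used in the other context. Storing the entitised form would corrupt searches and double-encode on the way back out; escaping for MySQL and then echoing to HTML would leave the markup live.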