Links and help to secure forum code

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

MrPotatoes
Forum Regular
Posts: 617
Joined: Wed May 24, 2006 6:42 am

Links and help to secure forum code

Post by MrPotatoes »

Well, I'm developing a forum and I think I can actually finish it this weekend (started last night), and I'm worried about security. Honestly, I've never done security because someone else on the team would worry about that, and they were good enough that we never had problems. Of course none of us are hackers, so don't quote me on that lol.

I wanted to know more about sanitizing URL and form data depending on what type it is. For instance, I have "create new topic"; I would want that to be different because any BB code won't be parsed. The actual body can have BB code, but it won't have any HTML, or it would be limited.

Also, this system is basically a system of includes, so the forum root index is the front controller: it checks the URL or POST variable to see what's there and then just includes the correct functions.

The only thing that I'm doing for that is this:

Code:

if (!get_magic_quotes_gpc())
{
	array_add_slashes($_GET);
	array_add_slashes($_POST);
	array_add_slashes($_COOKIE);
}
I don't know what I'm trying to stop, so I have even less of a clue how to stop it. Can you please post some examples and links? That would be super helpful, because I think that is the biggest problem I have to date in coding, not the actual forum.

Thanks for your replies guys, it's a big help.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Applying addslashes() to your data does not bring any database security. You must always (if you use MySQL) use mysql_real_escape_string().

Other than that, here's some homework to do:

1. Find the difference between filtering and escaping
2. Perform sanity checks on things like numeric ids (make sure they're numeric)
3. Write a database wrapper class that automatically escapes values
printf
Forum Contributor
Posts: 173
Joined: Wed Jan 12, 2005 5:24 pm

Post by printf »

Adding slashes to SUPERGLOBALS is really silly; it's better to design a set of functions or a simple class that sets rules for each input or query string coming into your script! More people waste time doing isset() or empty() than they need to. Really, a preprocessor is all you need. Then all you need to do is compare and use CAST values that the script expects!

What I mean is...

If you have a form that contains a string field that doesn't allow HTML, then process it as a STR; the same goes for any input!

Code:

// only clean and localize the values we expect
extract ( localize ( $_POST, array ( 'input_one' => 'STR', 'input_two' => 'INT', 'input_three' => 'URL' ) ) );

// $http is the raw request array ($_GET, $_POST, ...); $n maps each expected
// key to the type it is cast to. Keys not listed in $n are dropped.
function localize ( $http, $n )
{
	$r = array ();

	foreach ( $n AS $k => $v )
	{
		// missing inputs become empty strings so every expected key is defined
		if ( ! isset ( $http[$k] ) )
		{
			$http[$k] = '';
		}

		switch ( $v )
		{
			case 'INT' :
			$r[$k] = intval ( $http[$k] );
			break;
			case 'STR' :
			$r[$k] = trim ( $http[$k] );
			break;
			case 'URL' :
			$r[$k] = trim ( rawurldecode ( $http[$k] ) );
			break;
			case 'HTML' :
			$r[$k] = html_clean ( trim ( $http[$k] ) );
			break;
		}
	}

	return ( $r );
}

// Encode <, > and " as entities, plus any & that does not already start a
// numeric entity, so the value cannot introduce markup when echoed into HTML.
function html_clean ( $v )
{
	return str_replace ( array ( '<', '>', '"' ), array ( '&lt;', '&gt;', '&quot;' ), preg_replace ( '/&(?!#[0-9]+;)/si', '&amp;', $v ) );
}

pif!
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Or just escape/convert only, and I do mean only, the data you require, and only escape/convert the data for its relevant purpose. Blanket escaping leads to difficulties.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Usually rather than adding slashes when magic_quotes is off the opposite is done -- remove slashes when magic_quotes is on. Then all of your data is in its original state and you can use the appropriate function to escape depending on where the data is going.
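As an added example (not code from any poster in this thread), this is the approach the replies above converge on: undo magic_quotes so the data is in its original state, reject a non-numeric topic id instead of trying to escape it, and escape at each sink with the function that fits the destination. It uses a PDO prepared statement in place of the mysql_real_escape_string() call mentioned above; the posts table, its columns, and the sample request are assumptions.

```php
<?php
// Added example, not code from any poster in this thread.
// Undo magic_quotes recursively so request data is in its original state,
// instead of adding slashes when it is off (the approach Christopher describes).
function strip_slashes_deep($value)
{
    return is_array($value)
        ? array_map('strip_slashes_deep', $value)
        : stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_slashes_deep($_GET);
    $_POST   = strip_slashes_deep($_POST);
    $_COOKIE = strip_slashes_deep($_COOKIE);
}
// Filtering: a topic id must be all digits, so reject anything else up front
// rather than trying to escape it (Ambush Commander's sanity check).
function topic_id_from(array $params)
{
    if (!isset($params['topic_id']) || !ctype_digit((string) $params['topic_id'])) {
        return null;
    }
    return (int) $params['topic_id'];
}
// Escaping is done at each sink, with the function that fits the destination.
// Database sink: a PDO prepared statement, used here in place of the
// mysql_real_escape_string() call mentioned above; the posts table is assumed.
function save_post(PDO $pdo, $topic_id, $body)
{
    $stmt = $pdo->prepare('INSERT INTO posts (topic_id, body) VALUES (?, ?)');
    $stmt->execute(array($topic_id, $body));
}
// HTML sink: htmlspecialchars() makes the body display as text, so the
// apostrophe and tags a user typed appear literally instead of being parsed.
function render_body($body)
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}
// Constructed sample request standing in for $_GET/$_POST; the body keeps
// its raw apostrophe and angle brackets until it reaches a sink.
$request = array('topic_id' => '42', 'body' => "O'Reilly's <b>guide</b>");
$id = topic_id_from($request);
if ($id === null) { exit("invalid topic id\n"); }
$pdo = new PDO('sqlite::memory:');   // in-memory SQLite stands in for the forum's MySQL
$pdo->exec('CREATE TABLE posts (topic_id INTEGER, body TEXT)');
save_post($pdo, $id, $request['body']);
echo render_body($request['body']), "\n";
```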