
Links and help to secure forum code

Posted: Fri Jul 07, 2006 6:23 am
by MrPotatoes
Well, I'm developing a forum and I think I can actually finish it this weekend (started last night), and I'm worried about security. Honestly, I've never done security because someone else on the team would worry about that, and they were good enough that we never had problems. Of course none of us are hackers, so don't quote me on that lol

I wanted to know more about sanitizing URL and form data depending on what type it is. For instance, I have "create new topic"; well, I would want that to be different because any BB code won't be parsed. The actual body can have BB code, but it won't have any HTML, or it would be limited.

Also, this system is basically a system of includes, so the forum root index is the front controller: it checks the URL or POST variable to see what's there and then just includes the correct functions.

The only thing that I'm doing for that is this:

Code:

if (!get_magic_quotes_gpc())
{
	// array_add_slashes() is the poster's own helper (not shown in the post);
	// it applies addslashes() to every value in the array passed to it
	array_add_slashes($_GET);
	array_add_slashes($_POST);
	array_add_slashes($_COOKIE);
}

I don't know what I'm trying to stop, so I have even less of a clue how to stop it. Can you please post some examples and links? That would be super helpful, because I think that is the biggest problem I have to date in coding, and not the actual forum.

Thanks for your replies guys, it's a big help.
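The "body can have BB code but no HTML" case from the question, as an added example that is not code from this thread: escape the whole body as HTML first, then turn a short whitelist of BBCode tags back into markup, so anything typed as raw HTML survives only as literal text. The render_body() function, the tag set ([b], [i], [url]) and the sample post are assumptions of this example.

```php
<?php
// Added example (not from the thread): render a post body that may contain
// BBCode but must never carry raw HTML. The order is the whole point: escape
// first, then re-introduce markup only for tags we explicitly allow.
// render_body() and the tag whitelist are assumptions of this example.

function render_body(string $raw): string
{
    // 1. Neutralise every HTML metacharacter the user supplied.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-create markup only for whitelisted BBCode. The patterns run over
    //    the already-escaped text, so they can never see a raw '<' or '"'.
    $rules = [
        '~\[b\](.*?)\[/b\]~s' => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~s' => '<em>$1</em>',
    ];
    $out = preg_replace(array_keys($rules), array_values($rules), $safe);

    // 3. [url=...] goes through a callback so the target can be checked:
    //    only http/https is accepted; any other scheme is left as plain text.
    $out = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            // Undo the HTML escaping so the check sees the real value,
            // then re-escape it for the attribute context it lands in.
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://~i', $href)) {
                return $m[0]; // leave the rejected tag as (already escaped) text
            }
            $attr = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $attr . '">' . $m[2] . '</a>';
        },
        $out
    );

    // Keep the poster's line breaks, as forum software usually does.
    return nl2br($out);
}

// Constructed sample body: legitimate BBCode mixed with injected HTML and a
// javascript: link, the kind of input a forum must not trust.
$sample = "Hello [b]world[/b] <script>alert(1)</script>\n"
        . "[url=javascript:alert(1)]click[/url] [url=https://example.com]ok[/url]";

echo render_body($sample), "\n";
```

With this input the [b] tag becomes real markup, the script element is shown as escaped text, the javascript: link stays as text, and only the https link becomes an anchor. Adding a tag to the whitelist means adding one pattern; everything else is rejected by default.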

Posted: Fri Jul 07, 2006 8:10 am
by Ambush Commander
Applying addslashes() to your data does not bring any database security. You must always (if you use MySQL) use mysql_real_escape_string().

Other than that, here's some homework to do:

1. Find the difference between filtering and escaping
2. Perform sanity checks on things like numeric ids (make sure they're numeric)
3. Write a database wrapper class that automatically escapes values
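The three homework items worked through in one script, as an added example (not code from this thread or from any forum project). ext/mysql and mysql_real_escape_string() were removed in PHP 7, so the wrapper here uses PDO parameter binding instead, which escapes every value automatically; that swap, the ForumDb class, the topics table and the topic_id_from_request() helper are all assumptions of this example. An in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example (not from the thread). Filtering vs escaping, a sanity check
// on a numeric id, and a wrapper that escapes on every query.
// ForumDb, the topics table and topic_id_from_request() are assumptions.

// Homework 1 + 2: a topic id is *filtered*, never escaped. It is a positive
// integer or the request is refused; "12abc", "-1" and "1 OR 1=1" all fail.
function topic_id_from_request(array $get): ?int
{
    $id = filter_var(
        $get['t'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Homework 3: the wrapper's only query method takes values through bound
// placeholders, so a caller cannot build SQL from strings by accident.
final class ForumDb
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    /** Run one statement; every value goes in as a bound parameter. */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }

    /** Fetch a topic row by its already-validated id, or null if absent. */
    public function topic(int $id): ?array
    {
        $row = $this->run('SELECT id, title FROM topics WHERE id = :id', [':id' => $id])
                    ->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// Constructed fixture: in-memory SQLite stands in for MySQL.
$db = new ForumDb(new PDO('sqlite::memory:'));
$db->run('CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT)');
$db->run('INSERT INTO topics (id, title) VALUES (:id, :title)',
         [':id' => 7, ':title' => "Bob's topic"]);

// The apostrophe in the title and the hostile ids never touch the SQL text.
foreach (['7', '7 OR 1=1', 'abc', '-3'] as $input) {
    $id  = topic_id_from_request(['t' => $input]);
    $row = $id === null ? null : $db->topic($id);
    printf("t=%-12s -> %s\n", var_export($input, true),
           $row ? $row['title'] : 'rejected / not found');
}
```

The split to notice: the id is validated and rejected before any query exists (filtering), while the title, which may legitimately contain quotes, is handed to the driver as a parameter (escaping done for you, per query, for the database's own rules).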

Posted: Fri Jul 07, 2006 9:33 pm
by printf
Adding slashes to SUPERGLOBALS is really silly; it's better to design a set of functions or a simple class that sets rules for each input or query string coming into your script! More people waste time on doing isset() or empty() than they need to. Really, a preprocessor is all you need. Then all you need to do is compare and use CAST values that the script expects!

What I mean is...

If you have a form that contains a string field that doesn't allow HTML, then process it as a STR; same goes for any input!

Code:

// only clean and localize the values we expect

extract ( localize ( $_POST, array ( 'input_one' => 'STR', 'input_two' => 'INT', 'input_three' => 'URL' ) ) );

// $http is the request array ($_GET or $_POST); $n maps each expected key to its type rule
function localize ( $http, $n )
{
	$r = array ();

	foreach ( $n AS $k => $v )
	{
		// a missing key becomes an empty string, so every expected variable exists
		if ( ! isset ( $http[$k] ) )
		{
			$http[$k] = '';
		}

		switch ( $v )
		{
			case 'INT' :
			$r[$k] = intval ( $http[$k] );
			break;
			case 'STR' :
			$r[$k] = trim ( $http[$k] );
			break;
			case 'URL' :
			$r[$k] = trim ( rawurldecode ( $http[$k] ) );
			break;
			case 'HTML' :
			$r[$k] = html_clean ( trim ( $http[$k] ) );
			break;
		}
	}

	return ( $r );
}

// encode HTML metacharacters; the regex leaves existing numeric entities (&#123;) alone
function html_clean ( $v )
{
	return str_replace ( array ( '<', '>', '"' ), array ( '&lt;', '&gt;', '&quot;' ), preg_replace ( '/&(?!#[0-9]+;)/si', '&amp;', $v ) );
}

pif!

Posted: Sat Jul 08, 2006 8:13 pm
by Jenk
Or just escape/convert only, and I do mean only, the data you require, and only escape/convert the data for its relevant purpose. Blanket escaping leads to difficulties.

Posted: Sat Jul 08, 2006 8:26 pm
by Christopher
Usually rather than adding slashes when magic_quotes is off the opposite is done -- remove slashes when magic_quotes is on. Then all of your data is in its original state and you can use the appropriate function to escape depending on where the data is going.
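What Christopher and Jenk describe, as an added example that is not code from this thread: put the request back into its original state when magic_quotes_gpc is on, then escape each value only where it is used and only for that destination. The strip_magic_quotes(), for_html(), for_url_param() and for_db() helpers and the sample value are assumptions of this example; magic_quotes_gpc itself was removed in PHP 5.4 and the function in 8.0, so the guard is a no-op on current PHP and is kept only to show the shape of the fix.

```php
<?php
// Added example (not from the thread): undo magic quotes once, up front,
// then escape per destination at the point of use. Helper names are
// assumptions of this example.

/** Recursively undo addslashes() on a request array (nested arrays included). */
function strip_magic_quotes(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? strip_magic_quotes($value) : stripslashes($value);
    }
    return $data;
}

// Only ever true on PHP < 5.4; the function_exists() guard covers PHP 8.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// From here on every value is the raw text the user sent. Escape per destination:

/** Text placed inside an HTML element or a quoted attribute. */
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** A value placed inside a URL query string. */
function for_url_param(string $s): string
{
    return rawurlencode($s);
}

/** A value headed for the database: no string escaping at all, bind it. */
function for_db(PDO $pdo, string $s): string
{
    $stmt = $pdo->prepare('SELECT :v AS echoed');
    $stmt->execute([':v' => $s]);
    return $stmt->fetch(PDO::FETCH_ASSOC)['echoed'];
}

// Constructed sample value carrying the characters each context cares about.
$title = "O'Reilly <b>&</b> \"friends\"";

echo 'HTML: ', for_html($title), "\n";
echo 'URL:  ?q=', for_url_param($title), "\n";
echo 'DB:   ', for_db(new PDO('sqlite::memory:'), $title), "\n";
```

The same string comes out three different ways because each destination has its own metacharacters; a single blanket escape applied on input would be wrong for at least two of them, which is the difficulty Jenk refers to. The database round trip returns the title unchanged, showing that with a bound parameter nothing had to be escaped by hand at all.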