Stepping Up Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am


Post by Bigun »

I was made aware by Weirdan of a security flaw involving using an injection of some type.

Code:

http://www.cybergrunge.com/test/view.php?viewband=b-7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
He told me to filter my input. Did he mean for me to run some kind of escape string check on my variables (in this case 'viewband')? Or is there some other way to filter out scripts in the URL?

Also, he mentioned redirecting my errors... how?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Filtering your data is making sure it fits the known expected criteria of the data. If you are placing links around your site that are of the form ?id=5 then you know that you are expecting a number to be tied to the $_GET['id'] var. So, in your script, where you use this data, check to make sure it fits what you expect it to be. If someone gets screwy with your URL and enters ?id=where+1+AND+1+=+1 or whatever the exact string is, they could potentially hose your result set, database or worse, your server.
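The opening post asks two things: how to filter a parameter such as viewband, and how to redirect errors. The reply above describes filtering as checking the value against what the site's own links promise. The following is an added example (not code from the thread or from the cybergrunge.com site) of a view.php written that way. It uses an in-memory SQLite database through PDO as a stand-in for MySQL so that it runs offline; the bands table, its single row and the log path are constructed placeholders.

```php
<?php
// Added example, not code from the thread or from cybergrunge.com. Shows the
// two things the opening post asks about, done the way the reply describes:
// (1) filter input by checking it against the shape the site's own links use,
// (2) send errors to a log instead of the page. To run offline it uses an
// in-memory SQLite database through PDO as a stand-in for MySQL; the `bands`
// table and its row are constructed sample data.

// --- "Redirecting errors": log them, never render them for the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/tmp/view-php-errors.log');   // placeholder path

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE bands (slug TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO bands VALUES ('b-7', 'Sample Band <b>7</b>')"); // constructed row

// --- Filtering: the site's links look like ?viewband=b-7, so that is the
// only shape accepted. Anything else is refused before it reaches SQL or HTML.
function require_band_param(array $get): string
{
    $raw = $get['viewband'] ?? null;
    // A query string can also carry arrays (?viewband[]=x); is_string rejects those.
    if (!is_string($raw) || !preg_match('/\A[a-z]-[0-9]{1,6}\z/', $raw)) {
        http_response_code(400);
        exit("Invalid band id\n");
    }
    return $raw;
}

// Before: the raw value goes into the SQL text and into the page unchanged.
function show_band_before(PDO $db, array $get): string
{
    $v   = (string) ($get['viewband'] ?? '');
    $row = $db->query("SELECT name FROM bands WHERE slug = '$v'")->fetch();
    return '<h1>' . $v . '</h1><p>' . ($row['name'] ?? '') . '</p>';
}

// After: validated value, bound parameter, HTML-encoded output.
function show_band_after(PDO $db, array $get): string
{
    $v = require_band_param($get);

    $stmt = $db->prepare('SELECT name FROM bands WHERE slug = ?');
    $stmt->execute([$v]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit("No such band\n");
    }

    $h = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<h1>' . $h($v) . '</h1><p>' . $h($row['name']) . '</p>';
}

try {
    // On the command line $_GET is empty, so the constructed id is used.
    echo show_band_after($db, $_GET + ['viewband' => 'b-7']), "\n";
} catch (PDOException $e) {
    error_log($e->getMessage());      // the detail goes to the log...
    http_response_code(500);
    exit("Something went wrong\n");   // ...the visitor gets a generic message
}
```

The before version is kept only to show where the two sinks are: the raw value reaches the SQL text and the HTML output unchanged. In the after version the regex decides what a band id may look like, the bound parameter keeps data out of the SQL text even if that regex were loosened later, and htmlspecialchars() handles the HTML context. The mysql_* functions discussed in this thread were removed in PHP 7, which is a further reason the example uses PDO.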
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

Would a simple mysql_escape_string work?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

mysql_escape_string() and its better sibling mysql_real_escape_string() only prepare the data to be sent to MySQL. They do not necessarily protect you from sending bad data to MySQL.
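To make feyd's point concrete, here is an added example (not from the thread) that runs the decoded value from the first post's URL through the character rules of mysql_real_escape_string() and then through HTML encoding. No database is used; sql_escape_standin() is a stand-in that applies the same escaping rules as mysql_real_escape_string() so the snippet runs offline, and the SQL statement shown is constructed.

```php
<?php
// Added example, not from the thread. Demonstrates that escaping for MySQL
// protects the SQL statement and nothing else. No database is used;
// sql_escape_standin() is a stand-in applying the same character rules as
// mysql_real_escape_string() (the real one is connection and charset aware).

// Constructed input: the decoded viewband value from the first post.
$viewband = 'b-7"><script>alert(document.cookie)</script>';

// mysql_real_escape_string() backslash-escapes NUL, \n, \r, \, ', " and
// Ctrl-Z. Note what is missing from that list: < > and /.
function sql_escape_standin(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',   "\n" => '\n',   "\r" => '\r',
        '\\'   => '\\\\', "'"  => "\\'",  '"'  => '\\"',
        "\x1a" => '\Z',
    ]);
}

// Encoding for the HTML context is a different transformation entirely.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$forSql = sql_escape_standin($viewband);

// Inside a quoted SQL literal $forSql is inert: the one quote it contains is
// escaped, so the statement boundary cannot be broken.
$sql = "INSERT INTO bands (slug) VALUES ('$forSql')";

// But the database stores and later returns the original bytes, and echoing
// them hands the browser a live script element. Same data, different parser.
$pageUnsafe = '<h1>' . $viewband . '</h1>';
$pageSafe   = '<h1>' . h($viewband) . '</h1>';

echo "SQL:    $sql\n";
echo "unsafe: $pageUnsafe\n   script tag present: "
   . var_export(contains_script_tag($pageUnsafe), true) . "\n";
echo "safe:   $pageSafe\n   script tag present: "
   . var_export(contains_script_tag($pageSafe), true) . "\n";
```

The two escaping functions answer two different questions: "can this value break out of a quoted SQL literal?" and "can this value break out of an HTML text node or attribute?". A value that is safe for one context is not thereby safe for the other, which is why validating the input up front (the filtering discussed above) and encoding at each point of output are both needed.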
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

I'm getting there.

By setting up a few preg_matches the filtering is coming along.

But I have trouble with only two regex strings that I cannot seem to figure out

First:
Letters a-z or the string 'num'

Second:
A selection between 6 preset strings

*EDIT*

Corrected spelling
Last edited by Bigun on Thu Jul 27, 2006 6:02 pm, edited 1 time in total.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

feyd wrote: They do not necessarily protect you from sending bad data to MySQL.
Can you elaborate on "bad data" please?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Can you elaborate on "bad data" please?
Consider XSS attempt... while not harmful to database it could be dangerous to your users.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

astions wrote: Can you elaborate on "bad data" please?
bad data can be anything from information you don't anticipate to data that will make the database kick out an error of some fashion.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Ok thank you.
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

I don't wanna stray from this post... sooo.... any ideas on the regex match string that I can use?

Conditions stated above...
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

For the first one, first check for equality to 'num'. If that fails, check using ctype_lower() (although I think what you want to use is ctype_alpha, since ctype_lower will exclude capital letters in the string). No regexps needed.

For the next one, create a lookup table of the strings:

Code:

$lookup = array(
  'string1' => true,
  'string2' => true,
  // ...
);
And test isset($lookup[$string])
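The two checks described in the post, written out as an added example (not Ambush Commander's code). The names of the parameters and the six allowed sort values are constructed placeholders; the functions themselves are general.

```php
<?php
// Added example, not Ambush Commander's code. Implements both checks from the
// post as functions. The six allowed sort values are constructed placeholders.

// Check 1: exactly 'num', or a string consisting only of letters.
// ctype_alpha() is used rather than ctype_lower() so capitals pass as well.
// Two caveats: ctype_alpha('') is false, so empty input fails closed; and
// under a non-C locale ctype_alpha() may accept bytes outside A-Z/a-z, which
// is why a locale-independent regex variant is given alongside it.
function is_letters_or_num(string $value): bool
{
    if ($value === 'num') {
        return true;
    }
    return ctype_alpha($value);
}

function is_letters_or_num_regex(string $value): bool
{
    return $value === 'num' || preg_match('/\A[A-Za-z]+\z/', $value) === 1;
}

// Check 2: membership in a fixed set via a lookup table. isset() on a key is
// an exact-match test; in_array() with its default loose comparison is not
// (0 == 'abc' was true before PHP 8).
const ALLOWED_SORT = [
    'name'  => true, 'year'    => true, 'genre'  => true,
    'label' => true, 'country' => true, 'rating' => true,
];

function is_allowed_choice(string $value, array $lookup): bool
{
    return isset($lookup[$value]);
}

// Applying both to a request. Query-string values are strings or arrays, so
// anything that is not a string is refused before the typed checks run.
function read_listing_params(array $get): array
{
    $letter = $get['letter'] ?? 'num';
    $sort   = $get['sort'] ?? 'name';

    if (!is_string($letter) || !is_letters_or_num($letter)) {
        throw new InvalidArgumentException('letter must be letters only or "num"');
    }
    if (!is_string($sort) || !is_allowed_choice($sort, ALLOWED_SORT)) {
        throw new InvalidArgumentException('sort is not one of the allowed values');
    }
    return ['letter' => $letter, 'sort' => $sort];
}

// Constructed requests: one that should pass, two that should be refused.
$requests = [
    ['letter' => 'B',         'sort' => 'year'],
    ['letter' => 'b<script>', 'sort' => 'year'],
    ['letter' => 'num',       'sort' => ['year']],
];
foreach ($requests as $req) {
    try {
        $p = read_listing_params($req);
        echo "accepted: letter={$p['letter']} sort={$p['sort']}\n";
    } catch (InvalidArgumentException $e) {
        echo "refused: {$e->getMessage()}\n";
    }
}
```

The lookup-table form scales to any number of allowed values without touching the check itself, and because the keys are the only values that can ever reach the rest of the script, the downstream SQL or HTML never sees anything that was not on the list.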
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

I got it, purely using regex.

Anyway....

someone mind running a quick security check on it?

*EDIT*

hold up, got an issue

*EDIT*

Nevermind, got it, Linux permission issue
Dave2000
Forum Contributor
Posts: 126
Joined: Wed Jun 21, 2006 1:48 pm

Post by Dave2000 »

Everah wrote: If you are placing links around your site that are of the form ?id=5 then you know that you are expecting a number to be tied to the $_GET['id'] var.
Is there anything wrong with just doing a simple isnumeric($_GET['id']) check? I mean, would that be enough?

Shears :)
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Personally, I would use ctype_digit().

But yes, that should be enough.
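Since is_numeric() and ctype_digit() accept different things, here is an added example (not from the thread) that runs both, plus filter_var() with FILTER_VALIDATE_INT, over constructed sample values so the differences are visible for an ?id=5 style parameter.

```php
<?php
// Added example, not from the thread. Runs three ways of checking an ?id=5
// parameter side by side over constructed sample values.

function passes_is_numeric($v): bool
{
    return is_numeric($v);
}

// ctype_digit() only means "every byte is 0-9" when it is given a string.
// Given an integer it treats the value as an ASCII code (deprecated since
// PHP 8.1), so guard with is_string(); $_GET values are strings or arrays.
function passes_ctype_digit($v): bool
{
    return is_string($v) && $v !== '' && ctype_digit($v);
}

// filter_var() with FILTER_VALIDATE_INT returns the int, or false. A
// min_range of 1 also rejects zero and negatives, which no row id has.
function as_positive_int($v)
{
    return filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Constructed inputs: things a query string can actually carry.
$samples = ['5', '05', ' 5', '-5', '5.0', '1e3', '0x1A', '', '5abc', ['5']];

printf("%-10s %-11s %-12s %s\n", 'input', 'is_numeric', 'ctype_digit', 'validate_int');
foreach ($samples as $v) {
    $label = is_array($v) ? 'array' : var_export($v, true);
    $int   = as_positive_int($v);
    printf("%-10s %-11s %-12s %s\n",
        $label,
        passes_is_numeric($v) ? 'yes' : 'no',
        passes_ctype_digit($v) ? 'yes' : 'no',
        $int === false ? 'rejected' : (string) $int);
}
```

The table makes the post's preference clear: is_numeric() also accepts signs, decimals, exponents and leading whitespace, so '5.0' and '1e3' pass it, while ctype_digit() passes only strings made of digits. Both are fine as a gate before a query, but only the filter_var() form hands back an actual integer, which is the value the rest of the script should be working with.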