Stepping Up Security
Posted: Thu Jul 20, 2006 9:49 am
by Bigun
I was made aware by Weirdan of a security flaw involving an injection of some type.
http://www.cybergrunge.com/test/view.php?viewband=b-7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
He told me to filter my input. Did he mean for me to run some kind of escape string check on my variables (in this case 'viewband')? Or is there some other way to filter out scripts in the URL?
Also, he mentioned redirecting my errors... how?
Posted: Thu Jul 20, 2006 12:49 pm
by RobertGonzalez
Filtering your data is making sure it fits the known expected criteria of the data. If you are placing links around your site that are of the form ?id=5 then you know that you are expecting a number to be tied to the $_GET['id'] var. So, in your script, where you use this data, check to make sure it fits what you expect it to be. If someone gets screwy with your URL and enters ?id=where+1+AND+1+=+1 or whatever the exact string is, they could potentially hose your result set, database or worse, your server.
Posted: Thu Jul 27, 2006 10:48 am
by Bigun
Would a simple mysql_escape_string work?
Posted: Thu Jul 27, 2006 10:51 am
by feyd
mysql_escape_string() and its better sibling mysql_real_escape_string() only prepare the data to be sent to MySQL. They do not necessarily protect you from sending bad data to MySQL.
Posted: Thu Jul 27, 2006 5:40 pm
by Bigun
I'm getting there.
By setting up a few preg_matches, the filtering is coming along.
But I have trouble with only two regex strings that I cannot seem to figure out.
First:
Letters a-z or the string 'num'
Second:
A selection between 6 preset strings
*EDIT*
Corrected spelling
Posted: Thu Jul 27, 2006 5:47 pm
by Benjamin
feyd wrote: They do not necessarily protect you from sending bad data to MySQL.
Can you elaborate on "bad data" please?
Posted: Thu Jul 27, 2006 5:51 pm
by Weirdan
Can you elaborate on "bad data" please?
Consider XSS attempt... while not harmful to database it could be dangerous to your users.
Posted: Thu Jul 27, 2006 5:53 pm
by feyd
astions wrote: Can you elaborate on "bad data" please?
bad data can be anything from information you don't anticipate to data that will make the database kick out an error of some fashion.
Posted: Thu Jul 27, 2006 5:56 pm
by Benjamin
Ok thank you.
Posted: Thu Jul 27, 2006 6:03 pm
by Bigun
I don't wanna stray from this post... sooo.... any ideas on the regex match string that I can use?
Conditions stated above...
Posted: Thu Jul 27, 2006 7:52 pm
by Ambush Commander
For the first one, first check for equality to 'num'. If that fails, check using ctype_lower() (although I think what you want to use is ctype_alpha, since ctype_lower will exclude capital letters in the string). No regexps needed.
For the next one, create a lookup table of the strings:
<?php
// Whitelist of the allowed strings, keyed by value so isset() gives a direct lookup
$lookup = array(
    'string1' => true,
    'string2' => true,
    // ...
);
And test isset($lookup[$string]).
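The two checks Ambush Commander describes, applied to the 'viewband' parameter from the URL at the top of the thread, as an added example (not code from the thread or from cybergrunge.com). The six preset band names and the render function are assumed; the only thing taken from the thread is the parameter name and the alert(document.cookie) payload, which is included here as a constructed test input to show it being rejected.

```php
<?php
// Added example: whitelist validation of ?viewband= plus HTML-encoding on output.
// Preset names below are assumed placeholders, not values from the site.

// Second condition: six preset strings, stored as a lookup table for isset().
$presets = array(
    'rock'  => true,
    'metal' => true,
    'punk'  => true,
    'jazz'  => true,
    'blues' => true,
    'folk'  => true,
);

// First condition: the exact string 'num', or letters only.
// No regex needed: ctype_lower() (or ctype_alpha() if capitals are wanted)
// rejects every byte outside the letter range, including the quote and
// angle brackets that the <script> payload depends on.
function is_valid_letter_or_num($value) {
    if (!is_string($value) || $value === '') {
        return false;
    }
    if ($value === 'num') {
        return true;
    }
    return ctype_lower($value);
}

// Membership test against the preset table.
function is_valid_preset($value, array $lookup) {
    return is_string($value) && isset($lookup[$value]);
}

function is_valid_viewband($value, array $lookup) {
    return is_valid_letter_or_num($value) || is_valid_preset($value, $lookup);
}

// Even validated values are encoded when echoed into HTML, so a future
// loosening of the whitelist cannot turn into reflected script injection.
function render_viewband($value) {
    return '<h1>Viewing band: ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Constructed sample inputs, including the decoded payload from the thread's URL.
$samples = array(
    'num',
    'metal',
    'abc',
    'Abc',                                            // rejected by ctype_lower
    'b-7"><script>alert(document.cookie)</script>',  // the XSS attempt
    '',
);

foreach ($samples as $s) {
    $ok = is_valid_viewband($s, $presets);
    printf("%-48s => %s\n", var_export($s, true), $ok ? 'accepted' : 'rejected');
}

// Typical use in view.php: reject and redirect instead of trying to "clean" the value.
$viewband = isset($_GET['viewband']) ? $_GET['viewband'] : '';
if (!is_valid_viewband($viewband, $presets)) {
    header('Location: /index.php');
    exit;
}
echo render_viewband($viewband);
```

Note the order: validation decides whether the request is served at all, and htmlspecialchars() decides how the value is written into the page. The first stops the payload from reaching the database or the view; the second is what neutralises it in the browser if it ever gets that far.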
Posted: Thu Jul 27, 2006 8:11 pm
by Bigun
I got it, purely using regex.
Anyway....
someone mind running a quick security check on it?
*EDIT*
hold up, got an issue
*EDIT*
Nevermind, got it, Linux permission issue
Posted: Sat Aug 12, 2006 1:28 pm
by Dave2000
Everah wrote: If you are placing links around your site that are of the form ?id=5 then you know that you are expecting a number to be tied to the $_GET['id'] var.
Is there anything wrong with just doing a simple isnumeric($_GET['id']) check? I mean, would that be enough?
Shears

Posted: Sat Aug 12, 2006 1:38 pm
by Ambush Commander
Personally, I would use ctype_digit().
But yes, that should be enough.
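An added example (not code from the thread) showing why ctype_digit() is the stricter choice for an ?id= parameter, and what feyd's distinction between escaping and validating looks like in practice: the id is validated, cast, and then passed as a bound parameter rather than escaped into the query string. The sample inputs are constructed; the table name bands, the column names, and the DSN/credential placeholders are assumptions.

```php
<?php
// Added example: is_numeric() versus ctype_digit() on typical ?id= inputs,
// followed by a bound-parameter query. Table/column names are assumed.

// Constructed sample values a visitor might put after ?id=
$samples = array('5', '007', '-5', '1.5', '1e3', ' 5', '5 OR 1=1', '');

foreach ($samples as $s) {
    printf("%-12s is_numeric=%-5s ctype_digit=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        ctype_digit($s) ? 'true' : 'false');
}
// is_numeric() also accepts '-5', '1.5', '1e3' and the leading-space ' 5',
// none of which match a link of the form ?id=5. ctype_digit() accepts only
// non-empty strings made entirely of 0-9, so '5' and '007' pass and the rest
// are rejected. The is_string() guard matters because ctype_digit() given an
// actual integer treats it as an ASCII code rather than a digit string.

function validate_id($raw) {
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;  // not an id we would ever have generated ourselves
    }
    return (int) $raw;  // safe to cast once the string is known to be digits
}

// mysql_real_escape_string() only makes a string safe to splice into SQL text;
// a prepared statement keeps the value out of the SQL text entirely.
function fetch_band_name(PDO $pdo, $id) {
    $stmt = $pdo->prepare('SELECT name FROM bands WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Typical use in a page script (placeholders for host, database and credentials):
//   $id = validate_id(isset($_GET['id']) ? $_GET['id'] : '');
//   if ($id === null) { header('Location: /index.php'); exit; }
//   $pdo  = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB', 'EXAMPLE_USER', 'EXAMPLE_PASS');
//   $name = fetch_band_name($pdo, $id);
```

The comparison loop runs on its own without a database; fetch_band_name() needs a live PDO connection and is left as a function so the rest of the file still executes offline.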