String conversion to number

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Example:
http://www.example.com/script.php?id[]=1

This will make $_GET['id'] an array.

---------
filter/escape/sanitise/sanitize
I thought from the way I've written it, it is clear that by those things I mean the same. And you've already defined sanitize and validate.

"escape" is what most "sanitizing" functions do - mysql_real_escape_string() for example.
In my opinion validating, filtering and sanitizing, all used on input, are terms used for the same process: making sure only data you want can enter your script/application. Within that process several things can happen. Checking what the input is, returning an error or message, returning true/false, logging something, stripping data, etc etc. It all depends on the specific situation what should be done exactly.
No.
Checking what the input is, returning an error or message
This would be validating. You check and tell the user if it was valid.

This is not, and I stress it - not - a good enough security measure. All things coming from a user-controllable source (this is "input" if you still insist on definitions) should be filtered with a filter appropriate for the function they will be passed to.
Before putting it into a mysql database, we filter it with mysql_real_escape_string()
Before printing it to the user we will filter it with htmlentities()

This is what you called later in that sentence "stripping data". Validation and filtering have different purposes and should be thought of and implemented separately. I will repeat: Filter if you want to be secure, validate if you want to be nice.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

It seems you use very different definitions than I do.

Most of what I've learned about PHP security comes from people like Chris Shiflett and Ilia Alshanetsky. So I use their definitions. Some of them are different than yours. For example you say
Quote:
filter/escape/sanitise/sanitize
I thought from the way I've written it, it is clear that by those things I mean the same. And you've already defined sanitize and validate.
However, filtering and escaping are different things. Again, if I use the way Chris and Ilia define them. Chris uses the mantra "filter input, escape output". What Chris calls filtering Ilia calls validating. But they both concern the input process, where data from outside enters your code.
Example input filtering.

Code:
<?php
$clean = array();

// Whitelist: only one of three known values may enter $clean.
if (isset($_POST['color']))
{
    switch ($_POST['color'])
    {
        case 'red':
        case 'green':
        case 'blue':
            $clean['color'] = $_POST['color'];
            break;
    }
}

// Only a plain string made up of letters and digits is accepted as username;
// is_string() keeps a username[]=... array from reaching ctype_alnum().
if (isset($_POST['username']) && is_string($_POST['username']) && ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username'];
}

?>
Output escaping is the other end, where data leaves your code.
Example output escaping

Code:
<?php

// Escaping for HTML output: quotes are encoded too, so the value is safe inside attributes.
$html = array();
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');
echo "<p>Welcome back, {$html['username']}.</p>";

// Escaping for the MySQL client: mysql_real_escape_string() needs an open connection,
// because it escapes according to the connection's character set.
$mysql = array();
$mysql['username'] = mysql_real_escape_string($clean['username']);
$sql = "SELECT *
        FROM   profile
        WHERE  username = '{$mysql['username']}'";
$result = mysql_query($sql);
?>
So for me filter and validating both concern input (from GET, POST, db, etc). Escaping concerns output (to html, db, etc).
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

I see now, we have indeed a contradiction in terms. So to you validate=filter, and sanitize=escape, I get it.

I have linguistic objections to the usage of "filter" meaning "validate" and not "sanitize/escape", but I see this doesn't come from you. Also I am not a native English speaker, so I may be wrong.

Still, http://m-w.com/dictionary/filter
3 : something that has the effect of a filter (as by holding back elements or modifying the appearance of something) <his work is too often viewed through the filter of race -- Brent Staples>
"filter=sanitize" falls in this definition, as it holds back potentially dangerous elements of an input, but the end result is passed on, whereas "validating" acts on all inputs, and in result stops or lets through the whole request. Validation is like face control in front of a bar, and filtering is like being checked for weapons and having your gun removed once you're inside (and barbarous enough to carry one ;) )

------------

Anyway, don't let the linguistic debate carry you away from your original question - yes, you need an explicit cast to integer, I already gave you an example why.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Anyway, don't let the linguistic debate carry you away from your original question - yes, you need an explicit cast to integer, I already gave you an example why.
Indeed - the very interesting linguistic debates aside - your example does make something clear.

Code:
<?php
// url is ?id=7
$index = isset($_GET["id"]) ? $_GET["id"]-1 : 0;
// $index is 6

// url is ?id=7hackme
$index = isset($_GET["id"]) ? $_GET["id"]-1 : 0;
// $index is int(6)

// url is ?id[]=7
$index = isset($_GET["id"]) ? $_GET["id"] : 0;
// $index is array(1) { [0]=>  string(1) "7" }

// url is ?id[]=7
$index = isset($_GET["id"]) ? $_GET["id"]-1 : 0;
// Oops, FATAL error : Unsupported operand types in 

// url is ?id[]=7
$index = isset($_GET["id"]) ? (int)$_GET["id"] : 0;
// $index is int(1)

// url is ?id[]=7
$index = isset($_GET["id"]) ? (int)$_GET["id"]-1 : 0;
// $index is int(0)

?>
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Mordred wrote: I'm sorry, you are mistaken, it could also be an array, and that is a common way to find interesting messages with applications that fail to consider the possibility.
I'm sorry too, but you're mistaken :P
In your example above, the data is "1", and it's a string - this is the data, not $_GET['id'] which is really an array, but the data isn't. Let's not be picky though :wink:
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

I'm sorry that you're sorry, but I'm right twice over, because you made two mistakes, reread your posts.

And now you're making a third one - a "data" cannot be a "string", data is data, an abstract thing. We coders work with the syntactic representation it has in our language of choice. Otherwise your statement is the same as saying that all data is binary :)

I'm sorry for being "picky", but these forums are read by newbies and I think it is very dangerous for them as learning programmers to read statements like your big red one. I hope you're not offended, this has nothing to do with you personally, only with your opinion.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

You are not serious, right? (I hope you are not, cause I'm laughing at this whole thing and I hope you do the same) :lol:
Have a nice day :wink:

Edit: By the way, see viewtopic.php?t=35719#209573
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Just check the type then cast it or default it depending on results. For example: is_scalar() -> cast.
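An added example (not posted by anyone in this thread) that turns feyd's "check the type, then cast or default" advice into one helper and runs it over constructed inputs mirroring matthijs's ?id=7, ?id=7hackme and ?id[]=7 cases; the function name read_nonneg_int and the sample cases are my own.

```php
<?php
// Added example, not from the thread. Implements "is_scalar() -> validate -> cast"
// for a request parameter that must be a non-negative integer.

/**
 * Return $source[$key] as a non-negative integer, or $default when the value is
 * missing, is not a scalar (?id[]=7 arrives as an array), contains anything but
 * digits ("7hackme"), or is not in canonical form ("007", or a value that would
 * overflow PHP_INT_MAX).
 */
function read_nonneg_int(array $source, $key, $default = 0)
{
    if (!isset($source[$key]) || !is_scalar($source[$key])) {
        return $default;                       // missing, or an array smuggled in via key[]=...
    }
    $value = (string) $source[$key];
    if ($value === '' || !ctype_digit($value)) {
        return $default;                       // rejects "7hackme", "-1", " 7", ""
    }
    $int = (int) $value;
    // Round trip: catches leading zeros and saturation on overflow ((int) of a
    // huge digit string yields PHP_INT_MAX, whose string form differs from $value).
    if ((string) $int !== $value) {
        return $default;
    }
    return $int;
}

// Constructed cases; the 'get' arrays are what PHP would build for each query string.
$cases = array(
    array('url' => '?id=7',       'get' => array('id' => '7'),        'expect' => 7),
    array('url' => '?id=7hackme', 'get' => array('id' => '7hackme'),  'expect' => 0),
    array('url' => '?id[]=7',     'get' => array('id' => array('7')), 'expect' => 0),
    array('url' => '?id=007',     'get' => array('id' => '007'),      'expect' => 0),
    array('url' => '(no id)',     'get' => array(),                   'expect' => 0),
);

foreach ($cases as $c) {
    $got = read_nonneg_int($c['get'], 'id', 0);
    printf("%-12s -> %s\n", $c['url'], var_export($got, true));
    assert($got === $c['expect']);
}
// Only after this does the page-specific arithmetic ($index = $id - 1) happen,
// on an int that can no longer be an array or a trailing-garbage string.
?>
```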