
Posted: Thu Jan 04, 2007 8:39 am
by Mordred
Example:
http://www.example.com/script.php?id[]=1

This will make $_GET['id'] an array.

---------
filter/escape/sanitise/sanitize
I thought from the way I've written it, it is clear that by those things I mean the same. And you've already defined sanitize and validate.

"escape" is what most "sanitizing" functions do - mysql_real_escape_string() for example.
Quote:
In my opinion validating, filtering and sanitizing, all used on input, are terms used for the same process: making sure only data you want can enter your script/application. Within that process several things can happen. Checking what the input is, returning an error or message, returning true/false, logging something, stripping data, etc etc. It all depends on the specific situation what should be done exactly.
No.
Quote:
Checking what the input is, returning an error or message
This would be validating. You check and tell the user if it was valid.

This is not, and I stress it - not - a good enough security measure. All things coming from a user-controllable source (this is "input" if you still insist on definitions) should be filtered with a filter appropriate for the function they will be passed to.
Before putting it into a mysql database, we filter it with mysql_real_escape_string()
Before printing it to the user we will filter it with htmlentities()

This is what you called later in that sentence "stripping data". Validation and filtering have different purposes and should be thought of and implemented separately. I will repeat: Filter if you want to be secure, validate if you want to be nice.

Posted: Thu Jan 04, 2007 9:15 am
by matthijs
It seems you use very different definitions than I do.

Most of what I've learned about PHP security comes from people like Chris Shiflett and Ilia Alshanetsky. So I use their definitions. Some of them are different than yours. For example you say
Quote:
filter/escape/sanitise/sanitize
I thought from the way I've written it, it is clear that by those things I mean the same. And you've already defined sanitize and validate.
However, filtering and escaping are different things. Again, if I use the way Chris and Ilia define them. Chris uses the mantra "filter input, escape output". What Chris calls filtering Ilia calls validating. But they both concern the input process, where data from outside enters your code.
Example input filtering.

Code:

<?php
$clean = array();

// Whitelist: only one of the three known values is copied into $clean;
// anything else (including an array from ?color[]=red) leaves $clean['color'] unset.
switch($_POST['color'])
{
    case 'red':
    case 'green':
    case 'blue':
        $clean['color'] = $_POST['color'];
        break;
}

// Character-class check: ctype_alnum() returns false for an empty string
// and for a non-string such as an array, so neither reaches $clean.
if (ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username'];
}

?>
Output escaping is the other end, where data leaves your code.
Example output escaping

Code:

<?php

// Escape for the HTML sink, right before the value is echoed.
$html = array();
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');
echo "<p>Welcome back, {$html['username']}.</p>";

// Escape for the MySQL sink, right before the value is interpolated into SQL.
// mysql_real_escape_string() needs an open mysql_connect() link; the mysql
// extension this uses was removed in PHP 7.
$mysql = array();
$mysql['username'] = mysql_real_escape_string($clean['username']);
$sql = "SELECT *
        FROM   profile
        WHERE  username = '{$mysql['username']}'";
$result = mysql_query($sql);
?>
So for me filtering and validating both concern input (from GET, POST, db, etc). Escaping concerns output (to html, db, etc).
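
The following is an added example, not code from this thread or from Shiflett's or Alshanetsky's books. It puts Mordred's "filter appropriate for the function they will be passed to" and matthijs's "filter input, escape output" side by side: one validator decides whether the request is acceptable at all, then a separate escaper per sink makes the accepted value inert for HTML, for a URL and for SQL. In place of mysql_real_escape_string() it uses a PDO bound parameter, the modern equivalent. It assumes PHP 7.1+ with the pdo_sqlite extension; the function names, the profile table and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the thread. Validation decides whether a request is
// acceptable; escaping makes an accepted value inert for ONE specific sink.
// A value that validates can still break a sink it reaches unescaped.
// Function names, table and sample data are constructed for illustration.

// Validation ("face control"): letters, spaces, hyphens and apostrophes only,
// 1 to 40 characters. Arrays (?name[]=x) are rejected before anything else.
function validate_display_name($value): ?string
{
    if (!is_scalar($value)) {
        return null;
    }
    $value = (string) $value;
    return preg_match('/^[A-Za-z][A-Za-z\' -]{0,39}$/', $value) ? $value : null;
}

// Escaping: one function per sink.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function escape_for_url(string $value): string
{
    return rawurlencode($value);
}

// SQL: a bound parameter keeps data and query text apart, so the value itself
// never needs escaping for this sink.
function find_profiles_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM profile WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The unsafe counterpart: the value passed validation but is concatenated
// into the query text without escaping for the SQL sink.
function find_profiles_unsafe(PDO $db, string $name): array
{
    try {
        $stmt = $db->query("SELECT name FROM profile WHERE name = '$name'");
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return ['SQL error: ' . $e->getMessage()];
    }
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO profile (name) VALUES ('O''Brien'), ('Ada')");

$inputs = [
    "Ada",                // plain value
    "O'Brien",            // passes validation; the apostrophe matters to SQL and HTML
    "x' OR 'a' LIKE 'a",  // passes validation too: only letters, quotes and spaces
    "<b>Ada</b>",         // fails validation: angle brackets are not allowed
    ["Ada"],              // ?name[]=Ada arrives as an array: fails validation
];

foreach ($inputs as $raw) {
    $name = validate_display_name($raw);
    if ($name === null) {
        printf("%-22s rejected by validation\n", json_encode($raw));
        continue;
    }
    printf("%-22s html=%s url=%s\n", json_encode($raw),
        escape_for_html($name), escape_for_url($name));
    printf("%-22s bound  -> %s\n", '', json_encode(find_profiles_safe($db, $name)));
    printf("%-22s concat -> %s\n", '', json_encode(find_profiles_unsafe($db, $name)));
}
```

Run it with `php example.php`. "O'Brien" passes validation, is rendered as `O&apos;Brien` for HTML and `O%27Brien` for a URL, matches its row through the bound parameter, and produces a SQL syntax error through concatenation. "x' OR 'a' LIKE 'a" also passes validation; the bound query returns no rows, the concatenated one returns every row in the table. That is the difference between validating and escaping per sink that the two posts are arguing about.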

Posted: Thu Jan 04, 2007 9:41 am
by Mordred
I see now, we have indeed a contradiction in terms. So to you validate=filter, and sanitize=escape, I get it.

I have linguistic objections to the usage of "filter" meaning "validate" and not "sanitize/escape", but I see this doesn't come from you. Also I am not a native English speaker, so I may be wrong.

Still, http://m-w.com/dictionary/filter
3 : something that has the effect of a filter (as by holding back elements or modifying the appearance of something) <his work is too often viewed through the filter of race -- Brent Staples>
"filter=sanitize" falls in this definition, as it holds back potentially dangerous elements of an input, but the end result is passed on, whereas "validating" acts on all inputs, and in result stops or lets through the whole request. Validation is like face control in front of a bar, and filtering is like being checked for weapons and having your gun removed once you're inside (and barbarous enough to carry one ;) )

------------

Anyway, don't let the linguistic debate carry you away from your original question - yes, you need an explicit cast to integer, I already gave you an example why.

Posted: Thu Jan 04, 2007 10:46 am
by matthijs
Quote:
Anyway, don't let the linguistic debate carry you away from your original question - yes, you need an explicit cast to integer, I already gave you an example why.
Indeed - the very interesting linguistic debates aside - your example does make something clear.

Code:

<?php
// url is ?id=7
$index = isset($_GET["id"]) ? $_GET["id"]-1 : 0;
// $index is 6

// url is ?id=7hackme
$index = isset($_GET["id"]) ? $_GET["id"]-1 : 0;
// $index is int(6)

// url is ?id[]=7
$index = isset($_GET["id"]) ? $_GET["id"] : 0;
// $index is array(1) { [0]=>  string(1) "7" }

// url is ?id[]=7
$index = isset($_GET["id"]) ? $_GET["id"]-1 : 0;
// Oops, FATAL error : Unsupported operand types in 

// url is ?id[]=7
$index = isset($_GET["id"]) ? (int)$_GET["id"] : 0;
// $index is int(1)

// url is ?id[]=7
$index = isset($_GET["id"]) ? (int)$_GET["id"]-1 : 0;
// $index is int(0)

?>

Posted: Thu Jan 04, 2007 3:00 pm
by Oren
Mordred wrote:I'm sorry, you are mistaken, it could also be an array, and that is a common way to find interesting messages with applications that fail to consider the possibility.
I'm sorry too, but you're mistaken :P
In your example above, the data is "1", and it's a string - this is the data, not $_GET['id'] which is really an array, but the data isn't. Let's not be picky though :wink:

Posted: Fri Jan 05, 2007 2:36 am
by Mordred
I'm sorry that you're sorry, but I'm right twice over, because you made two mistakes, reread your posts.

And now you're making a third one - a "data" cannot be a "string", data is data, an abstract thing. We coders work with the syntactic representation it has in our language of choice. Otherwise your statement is the same as saying that all data is binary :)

I'm sorry for being "picky", but these forums are read by newbies and I think it is very dangerous for them as learning programmers to read statements like your big red one. I hope you're not offended, this has nothing to do with you personally, only with your opinion.

Posted: Fri Jan 05, 2007 10:28 am
by Oren
You are not serious right? (I hope you are not, cause I'm laughing at this whole thing and I hope you do the same) :lol:
Have a nice day :wink:

Edit: By the way, see viewtopic.php?t=35719#209573

Posted: Fri Jan 05, 2007 10:50 am
by feyd
Just check the type then cast it or default it depending on results. For example: is_scalar(), then cast.
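
An added example, not code posted by anyone in this thread, that implements feyd's "check the type, then cast or default" against the same query strings matthijs walked through above (?id=7, ?id=7hackme, ?id[]=7) plus a few more. It assumes PHP 7.0+; int_param(), index_from_query() and naive_index() are constructed names, and parse_str() is used to build the array PHP would otherwise place in $_GET so the script runs without a web server.

```php
<?php
// Added example, not from the thread. Type-check first (is_scalar), then let
// FILTER_VALIDATE_INT decide whether the value really is an integer, and fall
// back to a default otherwise. Function names are constructed for illustration.

// $params[$key] as an int, or $default when it is missing, not a scalar
// (?id[]=7), not a whole decimal integer (?id=7hackme, ?id=0x10, ?id=007),
// or below $min.
function int_param(array $params, string $key, int $default, int $min = 1): int
{
    if (!isset($params[$key]) || !is_scalar($params[$key])) {
        return $default;
    }
    // Unlike (int), which turns "7hackme" into 7 and a non-empty array into 1,
    // FILTER_VALIDATE_INT returns false for anything that is not an integer.
    $value = filter_var($params[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min]]);
    return $value === false ? $default : $value;
}

// 1-based id from the query string to a 0-based index, defaulting to id 1.
function index_from_query(string $query): int
{
    parse_str($query, $get);             // constructed stand-in for $_GET
    return int_param($get, 'id', 1) - 1;
}

// The thread's last variant, for comparison: explicit cast, no type check.
function naive_index(string $query): int
{
    parse_str($query, $get);
    return isset($get['id']) ? (int) $get['id'] - 1 : 0;
}

$cases = ['id=7', 'id=7hackme', 'id[]=7', 'id=', 'id=0', 'id=-3', 'id=0x10', 'id=007', ''];
foreach ($cases as $q) {
    printf("?%-10s  cast only: %3d   checked: %3d\n",
        $q, naive_index($q), index_from_query($q));
}
```

The cast-only column shows why the type check and the range matter: "7hackme" and "007" silently become 6, an empty id or 0 becomes -1, and -3 becomes -4, all of which would then be used as an array index or in a query. The checked column yields 6 for ?id=7 and the default index 0 for everything else, including the array case that produced the fatal error in matthijs's example.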