one function for all security threats?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


benyboi
Forum Commoner
Posts: 80
Joined: Sat Feb 24, 2007 5:37 am

one function for all security threats?

Post by benyboi »

Is there a function which I can pass a variable through which will remove security threats etc? If not, can someone point me in the right direction for this.

Thanks
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

yea it's awesome_magical_super_wonder_function() :lol:

Here's a good place to start: viewtopic.php?t=29269
benyboi
Forum Commoner
Posts: 80
Joined: Sat Feb 24, 2007 5:37 am

Post by benyboi »

haha :lol: thanks
benyboi
Forum Commoner
Posts: 80
Joined: Sat Feb 24, 2007 5:37 am

Post by benyboi »

Anyone got any pieces of code which I can try and inject into my site?

thanks
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

benyboi wrote:
> Anyone got any pieces of code which I can try and inject into my site?
>
> thanks
You will be hard pushed to find anything of that sort from here. :)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

The Ninja Space Goat wrote:
> yea it's awesome_magical_super_wonder_function() :lol:

That has been deprecated ... use:

    awesome_magical_real_super_wonder_function([mixed $pixiedust])

Seriously, what security measures to take depends on where the data is coming from and where it is going to.
(#10850)
benyboi
Forum Commoner
Posts: 80
Joined: Sat Feb 24, 2007 5:37 am

Post by benyboi »

checking a variable which defines what page is to be loaded.
e.g: index.php?page=blah

where the 'blah' bit needs to be checked.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Now we know where the data is from. What are you going to do with $_GET['blah']?
(#10850)
benyboi
Forum Commoner
Posts: 80
Joined: Sat Feb 24, 2007 5:37 am

Post by benyboi »

That's what I was hoping you could help me with!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Let me rephrase what arborint asked: Where are you going to put the data now that you have it in $_GET['blah']?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

No ... I mean how do you want to use the value. For example, there are cases where you don't need to do anything, like:

    if ($_GET['blah'] == '1') { /* ... */ }

But if you want to echo the value then:

    echo htmlentities($_GET['blah']);

Or to save in a MySQL database:

    $sql = "UPDATE mytable SET blah='" . mysql_real_escape_string($_GET['blah']) . "' WHERE id=$id";
(#10850)
benyboi
Forum Commoner
Posts: 80
Joined: Sat Feb 24, 2007 5:37 am

Post by benyboi »

Ahh, I get you...

That made me think though, I will use a case statement and have all the page names in there, and if the user puts in something bad the value won't do anything harmful!

Hope that works.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

in_array() and array_search() may be of interest.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

> Anyone got any pieces of code which I can try and inject into my site?

http://ha.ckers.org/xss.html (site's down at the moment, check tomorrow)

However, you'll be hard-pressed to get them to work unless you understand the underlying issues.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

benyboi wrote:
> That made me think though, I will use a case statement and have all the page names in there, and if the user puts in something bad the value won't do anything harmful!

Short answer -- No. Short suggestion -- Stop. ;)

Your security features need to be a structural part of the various parts of your code: request, response, database, etc. Some super-function with a big case statement in it is like a big neon sign flashing: wrong, wrong, wrong.
(#10850)
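An added example (not code from any poster in this thread) of the layered handling Christopher describes for index.php?page=...: a whitelist at the request layer using the in_array() feyd mentions, escaping at the response layer, and bound parameters at the database layer. The page list, table name and use of PDO are assumptions.

```php
<?php
// Added example, not code from any poster in this thread.
// The page name from the URL is handled separately at each layer:
// request (whitelist), response (HTML escaping), database (bound parameters).
// PAGES, the page_views table and the PDO connection are assumptions.

declare(strict_types=1);

// Request layer: only the keys of this whitelist are accepted. The
// user-supplied string never becomes a path itself; it only selects an
// entry we control (the in_array() check feyd suggested).
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(array $get, string $default = 'home'): string
{
    $key = $get['page'] ?? $default;
    // Strict comparison so that arrays, null or "0" cannot match a page name.
    if (!is_string($key) || !in_array($key, array_keys(PAGES), true)) {
        $key = $default;
    }
    return PAGES[$key];
}

// Response layer: escape at the point of output, for the HTML context.
function renderPageName(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Database layer: bind the value instead of splicing it into the SQL string.
// mysql_real_escape_string() in the thread did this job for the old mysql
// extension; bound parameters are the modern equivalent.
function logPageView(PDO $db, string $raw): void
{
    $stmt = $db->prepare('INSERT INTO page_views (page) VALUES (:page)');
    $stmt->execute([':page' => $raw]);
}

// Constructed request: an unknown page name falls back to the default file,
// and the raw value is only ever echoed in escaped form.
$request = ['page' => 'not a page <b>'];
$file = resolvePage($request);                           // pages/home.php
echo '<p>Showing ' . renderPageName($request['page']) . "</p>\n";
// logPageView($pdo, $request['page']); // needs a live PDO connection
```

The whitelist lookup is what makes the "case statement" idea safe for choosing the page file; the escaping and binding still have to happen at each output context rather than in one catch-all function.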