When to cleanse input?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

When to cleanse input?

Post by Sequalit »

Where would be the best place to cleanse (de-CSS/XSS) data that gets inputted into the website?

Right when you get the data in your code, such as a login script, at the top of the code before you actually process the login, or while you are processing the login?

Examples

login.php


$_SESSION['username'] = $this->cleanse($_POST['username']);
$_SESSION['password'] = $this->cleanse($_POST['password']);

processLogin($_SESSION['username'], $_SESSION['password']); // login function does not have to worry about corrupt data, can pull directly from session
// and all other classes can pull from session without worry
or have it so all classes have to deal with cleansing the data themselves before they use it?

wait I already know the answer... cleanse it first so you don't have to worry about it during the rest of the code ^.^
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: When to cleanse input?

Post by Mordred »

In the last possible moment (i.e. inside the function).
What you call "cleansing" is not a single thing you do on the input. Every function you call with user-supplied data may require its own "cleansing" mechanism. That's why you don't do it in the beginning of the script - at that point you don't know what you'll use the data for. Btw, it's actually two things called escaping and validation (I feel you're combining both in your "cleansing" term, and they are different things), the first prevents syntactic attacks and the second prevents business logic attacks.
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Re: When to cleanse input?

Post by Sequalit »

What is a business logic attack?

Ok thanks for info.

Was wondering, it would be a lot easier to design a global function for escaping and one for validation, and if I have to change something, change it there, instead of having to change it in every little module of my web application.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: When to cleanse input?

Post by matthijs »

Sequalit wrote: Was wondering, it would be a lot easier to design a global function for escaping and one for validation, and if I have to change something, change it there, instead of having to change it in every little module of my web application.

But that's the thing: there cannot be a single global function for escaping and one for validation. That's impossible. Why? How data should be validated or escaped depends on the context.

In one layer of your system, you validate a piece of data with function X; in another layer of your system you validate that same piece of data with function Y. To give a concrete example: when you put data in a MySQL db, you escape it with mysql_real_escape_string(). If you output that same piece of data to HTML, you escape it with htmlentities(). (Roughly; there are more ways.)

If you think about it, it's quite logical. Say you have a piece of text with some HTML code. That little snippet of HTML doesn't do any harm when it's placed in your db. However, when it's output on your webpage, that same piece of HTML can be harmful.
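The two points made above (Mordred's: validation and escaping are different things, done at the last possible moment; matthijs's: the escaping function depends on the sink, so one global "cleanse" cannot exist) put into code, as an added example that is not part of the thread. It is PHP with an in-memory SQLite database through PDO (assumed available), and the `$post` array is constructed sample input standing in for `$_POST`. `validateUsername`, `renderGreeting`, `storeUser` and `fetchBio` are hypothetical names chosen for this example.

```php
<?php
// Added example, not from the thread: one user-supplied value is validated
// once at the boundary and then escaped separately for every sink it reaches.
declare(strict_types=1);

// Validation: enforces the business rule (what a username may look like).
// It returns the value unchanged on success and throws otherwise; nothing is
// "cleaned" into a different string, bad input is simply rejected.
function validateUsername(string $raw): string
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw)) {
        throw new InvalidArgumentException('username must be 3-32 chars of [A-Za-z0-9_]');
    }
    return $raw;
}

// Escaping for the HTML sink: done at output time, never earlier.
function renderGreeting(string $username): string
{
    return '<p>Hello, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Escaping for the SQL sink: left to the driver via a prepared statement,
// so the application never hand-escapes for SQL at all.
function storeUser(PDO $db, string $username, string $bio): void
{
    $stmt = $db->prepare('INSERT INTO users (username, bio) VALUES (:u, :b)');
    $stmt->execute([':u' => $username, ':b' => $bio]);
}

function fetchBio(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT bio FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['bio'];
}

// Constructed sample input standing in for $_POST.
$post = [
    'username' => 'alice_42',
    'bio'      => "O'Brien <script>alert(1)</script>",
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, bio TEXT)');

$username = validateUsername($post['username']);

// The bio is free text with no format rule, so it is stored verbatim:
// the quote and the tag are harmless inside the database.
storeUser($db, $username, $post['bio']);
$bio = fetchBio($db, $username);
echo $bio, PHP_EOL;

// The same bytes are harmful in an HTML page, so they are escaped for HTML
// at the point of output.
echo renderGreeting($username), PHP_EOL;
echo '<p>' . htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>', PHP_EOL;

// A JSON sink needs yet another encoding; htmlspecialchars() would be wrong here.
echo json_encode(['username' => $username, 'bio' => $bio], JSON_HEX_TAG | JSON_HEX_APOS), PHP_EOL;

// Validation catches input that escaping alone would pass through unchanged.
try {
    validateUsername("bob' OR 1=1 --");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. Note that the stored bio comes back byte-for-byte identical; only the HTML and JSON outputs differ, because escaping is a property of the sink, not of the data.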
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Re: When to cleanse input?

Post by Sequalit »

Aite.

Is there a resource on the web that explains each situation you should use those commands for escaping/validation?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: When to cleanse input?

Post by matthijs »

A good start is http://phpsecurity.org/ and the authors' site
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Re: When to cleanse input?

Post by Sequalit »

Okay, thank you for those links, will get reading up on 'em :)

Thank you for your time and help!