Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
mikelbring
Forum Commoner
Posts: 38 Joined: Sat Jan 05, 2008 5:28 pm
by mikelbring » Sat Nov 29, 2008 9:21 pm
I have a security class in which I have this function.
Code:
public function lockcode(){
    // Guarded so a second call does not fatally redeclare the nested function.
    if (!function_exists('condom')) {
        // Takes $value by reference: array_walk_recursive() hands each element
        // to the callback, and without the & the escaped value never reaches
        // the superglobal.
        function condom(&$value){
            if (get_magic_quotes_gpc()) {
                $value = stripslashes($value);
            }
            if (!is_numeric($value)) {
                $value = mysql_real_escape_string($value);
            }
            return $value;
        }
    }
    array_walk_recursive($_GET, 'condom');
    array_walk_recursive($_POST, 'condom');
    array_walk_recursive($_COOKIE, 'condom');
    array_walk_recursive($_REQUEST, 'condom');
}
I run the function in my globals. Is this a good method/working method?
omniuni
Forum Regular
Posts: 738 Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA
by omniuni » Sun Nov 30, 2008 2:53 pm
I will say, from what I remember of Java, that public functions and security don't usually go together. At all.
by mikelbring » Sun Nov 30, 2008 7:41 pm
Well, I want to protect all the requests rather than having to do it on every page manually.
Mordred
DevNet Resident
Posts: 1579 Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria
by Mordred » Mon Dec 01, 2008 2:54 am
by mikelbring » Mon Dec 01, 2008 5:48 pm
I use the same function that is on that site, but I am asking about the way I do it, such as the array function and running the function.
by Mordred » Tue Dec 02, 2008 5:08 am
It is wrong, the post I linked to explains one reason why.
Another is that you should escape only input to mysql in that manner.
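The point Mordred makes here, and which applies equally to the rewritten clean() further down the thread, is that escaping is a property of the sink, not of the input. The following is an added example, not code from the thread: the same request value is sent to two sinks, a SQL INSERT and an HTML page, and each gets its own encoding at the point of use. It assumes the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL) and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs an open MySQL link and no longer exists in PHP 7+. The input string is constructed.

```php
<?php
// Added example, not code from the thread: one value, two sinks, two encodings,
// each applied at the sink. Assumes pdo_sqlite; addslashes() stands in for
// mysql_real_escape_string().

// Constructed input: what $_POST['name'] might hold. The quote matters to
// SQL, the tag matters to HTML.
$raw = "O'Brien <b>x</b>";

function open_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    return $db;
}

// SQL sink: a bound parameter keeps the data out of the statement text, so the
// value is stored verbatim and nothing in it can terminate the literal.
function store_user(PDO $db, $name) {
    $st = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $st->execute(array(':name' => $name));
    return (int) $db->lastInsertId();
}

function load_user(PDO $db, $id) {
    $st = $db->prepare('SELECT name FROM users WHERE id = :id');
    $st->execute(array(':id' => $id));
    return $st->fetchColumn();
}

// HTML sink: encode for this context only, at the moment the value is written out.
function render_user(PDO $db, $id) {
    $name = load_user($db, $id);
    return '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
}

// 1. The thread's approach: escape every request value once, up front.
$db = open_db();
$blanket = addslashes($raw);
$id = store_user($db, $blanket);
$stored = load_user($db, $id);
// The backslash is now part of the data (double escaping) ...
if ($stored !== "O\\'Brien <b>x</b>") {
    throw new RuntimeException('expected the backslash to be stored');
}
// ... and the HTML sink got no protection from it at all.
if (strpos($blanket, '<b>') === false) {
    throw new RuntimeException('tag should be untouched by addslashes');
}

// 2. Escape at each sink instead.
$db = open_db();
$id = store_user($db, $raw);
if (load_user($db, $id) !== $raw) {
    throw new RuntimeException('expected verbatim storage');
}
$html = render_user($db, $id);
if ($html !== '<li>O&#039;Brien &lt;b&gt;x&lt;/b&gt;</li>') {
    throw new RuntimeException('unexpected HTML encoding');
}
echo $html, "\n";
```

In the mysql_* world of this thread the equivalent is to call mysql_real_escape_string($value, $link) inside the function that builds the query, immediately before the value is concatenated into it, and htmlspecialchars() where the value is echoed, rather than rewriting $_GET, $_POST and $_COOKIE in global.php for every sink at once.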
Eran
DevNet Master
Posts: 3549 Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME
by Eran » Tue Dec 02, 2008 5:24 am
Mordred, I have difficulty understanding the problem of using is_numeric() for validating numeric values. Could you elaborate?
by Mordred » Tue Dec 02, 2008 7:04 am
by Eran » Tue Dec 02, 2008 7:24 am
This just breaks the query, no option for SQL injection. Am I right?
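Eran's question is about what is_numeric() actually accepts, since in lockcode() any value that passes it skips the escaping branch entirely. The following is an added example, not from the thread, that runs a set of constructed inputs through is_numeric() next to a strict whitelist check for the most common case, an integer id. The function name valid_id() and the inputs are this example's own.

```php
<?php
// Added example, not code from the thread: inputs that pass is_numeric() and
// would therefore bypass the escaping branch in lockcode(), compared with a
// strict integer-id whitelist. All inputs are constructed.

$inputs = array(
    '42',
    ' 42',       // leading whitespace is accepted by is_numeric()
    '4.2',
    '1e3',       // exponent notation, numerically 1000
    '.5',
    '0x1A',      // hex: numeric on PHP 5 (the thread's era), rejected since PHP 7
    "42'",
    '42 OR 1=1',
);

// Whitelist for an integer id: decimal digits only, no leading zero, bounded
// length, no whitespace, no alternative notations. Returns int or false.
function valid_id($raw) {
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return false;
    }
    return (int) $raw;
}

// Returns input => array(is_numeric result, valid_id result) and prints the
// table so the gap between the two checks is visible.
function compare_checks(array $inputs) {
    $out = array();
    foreach ($inputs as $in) {
        $out[$in] = array(is_numeric($in), valid_id($in));
        printf("%-14s is_numeric=%-5s valid_id=%s\n",
            var_export($in, true),
            is_numeric($in) ? 'true' : 'false',
            var_export(valid_id($in), true));
    }
    return $out;
}

$result = compare_checks($inputs);

// Everything valid_id() accepts is also numeric; the reverse does not hold.
foreach ($result as $in => $r) {
    if ($r[1] !== false && !$r[0]) {
        throw new RuntimeException("valid_id accepted a non-numeric input: $in");
    }
}
if ($result['42 OR 1=1'][0]) {
    throw new RuntimeException('is_numeric should reject this');
}
if ($result[' 42'][0] !== true || $result[' 42'][1] !== false) {
    throw new RuntimeException('whitespace case');
}
if ($result['1e3'][0] !== true || $result['1e3'][1] !== false) {
    throw new RuntimeException('exponent case');
}
```

Whatever is_numeric() lets through goes into the query string untouched in the thread's code, so the shape of that set is what matters. Validating an id against the exact form the query expects (or binding it as an integer parameter) removes the question instead of reasoning about which accepted forms happen to be harmless.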
by mikelbring » Tue Dec 02, 2008 9:30 pm
I am doing a different method this time, sorta.
Code:
<?php
public function cleanInput(array $input) {
    if ((ini_get('magic_quotes_gpc'))) {
        // array_walk_recursive() calls the callback as stripslashes($value, $key)
        // and returns a bool, so $trustedInput is never an array here.
        $trustedInput = array_walk_recursive($input, 'stripslashes');
    }
    // Escape using mysql_real_escape_string(); same problem: it receives the
    // array key as its second (link) argument.
    $trustedInput = array_walk_recursive($input,'mysql_real_escape_string');
    return $trustedInput;
}
?>
My global file:
Code:
<?php
// $input is passed by value and the return values are discarded, so the
// superglobals themselves are left unchanged by these calls.
$secure->cleanInput($_GET);
$secure->cleanInput($_POST);
$secure->cleanInput($_REQUEST);
$secure->cleanInput($_COOKIE);
?>
by mikelbring » Tue Dec 02, 2008 10:32 pm
After running what I said, I get 2 errors:
Warning: Wrong parameter count for stripslashes() in /home2/panek/public_html/application/classes/secure.class.php on line 41
Warning: mysql_real_escape_string() expects parameter 2 to be resource, string given in /home2/panek/public_html/application/classes/secure.class.php on line 46
by mikelbring » Tue Dec 02, 2008 11:23 pm
Not trying to double/triple post but I keep getting a little farther. I decided to do this and it seems to be working. I just want to make sure I have some protection.
This is in my secure.class.php:
Code:
public function clean(&$value){
    // Undo magic_quotes first so nothing is escaped twice.
    if (ini_get('magic_quotes_gpc')) $value = stripslashes($value);
    // Uses the most recently opened mysql_connect() link; with no link open
    // this emits a warning and returns false.
    $value = mysql_real_escape_string($value);
}
This is in my global.php, which is included on basically all pages:
Code:
// clean() takes $value by reference, so these do rewrite the superglobals in place.
array_walk_recursive($_GET, array($secure,'clean'));
array_walk_recursive($_POST, array($secure,'clean'));
array_walk_recursive($_COOKIE, array($secure,'clean'));
Any input is appreciated.
by Mordred » Wed Dec 03, 2008 5:00 am
N.O.
Everything I said before still applies.