Working Method?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


mikelbring
Forum Commoner
Posts: 38
Joined: Sat Jan 05, 2008 5:28 pm

Working Method?

Post by mikelbring »

I have a security class in which I have this function.

Code:

public function lockcode(){

    function condom($value){

        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }

        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }

        return $value;
    }

    array_walk_recursive($_GET, 'condom');
    array_walk_recursive($_POST, 'condom');
    array_walk_recursive($_COOKIE, 'condom');
    array_walk_recursive($_REQUEST, 'condom');
}
I run the function in my globals. Is this a good method/working method?
omniuni
Forum Regular
Posts: 738
Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA

Re: Working Method?

Post by omniuni »

I will say with what I remember from Java, public functions and security don't usually go together. At all.
mikelbring
Forum Commoner
Posts: 38
Joined: Sat Jan 05, 2008 5:28 pm

Re: Working Method?

Post by mikelbring »

Well, I want to protect all the requests rather than having to do it on every page manually.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Working Method?

Post by Mordred »

mikelbring
Forum Commoner
Posts: 38
Joined: Sat Jan 05, 2008 5:28 pm

Re: Working Method?

Post by mikelbring »

I use the same function that is on that site, but I am asking about the way I do it, such as the array function and running the function.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Working Method?

Post by Mordred »

It is wrong, the post I linked to explains one reason why.
Another is that you should escape only input to mysql in that manner.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Working Method?

Post by Eran »

Mordred, I have difficulty understanding the problem of using is_numeric() for validating numeric values. Could you elaborate?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Working Method?

Post by Mordred »

Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Working Method?

Post by Eran »

This just breaks the query, no option for SQL injection. Am I right?
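A contrast of the two approaches discussed above (Mordred's point that escaping belongs only at the MySQL boundary, and the is_numeric() pass-through that Eran asks about), added here as an example and not code from any poster. It assumes PDO with the sqlite driver is available, and uses addslashes() in place of mysql_real_escape_string(), which needs a live MySQL connection.

```php
<?php
// Added example, not code from the thread. It contrasts the "skip is_numeric()
// values, escape the rest, for every superglobal" idea with validating and
// binding at the query. Assumes PDO with the sqlite driver; addslashes() stands
// in for mysql_real_escape_string(), which needs a live MySQL connection.

// The thread's rule, applied to one value.
function threadStyleClean(string $value): string
{
    if (is_numeric($value)) {
        return $value;            // passed through exactly as received
    }
    return addslashes($value);    // stand-in for mysql_real_escape_string()
}

// Constructed inputs. is_numeric() accepts some of these (which ones varies by
// PHP version: leading whitespace always, trailing whitespace from PHP 8,
// exponents, hex in PHP 5), so they reach the query untouched even though an
// id column wants a plain integer.
foreach ([' 42', '4.2e1', '0x2A', '42 ', '42abc', "O'Brien"] as $s) {
    printf("%-10s is_numeric=%-5s cleaned=%s\n", var_export($s, true),
        var_export(is_numeric($s), true), var_export(threadStyleClean($s), true));
}

// The alternative: validate for the column the value feeds, then bind it.
function findUser(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;              // not an integer id: reject, do not "clean"
    }
    // Bound parameters never become part of the SQL text, so nothing here
    // depends on escaping, magic quotes, or which superglobal the value came from.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (42, 'alice')");

var_dump(findUser($db, '42'));     // the row for user 42
var_dump(findUser($db, '4.2e1'));  // rejected, although is_numeric() accepts it
```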
mikelbring
Forum Commoner
Posts: 38
Joined: Sat Jan 05, 2008 5:28 pm

Re: Working Method?

Post by mikelbring »

I am doing a different method this time, sorta.

Code:

<?
public function cleanInput(array $input) {

    if (ini_get('magic_quotes_gpc')) {
        $trustedInput = array_walk_recursive($input, 'stripslashes');
    }

    // Escape using mysql_real_escape_string()
    $trustedInput = array_walk_recursive($input, 'mysql_real_escape_string');

    return $trustedInput;
}
?>
My global file:

Code:

<?
$secure->cleanInput($_GET);
$secure->cleanInput($_POST);
$secure->cleanInput($_REQUEST);
$secure->cleanInput($_COOKIE);
?>
mikelbring
Forum Commoner
Posts: 38
Joined: Sat Jan 05, 2008 5:28 pm

Re: Working Method?

Post by mikelbring »

After running what I said, I get 2 errors:


Warning: Wrong parameter count for stripslashes() in /home2/panek/public_html/application/classes/secure.class.php on line 41

Warning: mysql_real_escape_string() expects parameter 2 to be resource, string given in /home2/panek/public_html/application/classes/secure.class.php on line 46
mikelbring
Forum Commoner
Posts: 38
Joined: Sat Jan 05, 2008 5:28 pm

Re: Working Method?

Post by mikelbring »

Not trying to double/triple post but I keep getting a little farther. I decided to do this and it seems to be working. I just want to make sure I have some protection.

This is in my secure.class:

Code:

public function clean(&$value){

    if (ini_get('magic_quotes_gpc')) $value = stripslashes($value);

    $value = mysql_real_escape_string($value);
}
 
This is in my global.php which is basically on all pages.

Code:

array_walk_recursive($_GET, array($secure, 'clean'));
array_walk_recursive($_POST, array($secure, 'clean'));
array_walk_recursive($_COOKIE, array($secure, 'clean'));
Any input is appreciated.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Working Method?

Post by Mordred »

N.O.
Everything I said before still applies.