Working Method?
Posted: Sat Nov 29, 2008 9:21 pm
by mikelbring
I have a security class in which I have this function.
Code:
public function lockcode(){
    // Nested helper; it is declared the first time lockcode() runs
    function condom($value){
        // Undo magic_quotes so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Numbers are left alone, everything else is MySQL-escaped
        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }
        // $value was received by value, so this result is dropped by
        // array_walk_recursive() and the superglobals stay unchanged
        return $value;
    }
    array_walk_recursive($_GET, 'condom');
    array_walk_recursive($_POST, 'condom');
    array_walk_recursive($_COOKIE, 'condom');
    array_walk_recursive($_REQUEST, 'condom');
}
I run the function in my globals. Is this a good method/working method?
Re: Working Method?
Posted: Sun Nov 30, 2008 2:53 pm
by omniuni
I will say, with what I remember from Java, public functions and security don't usually go together. At all.
Re: Working Method?
Posted: Sun Nov 30, 2008 7:41 pm
by mikelbring
Well, I want to protect all the requests rather than having to do it on every page manually.
Re: Working Method?
Posted: Mon Dec 01, 2008 2:54 am
by Mordred
Re: Working Method?
Posted: Mon Dec 01, 2008 5:48 pm
by mikelbring
I use the same function that is on that site, but I am asking about the way I do it, such as the array function and running the function.
Re: Working Method?
Posted: Tue Dec 02, 2008 5:08 am
by Mordred
It is wrong, the post I linked to explains one reason why.
Another is that you should escape only input to mysql in that manner.
Re: Working Method?
Posted: Tue Dec 02, 2008 5:24 am
by Eran
Mordred, I have difficulty understanding the problem of using is_numeric() for validating numeric values. Could you elaborate?
Re: Working Method?
Posted: Tue Dec 02, 2008 7:04 am
by Mordred
Re: Working Method?
Posted: Tue Dec 02, 2008 7:24 am
by Eran
This just breaks the query, no option for SQL injection. Am I right?
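An added example (my own code, not anything posted in this thread) that puts the two points above side by side: is_numeric() is not an integer check, and escaping belongs at the database boundary rather than in a global walk over $_GET/$_POST. It assumes a PHP build with pdo_sqlite and uses an in-memory SQLite database; the users table and every sample input are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Shows (1) what is_numeric()
// accepts compared with FILTER_VALIDATE_INT and (2) lookups that bind the
// raw request value as a PDO parameter instead of escaping superglobals.
// Assumes pdo_sqlite; the table, rows and inputs are constructed.

// Constructed inputs. is_numeric() accepts the first four; FILTER_VALIDATE_INT
// accepts only the first two (surrounding whitespace is tolerated, exponents
// and decimals are not). Neither check accepts the trailing quote.
function compareNumericChecks(array $samples): array {
    $out = [];
    foreach ($samples as $s) {
        $out[$s] = [
            'is_numeric' => is_numeric($s),
            'valid_int'  => filter_var($s, FILTER_VALIDATE_INT),
        ];
    }
    return $out;
}

// Look up a user by id: validate first, then bind the value as an integer.
function fetchUserById(PDO $db, string $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                      // not an integer: refuse, do not "escape"
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Look up a user by name: the raw string is bound, never concatenated, so a
// quote inside it is data and cannot break or alter the query.
function fetchUserByName(PDO $db, string $rawName): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $rawName, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database for the demo.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'O''Brien')");
    return $db;
}

$db = makeDb();
print_r(compareNumericChecks(['42', ' 42', '4.2', '1e3', "42'"]));
print_r(fetchUserById($db, '2'));
var_dump(fetchUserById($db, '1e3'));      // passes is_numeric(), rejected here
var_dump(fetchUserById($db, "42'"));      // would have broken a concatenated query
print_r(fetchUserByName($db, "O'Brien")); // the quote is bound, not interpreted
```

The validation step rejects input instead of "cleaning" it, and the bound parameter means nothing in the request arrays has to be rewritten; the same raw value can still be shown in HTML or written to a log without carrying MySQL escaping.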
Re: Working Method?
Posted: Tue Dec 02, 2008 9:30 pm
by mikelbring
I am doing a different method this time, sorta.
Code:
<?php
public function cleanInput(array $input) {
    if (ini_get('magic_quotes_gpc')) {
        // array_walk_recursive() returns a bool, not the walked array, and
        // passes (value, key) to stripslashes(), which takes one argument
        $trustedInput = array_walk_recursive($input, 'stripslashes');
    }
    // Escape using mysql_real_escape_string(); same shape: the key arrives as
    // the second (link) argument and the bool result is what gets returned
    $trustedInput = array_walk_recursive($input, 'mysql_real_escape_string');
    return $trustedInput;
}
?>
My global file:
Code:
<?php
$secure->cleanInput($_GET);
$secure->cleanInput($_POST);
$secure->cleanInput($_REQUEST);
$secure->cleanInput($_COOKIE);
?>
Re: Working Method?
Posted: Tue Dec 02, 2008 10:32 pm
by mikelbring
After running what I said, I get 2 errors:
Warning: Wrong parameter count for stripslashes() in /home2/panek/public_html/application/classes/secure.class.php on line 41
Warning: mysql_real_escape_string() expects parameter 2 to be resource, string given in /home2/panek/public_html/application/classes/secure.class.php on line 46
Re: Working Method?
Posted: Tue Dec 02, 2008 11:23 pm
by mikelbring
Not trying to double/triple post, but I keep getting a little farther. I decided to do this and it seems to be working. I just want to make sure I have some protection.
This is in my secure.class:
Code:
public function clean(&$value){
    // By reference, so array_walk_recursive() now rewrites the array in place
    if (ini_get('magic_quotes_gpc')) $value = stripslashes($value);
    // Uses whichever mysql link was opened most recently
    $value = mysql_real_escape_string($value);
}
This is in my global.php, which is basically on all pages.
Code:
array_walk_recursive($_GET, array($secure,'clean'));
array_walk_recursive($_POST, array($secure,'clean'));
array_walk_recursive($_COOKIE, array($secure,'clean'));
Any input is appreciated.
Re: Working Method?
Posted: Wed Dec 03, 2008 5:00 am
by Mordred
N.O.
Everything I said before still applies.
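An added example (mine, not from any post in this thread) that runs the first and the last version of the clean function from the thread over the same constructed request data and then feeds the result to two different sinks. addslashes() stands in for mysql_real_escape_string() because the mysql extension was removed in PHP 7; both rewrite ' as \', which is all the demonstration relies on. The request array is constructed.

```php
<?php
// Added example, not code from the thread. It contrasts the thread's
// "escape all superglobals in global.php" approach with keeping the raw
// input and encoding at each sink. addslashes() stands in for
// mysql_real_escape_string() (gone since PHP 7); both rewrite ' as \'.

// Constructed request data standing in for $_POST.
$request = ['name' => "O'Brien", 'tags' => ['rock', "it's"]];

// First version in the thread: the callback receives $value by value, so
// array_walk_recursive() never writes anything back into the array.
function cleanByValue($value) {
    $value = addslashes($value);
    return $value;                 // array_walk_recursive() discards this
}

// Last version in the thread: by reference, so the array is rewritten in
// place for every later consumer, whatever context that consumer targets.
function cleanByRef(&$value) {
    $value = addslashes($value);
}

function walkedByValue(array $data): array {
    array_walk_recursive($data, 'cleanByValue');
    return $data;                  // identical to the input
}

function walkedByRef(array $data): array {
    array_walk_recursive($data, 'cleanByRef');
    return $data;                  // every string, nested ones too, now carries backslashes
}

// HTML sink. Fed pre-escaped data, the backslash ends up on the page.
function renderName(array $data): string {
    return htmlspecialchars($data['name'], ENT_QUOTES, 'UTF-8');
}

// SQL sink that does its own escaping (any DB layer that quotes values).
// Fed pre-escaped data, the value is escaped a second time and the stored
// name gains a literal backslash.
function sqlLiteral(string $value): string {
    return "'" . addslashes($value) . "'";
}

$byValue = walkedByValue($request);
$byRef   = walkedByRef($request);

var_dump($byValue === $request);        // the first version was a no-op
var_dump($byRef['tags'][1]);            // the last version rewrote nested values too
var_dump(renderName($byRef));           // backslash shown to the user
var_dump(sqlLiteral($byRef['name']));   // double escaped
var_dump(renderName($request));         // raw input, encoded for HTML at the sink only
var_dump(sqlLiteral($request['name'])); // raw input, escaped for SQL at the sink only
```

The contrast is the point: the by-value walk protects nothing, and the by-reference walk protects MySQL at the cost of every other consumer of the request data, which is why escaping is done where the query is built (or, better, avoided with bound parameters) and not once in global.php.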