
Working Method?

Posted: Sat Nov 29, 2008 9:21 pm
by mikelbring
I have a security class in which I have this function.

Code:

public function lockcode(){

    // Inner helper: strips magic-quotes slashes, then escapes
    // non-numeric values for MySQL.
    function condom($value){

        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }

        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }

        return $value;
    }

    array_walk_recursive($_GET, 'condom');
    array_walk_recursive($_POST, 'condom');
    array_walk_recursive($_COOKIE, 'condom');
    array_walk_recursive($_REQUEST, 'condom');

}
I run the function in my globals. Is this a good method/working method?

Re: Working Method?

Posted: Sun Nov 30, 2008 2:53 pm
by omniuni
I will say with what I remember from Java, public functions and security don't usually go together. At all.

Re: Working Method?

Posted: Sun Nov 30, 2008 7:41 pm
by mikelbring
Well, I want to protect all the requests rather than having to do it on every page manually.

Re: Working Method?

Posted: Mon Dec 01, 2008 2:54 am
by Mordred

Re: Working Method?

Posted: Mon Dec 01, 2008 5:48 pm
by mikelbring
I use the same function that is on that site, but I am asking about the way I do it, such as the array function and running the function.

Re: Working Method?

Posted: Tue Dec 02, 2008 5:08 am
by Mordred
It is wrong, the post I linked to explains one reason why.
Another is that you should escape only input to mysql in that manner.

Re: Working Method?

Posted: Tue Dec 02, 2008 5:24 am
by Eran
Mordred, I have difficulty understanding the problem of using is_numeric() for validating numeric values. Could you elaborate?

Re: Working Method?

Posted: Tue Dec 02, 2008 7:04 am
by Mordred

Re: Working Method?

Posted: Tue Dec 02, 2008 7:24 am
by Eran
This just breaks the query, no option for SQL injection. Am I right?
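The two points raised in this exchange (Mordred's "escape only input to mysql in that manner" and the question of what is_numeric() actually accepts) can be shown in a few lines. The following is an added example written for this thread, not code posted by anyone in it; it assumes a PHP build with the pdo_sqlite extension so it can run offline against an in-memory database, and the function names, sample values and table are constructed for illustration.

```php
<?php
// Added example, not code from the thread. It shows the two points raised
// above: is_numeric() is not an integer check, and escaping belongs at the
// SQL boundary (here PDO with an in-memory SQLite database, so it runs
// offline) rather than being applied globally to $_GET/$_POST/$_COOKIE.
declare(strict_types=1);

// 1. Constructed samples. is_numeric() accepts floats, exponent notation and
//    leading whitespace (and, on PHP 5, hex such as "0x1A"); ctype_digit()
//    accepts only strings made of the digits 0-9.
function compareNumericChecks(array $samples): array {
    $out = [];
    foreach ($samples as $s) {
        $out[] = ['input' => $s, 'is_numeric' => is_numeric($s), 'ctype_digit' => ctype_digit($s)];
    }
    return $out;
}

// 2. A strict integer-id validator: FILTER_VALIDATE_INT rejects floats,
//    exponent notation and hex, trims surrounding whitespace, and the range
//    option enforces a positive id. Invalid input fails closed.
function requireIntId($raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// 3. Parameterize (or escape) only when the value actually reaches SQL.
function findUserById(PDO $pdo, $rawId): ?array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', requireIntId($rawId), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$ins->execute([':name' => "O'Brien"]);   // the quote is stored verbatim

foreach (compareNumericChecks(['42', '3.14', '1e3', ' 8', '0x1A', 'abc']) as $r) {
    printf("%-8s is_numeric=%-5s ctype_digit=%s\n", var_export($r['input'], true),
        var_export($r['is_numeric'], true), var_export($r['ctype_digit'], true));
}

// Constructed request values standing in for $_GET['id'].
foreach (['1', '1e3', ' 8'] as $rawId) {
    try {
        $row = findUserById($pdo, $rawId);
        printf("id=%s -> %s\n", var_export($rawId, true), json_encode($row));
    } catch (InvalidArgumentException $e) {
        printf("id=%s -> rejected: %s\n", var_export($rawId, true), $e->getMessage());
    }
}

// 4. Why a blanket escape is wrong for non-SQL uses: the same value rendered
//    into HTML needs htmlspecialchars(), not SQL escaping. addslashes() stands
//    in here for what a global mysql_real_escape_string() pass would do.
$name = $pdo->query('SELECT name FROM users WHERE id = 1')->fetchColumn();
echo 'HTML-escaped at output:     ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
echo 'Globally SQL-escaped value: ', htmlspecialchars(addslashes($name), ENT_QUOTES, 'UTF-8'), "\n";
```

Run with `php example.php`. The first table shows '3.14', '1e3' and ' 8' passing is_numeric() while only '42' passes ctype_digit(); the lookup loop shows '1e3' rejected and ' 8' accepted as 8 (no such row, so null); and the last two lines show the name rendered correctly when escaped for HTML at output, versus carrying a stray backslash when it was SQL-escaped up front.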

Re: Working Method?

Posted: Tue Dec 02, 2008 9:30 pm
by mikelbring
I am doing a different method this time, sorta.

Code:

<?
    public function cleanInput(array $input) {

        if ((ini_get('magic_quotes_gpc'))) {
            $trustedInput = array_walk_recursive($input, 'stripslashes');
        }

        // Escape using mysql_real_escape_string()
        $trustedInput = array_walk_recursive($input,'mysql_real_escape_string');

        return $trustedInput;

    }
?>
My global file:

Code:

<?

$secure->cleanInput($_GET);
$secure->cleanInput($_POST);
$secure->cleanInput($_REQUEST);
$secure->cleanInput($_COOKIE);
?>

Re: Working Method?

Posted: Tue Dec 02, 2008 10:32 pm
by mikelbring
After running what I said, I get 2 errors:

Warning: Wrong parameter count for stripslashes() in /home2/panek/public_html/application/classes/secure.class.php on line 41

Warning: mysql_real_escape_string() expects parameter 2 to be resource, string given in /home2/panek/public_html/application/classes/secure.class.php on line 46

Re: Working Method?

Posted: Tue Dec 02, 2008 11:23 pm
by mikelbring
Not trying to double/triple post but I keep getting a little farther. I decided to do this and it seems to be working. I just want to make sure I have some protection.

This is in my secure.class.php

Code:

public function clean(&$value){

    if (ini_get('magic_quotes_gpc')) $value = stripslashes($value);

    $value = mysql_real_escape_string($value);

}

This is in my global.php which is basically on all pages.

Code:

array_walk_recursive($_GET, array($secure,'clean'));
array_walk_recursive($_POST, array($secure,'clean'));
array_walk_recursive($_COOKIE, array($secure,'clean'));

Any input is appreciated.

Re: Working Method?

Posted: Wed Dec 03, 2008 5:00 am
by Mordred
N.O.
Everything I said before still applies.