security holes in a few php functions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
shawngoldw
Forum Contributor
Posts: 212
Joined: Mon Apr 05, 2010 3:38 pm

security holes in a few php functions

Post by shawngoldw »

I was wondering if there were any known holes in any of the following functions:

ctype_alnum()
ctype_alpha()
is_numeric()

I'm talking security holes in the sense that I am taking form data and using these functions to make sure that no malicious input was used, only characters which I expect. Potentially, can someone submit hex codes or some other encoding and get through these filters and have their malicious input injected into mysql or the page?

Thanks,
Shawn
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: security holes in a few php functions

Post by superdezign »

Depends on what you do with the data after you check it's validity with these functions. But if you are asking if these functions return false positives, then the answer is no.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: security holes in a few php functions

Post by Mordred »

You must always properly escape what you put in a SQL query.
Do not rely on ANY validation functions. Validation is part of the business logic, the DB layer should escape.

These three may pass data that one would not normally (i.e. without having read the manual carefully) expect them to. The first two are locale dependent, they may return WHATEVER as valid. The third will return validate things like 0xABCD, 1e36, 40.123, 0987 which may or may not be "numeric" according to the database layer.

In short, use this for validation (optional). Do not use them instead of escaping.

[quote=superdezign]But if you are asking if these functions return false positives, then the answer is no.[/quote]
While technically this is true (yes, the functions work as defined), the results are not consistent with what many programmers expect, and most importantly the results are not consistent with what the database expects!
shawngoldw
Forum Contributor
Posts: 212
Joined: Mon Apr 05, 2010 3:38 pm

Re: security holes in a few php functions

Post by shawngoldw »

thanks, I was really asking about false positives but as usual Mordred's input is useful.
Post Reply