From: auday dot talib at gmail dot com
Operating system: linux
PHP version: 5.2.6
PHP Bug Type: Feature/Change Request
Bug description: sql injection/xss prevention methods
Description:
------------
Hello,
this is Auday. I am learning PHP and reading about security, and I thought
about SQL injections.
We use SELECT FROM tablename WHERE something = something1 AND
somethingelse = something2.
I thought about preventing SQL attacks by these methods:
1- Use of ANDAND / OROR, which means PHP will ignore any other OR or AND
after this.
Example: SELECT FROM userstable WHERE username = $_POST['username'] ANDAND
Password = $_POST['password']
So
if the password is entered with this
OR 1=1, which is very famous, PHP will ignore it.
2- PHP ignores any logical statements such as OR/AND in any value before
ANDAND or OROR.
If, in the example above, someone entered the username with ANDAND or OROR
to make PHP ignore the other conditions, PHP should deal with the value as
text, not as a logical part.
In other words, values used for the SQL queries are not processed as
code, by disallowing ANDAND or OROR to be in variables.
Just like some conditions we have for variables, one more to add is no
OROR, ANDAND and any other related things.
3- XSS. I know a little bit about PHP and this one, but I thought about
this method for preventing it.
When someone tries to pass HTML code or JavaScript or even PHP, the PHP engine
should do these things:
A) Check the restriction in php.ini, new lines for example like
therulesforGET = nocode
This is what will turn spaces to , and these < (smaller than),
&gt; (greater than)
without the need for regular expressions and other methods ... server
admins can set for example an ini file with
HTMLinPOST['username'] = no
HTMLinPOST['message'] = yes(p,font,etc) // allowed tags for this one
HTMLattributesinPOST['message'] = no // or set it to yes but allow style,
class, color, background and other not harmful things
WHAT I am trying to say is to make PHP easier for programmers ... they set
the limits their application should have, then PHP does the regular
expressions part and other stuff.
B) Set the formats the same way.
Let's say PHP will take $n as number and $c as character and dot as space;
in php.ini
formatforPOST['postalcode'] = $c1$n1$c2.$n2$c3$n3 // Canada postal code
like t5t 1e1 will be the only accepted for this.
Same for others, $text-ini (any text), $numric-ini (any number); I
used ini to make it a bit different.
formatforGET['userid'] = $numric-ini // or just numric
So again .. I think PHP should have these stored in a file that the engine
reads and does all the other work.
I heard regular expressions are not PHP but another language called Perl, so
we need something like the above as PHP regular expressions,
simply defined: text, nohtml, numric and other things,
so I don't have to check is it numeric every time or call functions / classes;
I set one line and put that this data coming from POST is numeric only ...
ERROR MESSAGES
If it is not looking the same as what is specified in the ini file, if it is
different, how should the programmer act? PHP will return an error message
stored on the server called POST['userid']error.
If it exists I display it ... or deal with it.
php-builtin-function-to-check-errors(POST['userid']error) // check if this
got an error ... return true or false
We assume this is a new function PHP introduces.
If the POST['userid'] is set in the INI file to be numeric only but it is
entered not numeric,
PHP returns this error:
POST['userid']error = 'not WHATINTHEINI' // this can be !numric
So the programmer didn't write and check the variable, but set it in the ini
file, and now got the error code from the function above.
if(POST['userid']error) {
display the error by echo,
echo $_POST['userid']error;
}
I hope this is the right place where I can submit ideas and I hope you
read my message and try to see if there is something useful.
I hope I didn't waste your time.
Thanks
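The report asks for three things: queries that never treat a submitted value as SQL, per-field input rules declared once and checked by the engine, and HTML kept out of (or neutralised in) user-supplied fields. The block below is an added example, not part of the bug report and not PHP's own code: it reaches the same three goals with facilities PHP already has, namely PDO prepared statements (the value "OR 1=1" is bound as a parameter and compared as a plain string, which is what the ANDAND idea is trying to achieve), a small rule table in the spirit of the proposed ini entries (including a compiler for the `$c`/`$n`/`.` format tokens from the report), per-field error codes, and `htmlspecialchars` at output time. It assumes PHP 7 or later with the PDO SQLite driver; the rule names, field names and sample input are constructed for illustration.

```php
<?php
// Added example (not from the bug report): the report's three goals using
// existing PHP facilities. Assumes PHP 7+ with the PDO SQLite driver.
declare(strict_types=1);

// Declarative per-field rules in the spirit of the proposed ini entries.
// Format tokens follow the report: $c = one letter, $n = one digit, '.' = space.
const INPUT_RULES = [
    'userid'     => ['type' => 'numeric'],
    'username'   => ['type' => 'nohtml', 'max' => 32],
    'message'    => ['type' => 'text'],                 // free text, escaped on output
    'postalcode' => ['type' => 'format', 'format' => '$c$n$c.$n$c$n'], // Canadian postal code
];

/** Compile a "$c$n$c.$n$c$n" style pattern into an anchored regular expression. */
function formatToRegex(string $format): string
{
    $map = ['$c' => '[A-Za-z]', '$n' => '[0-9]', '.' => ' '];
    $regex = '';
    for ($i = 0, $len = strlen($format); $i < $len; $i++) {
        $token = $format[$i];
        if ($token === '$' && $i + 1 < $len) {
            $token .= $format[++$i];          // consume the letter after '$'
        }
        $regex .= $map[$token] ?? preg_quote($token, '/');
    }
    return '/^' . $regex . '$/';
}

/** Validate an input array against the rules; returns [field => error code]. */
function validateInput(array $input, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $input[$field] ?? null;
        if (!is_string($value)) {
            $errors[$field] = 'missing';
            continue;
        }
        switch ($rule['type']) {
            case 'numeric':
                if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                    $errors[$field] = '!numeric';   // the report's "!numric" error code
                }
                break;
            case 'nohtml':
                if ($value !== strip_tags($value)) {
                    $errors[$field] = 'html not allowed';
                } elseif (isset($rule['max']) && strlen($value) > $rule['max']) {
                    $errors[$field] = 'too long';
                }
                break;
            case 'format':
                if (!preg_match(formatToRegex($rule['format']), $value)) {
                    $errors[$field] = 'bad format';
                }
                break;
            case 'text':
                break;                            // accepted as-is; see render()
        }
    }
    return $errors;
}

/** Look up a user with a prepared statement: values travel as parameters, never spliced into SQL. */
function findUser(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Passwords are verified against a stored hash, not compared inside the query.
    return ($row && password_verify($password, $row['password_hash'])) ? $row : null;
}

/** Escape for HTML output: this, not input filtering, is what prevents XSS on the page. */
function render(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ---- constructed demo input standing in for $_POST ----
$post = [
    'userid'     => '1 OR 1=1',
    'username'   => "alice' OR 'a'='a",
    'message'    => '<script>alert(1)</script>',
    'postalcode' => 't5t 1e1',
];

// Per-field error codes, the report's POST['field']error idea as a return value.
foreach (validateInput($post, INPUT_RULES) as $field => $code) {
    echo "$field: $code\n";
}

// In-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('secret', PASSWORD_DEFAULT)]);

// The "OR 1=1" payload is bound as a parameter and compared as a plain string, so no row matches.
echo 'payload matched a row: ', var_export(findUser($db, "alice' OR 1=1 --", 'x') !== null, true), "\n";
echo 'real login matched:    ', var_export(findUser($db, 'alice', 'secret') !== null, true), "\n";

// Output escaping turns the script tag into inert text.
echo render($post['message']), "\n";
```

Run it with `php example.php`. The rule table does the job the report assigns to php.ini, but as application code: the framework or application reads it once and every field gets checked the same way, with an error code per field that the programmer can display or handle. The query side needs no keyword tricks at all, because a bound parameter can never change the structure of the statement; and because the XSS defence is applied when text is written into HTML rather than when it is received, the 'message' field can stay free text without leaving the page open to script injection.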
--
Edit bug report at http://bugs.php.net/?id=46520&edit=1