RE: [PHP-DB] Sanitizing user input for interaction with DB.

2002-01-13 Thread Beau Lebens

Hi Benny,
I know this is a bit of a run-around again, but try the annotated manual on
php.net, it has some good examples of using things here and there.

Specifically useful functions are

htmlspecialentities()
htmlspecialchars()
addslashes()
stripslashes()
nl2br()

also, as far as using regexps goes, you would probably normally want to do
something like (pseudo-esque :P)

if (!eregi($expression, $string)) {
    exit('input rejected');   // fail closed: anything that does not match is refused
}

hope something in there helps :)

/beau

// -Original Message-
// From: C. Bensend [mailto:[EMAIL PROTECTED]]
// Sent: Monday, 14 January 2002 10:49 AM
// To: [EMAIL PROTECTED]
// Subject: [PHP-DB] Sanitizing user input for interaction with DB.
// 
// 
// 
// Hey folks,
// 
//  Let me preface this with the fact that I know
// information like this exists online, but it's a bear
// trying to find good examples.  I checked the list archives,
// and got minimal information.  Also, I'm posting to this list
// rather than the -users because this does target a database
// environment.
// 
//  I am working on a very basic project to put a bunch
// of computer-related information into a searchable PostgreSQL
// database.  I'm using PHP 4.0.6 to connect to PostgreSQL
// 7.1.2, via Apache 1.3.20.
// 
//  I'm a sysadmin, so one of my first concerns is for
// my site to be as secure as I can make it, without crippling
// my ability to do anything.  Hence, I have taken reasonable
// steps to minimize the chances of problems, like connecting
// to the database with an unprivileged user (SELECT privs
// on only the necessary tables).  The user can't DROP, or
// INSERT, or anything.
// 
//  I'm now looking for real, working examples for scrubbing
// input submitted via a form.  I've gone over code snippets, read
// security-related articles, and haven't been able to find any
// real (read - targeted at beginning developers) examples for
// this.  I want to take the safer approach, and only allow a set
// of characters, rather than trying to weed out the evil.
// 
//  I would greatly appreciate it if you folks could
// pass me some URLs for this, or some small blurbs of code...
// I've read dozens of 'use regex' hints, but I need to understand
// a bit more about how to _use_ them, not how to _form_ them.
// 
// Sorry to be so long-winded...  I appreciate any tips/tricks/URLs
// you can give me.  :)  Thanks!
// 
// Benny
// 
// 
// ~~
// A 'good' landing is one from which you can walk away. A 'great'
// landing is one after which they can use the plane again.
// --Rules of the Air, #8
// 
// 
// 
// -- 
// PHP Database Mailing List (http://www.php.net/)
// To unsubscribe, e-mail: [EMAIL PROTECTED]
// For additional commands, e-mail: [EMAIL PROTECTED]
// To contact the list administrators, e-mail: 
// [EMAIL PROTECTED]
// 

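Benny asked for a working example of allowing only a set of characters rather than trying to weed out the bad ones, and Beau's sketch above is the shape of it. The following is an added example, not code from this thread, showing that allow-list check in PHP 7 or later with preg_match(); eregi() was removed in PHP 7. The field names, patterns and sample input are constructed for illustration.

```php
<?php
// Added example (not code from the thread): allow-list validation of form
// fields before they go anywhere near a query. The field names and patterns
// below are assumptions made for illustration.

// Anchored patterns (^...$) so the whole value must match, not just part of it.
// The /D modifier stops $ from also matching just before a trailing newline.
$rules = [
    'hostname' => '/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/iD',
    'serial'   => '/^[A-Z0-9-]{1,32}$/D',
    'notes'    => '/^[ A-Za-z0-9.,()\/-]{0,200}$/D',
    'id'       => '/^[1-9][0-9]{0,8}$/D',
];

/**
 * Check every expected field against its pattern. Returns an array with
 * 'ok' => bool, 'values' => the fields that passed, 'errors' => the names of
 * the fields that failed. A missing or non-string field fails closed.
 */
function validate_fields(array $input, array $rules): array
{
    $values = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = $input[$field] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[] = $field;
            continue;
        }
        $values[$field] = $value;
    }
    return ['ok' => $errors === [], 'values' => $values, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST: one clean submission and
// one carrying quote, tag and "or 1=1" style junk in several fields.
$good = [
    'hostname' => 'db01.example.org',
    'serial'   => 'AB-1234',
    'notes'    => 'Rack 3 (spare)',
    'id'       => '42',
];
$bad = [
    'hostname' => "db01'; delete from hosts where 1=1 --",
    'serial'   => 'AB-1234',
    'notes'    => '<script>',
    'id'       => '1 or 1=1',
];

$r = validate_fields($good, $rules);
echo $r['ok'] ? "good input accepted\n" : "unexpected rejection\n";

$r = validate_fields($bad, $rules);
echo $r['ok'] ? "bad input accepted!\n" : 'rejected fields: ' . implode(', ', $r['errors']) . "\n";
```

Only fields that pass are copied into `values`, so later code can never accidentally read the raw submission; the three polluted fields in the second sample are all reported as rejected while the clean serial number passes. Validation like this limits what can reach the database, but it is a complement to escaping or parameterised queries, not a replacement for them, since a legitimate value may still contain characters that mean something to SQL.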




Re: [PHP-DB] Sanitizing user input for interaction with DB.

2002-01-13 Thread Bogdan Stancescu

I've started a thread on the topic some time ago on the php list, after some
extensive reading and testing and these were the main conclusions:
1.1. ALWAYS pass addslashed values and always pass them quoted in the SQL
statement. That is insert into table1 set id='$id' even if $id is known to
always have numeric values. That's because you may get an $id='; delete
where 1=1'. This specific situation results in an error message in MySQL,
but... better safe than sorry. If you do this, make sure you addslashes($id)
beforehand - otherwise you may get an $id='; delete where 1=1 and that
would still be potentially dangerous.
An alternative to this would be
1.2. addslashes() to text values and for numeric values just do an
$id=abs($id) beforehand - this eliminates text from $id, evaluating it to
an integer/float.

2. Make sure you are extra careful with delete statements. In generic
statements, your main concern should be general security, so that people
can't access data they're not supposed to (that's because, as I said,
passing two SQL statements usually issues an error). In delete statements
however, you may get for your delete from table1 where id=$id a $id of the
form 1 or 1=1 which would delete your whole table.

3. OT, but you should be very extra super careful when using exec()

Well, that's about all there is to it (in my opinion anyways). The big
problem is sticking to it and always using these. The problem is even bigger
if you develop for open-source because... You get it...

Bogdan

PS. Only now have I noticed you are using PostgreSQL. Never worked with it
but it seems it's able to accept multiple queries from a single PHP call, so
you should seriously consider points 1.1 and 1.2.



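Bogdan's points 1.1 and 1.2 in working form, as an added example that is not his code or from this thread. It quotes text values as SQL string literals and checks that a numeric id really is an integer before it goes into a DELETE, so the two hostile inputs he mentions ('; delete where 1=1 and 1 or 1=1) end up as a harmless literal or are refused outright. Two deliberate departures from his text: quotes are doubled instead of backslash-escaped, because PostgreSQL with standard_conforming_strings on (the default since 9.1) treats a backslash inside a standard literal as an ordinary character, so addslashes() does not protect the closing quote there; and the id is validated with filter_var() rather than abs(), which in the PHP of the time simply turned a leading-numeric string such as 1 or 1=1 into 1 rather than rejecting it. Table and column names are placeholders; nothing here connects to a database.

```php
<?php
// Added example (not code from the thread): quoting values into SQL text the
// way Bogdan describes (always quote, always escape), plus the strict numeric
// check his point 1.2 is after. Table and column names are illustrative.

/**
 * Return $value as a SQL string literal with embedded quotes doubled. That is
 * the SQL-standard escape and what PostgreSQL expects when
 * standard_conforming_strings is on. addslashes() uses backslashes instead,
 * which PostgreSQL then treats as ordinary characters, so a \' pair would end
 * the literal early.
 */
function sql_text_literal(string $value): string
{
    $value = str_replace("\0", '', $value);          // PostgreSQL rejects NUL in literals
    return "'" . str_replace("'", "''", $value) . "'";
}

/**
 * Validate a value that is supposed to be a positive integer id. Returns the
 * int, or null if the input is anything other than a plain integer, so
 * '1 or 1=1' and "'; delete ..." are rejected rather than coerced to 1.
 */
function sql_int_or_null($value): ?int
{
    if (!is_string($value) && !is_int($value)) {
        return null;
    }
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

/** Build a DELETE by id, refusing to build anything at all if the id is bad. */
function build_delete_by_id(string $table, $id): ?string
{
    $n = sql_int_or_null($id);
    if ($n === null) {
        return null;
    }
    return "delete from $table where id = $n";
}

/** Build an INSERT whose text value is always quoted and escaped (point 1.1). */
function build_insert_named(string $table, string $name): string
{
    return "insert into $table (name) values (" . sql_text_literal($name) . ")";
}

// Constructed inputs, including the two hostile strings from the thread.
echo build_insert_named('table1', "'; delete where 1=1"), "\n";

var_dump(build_delete_by_id('table1', '1 or 1=1'));
var_dump(build_delete_by_id('table1', '42'));
```

With the first input the leading quote is doubled, so the whole string stays inside one literal and no second statement is ever formed; the second input yields null and the caller must treat that as a rejected request instead of running a query. The string quoting is only valid in a value position, never for table or column names, which is why those are fixed constants here. In PHP 5.1 and later, pg_query_params() or PDO prepared statements keep values out of the SQL text altogether and are the better choice; the quoting shown is the approach the thread is discussing.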