Re: [PHP] Re: sanitizing/security

2004-12-21 Thread Chris Shiflett
--- Richard Lynch [EMAIL PROTECTED] wrote:
> What regular expression does one use when there really isn't a
> whole lot you can say about the text?...
>
> I mean, say for a guestbook or bulletin board or for a person's
> Bio or...
>
> You can limit it to a certain number of characters in length.
>
> You can mess with strip_tags and also do an ereg to rip out any
> kind of JavaScript on tags you want to *allow*.
>
> But then what?
>
> I mean, it seems like there's still an awful lot of wiggle room
> for mischief there, in an arbitrary string typed by the user.

This type of data is certainly the most difficult to filter, especially if
you try to adhere to very strict security principles.

You start with the same question as with any other data - what exactly do
I want to allow? This is much easier and less prone to error than asking
what you want to reject. If someone is entering a bio, a whitelist is
difficult to create, but not impossible. The best approach to take when
valid data is an unknown is to create a system that learns. This can be as
simple as enabling a whitelist approach, and logging all failures, but
using some other method for interim protection (e.g., a whitelist failure
is not considered a security breach). Manual inspection of failures can be
used to enhance the whitelist, and once you feel it is capable, you can
switch to this as the primary method of protection.

I must admit that I often take the lazy way out (with the caveat that some
situations demand a higher level of security and a more strict adherence
to best practices). The lazy way to filter output is htmlentities(), a
function that converts every character that has an equivalent HTML entity
to that entity. Thus, any character that may have special meaning to a
browser is converted to something that is only useful in displaying that
character. If you want to allow some markup, convert those back (use a
literal match when possible - pattern matching as a good last resort).

When using something in an SQL query, there are some good escaping
functions that can be used. I feel pretty comfortable using
mysql_escape_string() on any data to eliminate the practicality of SQL
injection. Of course, this shouldn't be a complete substitute for proper
data filtering, so I'm still talking about the lazy (or least you can
do) approach.

So, while I agree that free-form text is very difficult to filter, there
are some pretty simple steps you can take to mitigate the risks, or you
can adhere to strict practices if you work at it.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
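The learning-mode whitelist and the htmlentities() fallback Chris describes, as an added example that is not code from the thread: misses against a starting whitelist are logged for manual review while htmlentities() remains the interim protection, and the few allowed tags are re-enabled with literal matches. The pattern, log path and allowed-tag list are assumptions to adapt.

```php
<?php
// Added example, not from the thread: Chris's "system that learns" for
// free-form text. The whitelist is applied and misses are logged, but
// htmlentities() stays the real protection until the list is trusted.
// The pattern, log path and allowed tags are placeholders to adapt.

define('BIO_MAXLEN', 2000);
// Hypothetical starting whitelist: letters, digits, common punctuation,
// whitespace and the <b>/<i> tags. Tune it from the failure log.
define('BIO_WHITELIST', '/\A(?:[A-Za-z0-9 .,;:!?\'"()\-\r\n]|<\/?[bi]>)*\z/');
define('BIO_FAILLOG', '/tmp/bio-whitelist-misses.log'); // placeholder path

function bio_passes_whitelist($text)
{
    return strlen($text) <= BIO_MAXLEN && preg_match(BIO_WHITELIST, $text) === 1;
}

// Lazy-but-safe output: encode everything, then literally re-enable the
// few tags we allow (a literal str_replace, not a pattern match).
function bio_for_display($text)
{
    $safe = htmlentities($text, ENT_QUOTES, 'UTF-8');
    foreach (array('<b>', '</b>', '<i>', '</i>') as $tag) {
        $safe = str_replace(htmlentities($tag, ENT_QUOTES, 'UTF-8'), $tag, $safe);
    }
    return $safe;
}

// $enforce = false is learning mode: a miss is logged for manual review
// but not treated as a breach. Flip it once the whitelist is mature.
function filter_bio($text, $enforce = false)
{
    if (!bio_passes_whitelist($text)) {
        error_log(date('c') . ' whitelist miss: ' . var_export($text, true) . "\n", 3, BIO_FAILLOG);
        if ($enforce) {
            return false;
        }
    }
    return bio_for_display($text);
}

// Constructed sample input: one allowed tag, one the whitelist rejects.
$sample = "Hi, I'm <b>Sebastian</b> <script>notAllowed()</script>";
echo filter_bio($sample), "\n";
```

In learning mode the sample is logged as a miss but still rendered with only `<b>` live and the script tag entity-encoded; with `$enforce` true the same input is rejected outright.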



Re: [PHP] Re: sanitizing/security

2004-12-20 Thread Richard Lynch
Matthew Weier O'Phinney wrote:
> * Sebastian [EMAIL PROTECTED]:
> > just a question, what is the best way to sanitize your scripts when
> > you're
> > using $_GET or $_REQUEST in a query?
> >
> > eg, i usually just do:
> >
> > if(is_numeric($_REQUEST['id']))
> > {
> >     mysql_query("SELECT id FROM table WHERE id=" . intval($_REQUEST['id']));
> > }
> >
> > what about when the GET is text? just use htmlspecialchars?
> > just looking for some advice to help keep my apps secure.
>
> The proper method for doing this is to 'whitelist' -- in other words,
> assume data is tainted, and only allow it if it passes certain criteria.
> For text, you'll typically want to define what is allowed, create a
> regular expression, and pass the value through that expression (this is
> often called 'filtering').
>
> By the way, if you're needing an integer ID in the test above, testing
> for is_numeric() will not be enough -- it returns floats as well as
> integers. Try:
>
> if ($_REQUEST['id'] === strval(intval($_REQUEST['id'])))  // strict: "5.0" == "5" is true in PHP

For an id, you may also want to do:
$id = (int) $_REQUEST['id'];
if ($id > 0) {
    // $id is a positive integer; safe to use in the query
}

While I can't think how a value of -5 is going to mess you up in any big
way, you might as well eliminate it, since it's not valid.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Re: sanitizing/security

2004-12-20 Thread Richard Lynch
> what about when the GET is text? just use htmlspecialchars?
> just looking for some advice to help keep my apps secure.

What regular expression does one use when there really isn't a whole lot
you can say about the text?...

I mean, say for a guestbook or bulletin board or for a person's Bio or...

You can limit it to a certain number of characters in length.

You can mess with strip_tags and also do an ereg to rip out any kind of
JavaScript on tags you want to *allow*.

But then what?

I mean, it seems like there's still an awful lot of wiggle room for
mischief there, in an arbitrary string typed by the user.

Do you typically check for the distribution of ABCDEF...XYZ and if it is
too far from standard English, disallow it?  How do you do that
clearly/easily?

What more *can* be done to validate data that is so free-form essentially?

-- 
Like Music?
http://l-i-e.com/artists.htm




[PHP] Re: sanitizing/security

2004-12-19 Thread Matthew Weier O'Phinney
* Sebastian [EMAIL PROTECTED]:
> just a question, what is the best way to sanitize your scripts when you're
> using $_GET or $_REQUEST in a query?
>
> eg, i usually just do:
>
> if(is_numeric($_REQUEST['id']))
> {
>     mysql_query("SELECT id FROM table WHERE id=" . intval($_REQUEST['id']));
> }
>
> what about when the GET is text? just use htmlspecialchars?
> just looking for some advice to help keep my apps secure.

The proper method for doing this is to 'whitelist' -- in other words,
assume data is tainted, and only allow it if it passes certain criteria.
For text, you'll typically want to define what is allowed, create a
regular expression, and pass the value through that expression (this is
often called 'filtering').

By the way, if you're needing an integer ID in the test above, testing
for is_numeric() will not be enough -- it returns floats as well as
integers. Try:

if ($_REQUEST['id'] === strval(intval($_REQUEST['id'])))  // strict: "5.0" == "5" is true in PHP

In terms of sanitizing data for insertion into a database -- or even for
re-display to users -- you'll typically want to use htmlentities()
and/or strip_tags() first (after you've validated that data, that is).
Then, for insertion into the database, use your database driver's
quoting method. In MySQL, this is mysql_real_escape_string().
Alternatively, use a database abstraction layer such as ADODB or
PEAR::DB/MDB2 and use its prepare() functionality (that way you don't
need to know the db's specific functions).

-- 
Matthew Weier O'Phinney   | mailto:[EMAIL PROTECTED]
Webmaster and IT Specialist   | http://www.garden.org
National Gardening Association| http://www.kidsgardening.com
802-863-5251 x156 | http://nationalgardenmonth.org
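
The integer-ID check Matthew and Richard describe, a whitelist for a short text value, and driver-side quoting, as an added example that is not code from the thread. PDO prepared statements stand in for the ADODB/PEAR::DB prepare() Matthew mentions; the table and column names and the text pattern are assumptions.

```php
<?php
// Added example, not from the thread. Strict integer-ID validation as
// Matthew and Richard describe, a whitelist for a short text parameter,
// and a prepared statement so the value never touches the SQL string.
// PDO stands in for the ADODB/PEAR::DB prepare() Matthew mentions; the
// table/column names and the text pattern are placeholders.

// Returns the id as an int, or null if the input is not a positive
// integer in canonical form. is_numeric() alone accepts "5.0", "1e3"
// and " 5"; the strval(intval()) round-trip rejects those, but only with
// a strict comparison, since "5.0" == "5" is true for numeric strings.
// The > 0 test then drops 0 and negatives (Richard's point).
function clean_id($raw)
{
    if (!is_string($raw) || $raw !== strval(intval($raw))) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Whitelist for a short free-text parameter: define what is allowed
// rather than what to reject. Pattern and length are assumptions.
function clean_term($raw, $maxlen = 40)
{
    if (!is_string($raw) || strlen($raw) > $maxlen) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9 _\-]+\z/', $raw) === 1 ? $raw : null;
}

function find_row(PDO $db, $id, $term)
{
    // Bound parameters: the driver quotes the values, no escaping here.
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id AND name LIKE :term');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':term', '%' . $term . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_REQUEST['id'] values.
foreach (array('42', '-5', '5.0', '1e3', ' 7', '0', '007') as $raw) {
    var_dump($raw, clean_id($raw));
}
```

Only "42" survives clean_id(); "007" and " 7" are rejected because they are not the canonical spelling of the integer they parse to.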




[PHP] Re: sanitizing/security

2004-12-18 Thread Jed Smith
mysql_escape_string() is what you're looking for.
Jed
Sebastian wrote:
> just a question, what is the best way to sanitize your scripts when you're
> using $_GET or $_REQUEST in a query?
> eg, i usually just do:
> if(is_numeric($_REQUEST['id']))
> {
>     mysql_query("SELECT id FROM table WHERE id=" . intval($_REQUEST['id']));
> }
> what about when the GET is text? just use htmlspecialchars?
> just looking for some advice to help keep my apps secure.
> cheers
cheers

--
 _
(_)___Jed Smith, Code Monkey
| / __|   [EMAIL PROTECTED] | [EMAIL PROTECTED]
| \__ \   +1 541 606-4145
   _/ |___/   Signed mail preferred (PGP 0x703F9124)
  |__/http://personal.jed.bz/keys/jedsmith.asc