Interesting, thank you for the contribution. Same rules can be applied to $_REQUEST and $_POST, but I guess you think that's already clear from what you write in the last comments. Unfortunately, many people I think just want ready-made functions to copy and paste. You can make it more complete or be more clear in the "FIXME" line. Also, at least comments shouldn't be self-explained when not talking about them. Something like:

// FIXME: This code is just an example, it's not complete, don't use it, just learn what it does and implement something that suits your real needs.
// You may want to apply it to other variables as well, or even not use it at all (in some special cases).
(By the way, hi all. I think this is my first post on this list after years of random reading.)

Pierpaolo D'Aimmo
+1 201 892 1270
dai...@gmail.com

On Wed, May 21, 2014 at 11:09 AM, Gary Mort <garyam...@gmail.com> wrote:
> I was looking at a tutorial written in this century for PHP programming, and I had steam come out of my ears.
>
> Even in this day and age, so-called PHP 'experts' still write tutorials where they create a simple hello world script which uses:
>
> $name = $_GET['name'];
>
> The concept of using the simple filter_input() function is not addressed in almost any tutorials, and those that do address it don't bother until the second half of the book.
>
> I understand why they do this. Explaining all the intricacies of filter_input is an advanced topic. Moreover, using $_GET and $_POST makes it very easy for instructional purposes to provide visual cues to the student for where this data comes from.
>
> Nevertheless, since we can create closures in PHP and bind them to variables, it's a simple matter to use an anonymous function bound to $get and still maintain clarity. It can even be bound to $_GET so all they need to do is change [] to ()!
>
> So I wanted some feedback on the wording of the following to promote using 4 little lines of code to reduce PHP security issues:
>
> ## Do not do as they do
>
> As you learn how to program in PHP you will find almost all instructional tutorials as of 2014 do you a grave injustice. They teach you how to write dangerous, hackable, insecure PHP code.
>
> Since I can't wave a magic wand and make all those tutorials fix themselves, I have decided to instead provide you with a simple way to not let them do this to you.
>
> For any tutorial which ever tells you to get data submitted by a user by using the $_GET superglobal variable, you can perform a simple substitution:
>
> If they say:
> $exampleVariable = $_GET['exampleVariable'];
>
> You should use:
> $exampleVariable = $get('exampleVariable');
>
> This is a small change that looks similar visually, so it makes it easy for you to substitute. Instead of getting the data from an array, you are getting the data using a function.
>
> Now in addition to the above, you will ALSO need to create this function. So at the top of any PHP file where you will be using this function, simply add the following 4 lines:
>
> // FIXME: replace this with a more complete data sanitizing script
> if (isset($_GET)) { unset($_GET); } // Force yourself not to use the global variable
> $get = function($varName) {
>     return filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING); };
>
> ## What this does
>
> // FIXME: replace this with a more complete data sanitizing script
>
> This is a PHP comment, it is not executable code. This is simply a notation to remind you in the future, if you are using this file for a production website, to go back and replace this code with more appropriate and secure code.
>
> if (isset($_GET)) { unset($_GET); } // Force yourself not to use the global variable
>
> This line is to force you not to use the $_GET array by deleting it. That way if you cut and paste code from a tutorial, you won't accidentally introduce security issues if you forget to make the necessary changes.
>
> $get = function($varName) {
>     return filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING); };
>
> These 2 lines create a function to remove any HTML tags from a query string variable and return it. The function is a special PHP construct called a closure, which you can learn about later, which allows it to be referenced by a variable. The purpose of using this odd construct is that it allows you to reuse these 2 lines of code multiple times in a PHP application without having to worry about duplicate function names.
>
> The filter_input is a PHP function which provides a great deal more security options than just the one I have used here. It is up to you to learn about and use those options appropriately. What I have included here is the bare minimum to provide some basic security AND to allow you to easily increase your security incrementally. For example, instead of having to rewrite every single PHP program you write in the beginning, you merely need to search for all the FIXME strings and change filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING) to something more appropriate for your specific needs.
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show-participation
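One way to fill in the FIXME from the quoted post with per-variable filters, and to cover $_POST as the reply suggests. This is an added example, not code from either poster; the names $input, $get, $post and $spec and the variable list are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Hide the superglobals as the quoted post does, so pasted tutorial code that
// reads $_GET['x'] fails instead of silently using unfiltered input.
// filter_input() still reads the request, so the closures below keep working.
unset($_GET, $_POST, $_REQUEST);

// Build an accessor for one input source. $spec (this example's own name) maps
// each accepted variable to [filter, options]; undeclared names are refused,
// so every input the script accepts is listed in one place.
$input = function (int $source, array $spec): Closure {
    return function (string $name, $default = null) use ($source, $spec) {
        if (!isset($spec[$name])) {
            throw new InvalidArgumentException("Undeclared input: $name");
        }
        [$filter, $options] = $spec[$name] + [1 => []];
        $value = filter_input($source, $name, $filter, ['options' => $options]);
        // filter_input() gives null when the variable is absent and false when
        // it fails validation; both fall back to the caller's default. (If you
        // add FILTER_VALIDATE_BOOLEAN, pass FILTER_NULL_ON_FAILURE instead.)
        return ($value === null || $value === false) ? $default : $value;
    };
};

$get = $input(INPUT_GET, [
    'page'  => [FILTER_VALIDATE_INT, ['min_range' => 1, 'max_range' => 1000]],
    'email' => [FILTER_VALIDATE_EMAIL],
    'q'     => [FILTER_DEFAULT],   // raw string, escaped where it is output
]);
$post = $input(INPUT_POST, [
    'comment' => [FILTER_DEFAULT],
]);

// Call sites keep the thread's $get('name') shape.
$page    = $get('page', 1);   // int in 1..1000, or 1 when missing or invalid
$email   = $get('email');     // valid address string, or null
$q       = $get('q', '');
$comment = $post('comment', '');

// FILTER_SANITIZE_STRING, used in the quoted 4-line version, is deprecated as
// of PHP 8.1 and in any case only strips tags: it does not make a value safe
// for every output context. Escape for the context the value lands in.
echo '<p>Results for ' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . "</p>\n";
echo '<p>' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . "</p>\n";
```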