Why use an anonymous function? That seems less readable than declaring
function get( $varName ), and the explanation of anonymous functions
distracts from your point, which is that you should always filter input.

But yeah, quick tutorials tend to over-simplify. Writers make a lot of
assumptions about readers' awareness of security issues and good coding
practices. It's a fundamental problem -- PHP is easy to learn, but a
security mindset is difficult to teach.


Chris Snyder
http://chxor.chxo.com/


On Wed, May 21, 2014 at 11:09 AM, Gary Mort <garyam...@gmail.com> wrote:

>  I was looking at a tutorial written in this century for PHP programming,
> and I had steam come out of my ears.
>
> Even in this day and age, so called PHP 'experts' still write tutorials
> where they create a simple hello world script which uses:
>
> $name = $_GET['name'];
>
> The concept of using the simple filter_input() function is not addressed
> in almost any tutorials, and those that do address it don't bother until
> the second half of the book.
>
> I understand why they do this. Explaining all the intricacies of
> filter_input is an advanced topic. Moreover, using $_GET and $_POST makes
> it very easy for instructional purposes to provide visual cues to the
> student for where this data comes from.
>
> Nevertheless, since we can create closures in PHP and bind them to
> variables, it's a simple matter to use an anonymous function bound to $get
> and still maintain clarity. It can even be bound to $_GET so all they need
> to do is change [] to ()!
>
> So I wanted some feedback on the wording of the following to promote using
> 4 little lines of code to reduce PHP security issues:
>
> ## Do not do as they do
>
> As you learn how to program in PHP you will find
> almost all instructional tutorials as of 2014 do you a grave injustice. They
> teach you how to write dangerous, hackable, insecure PHP code.
>
> Since I can't wave a magic wand and make all those tutorials fix themselves, 
> I have decided to instead provide you with a simple way to not let them do 
> this to you.
>
> For any tutorial which ever tells you to get data submitted by a user by 
> using the $_GET superglobal variable, you can perform a simple substitution:
>
> If they say:
> $exampleVariable = $_GET['exampleVariable'];
>
> You should use:
> $exampleVariable = $get('exampleVariable');
>
> This is a small change that looks similar visually, so it makes it easy for 
> you to substitute.  Instead of getting the data from an array, you are 
> getting the data using a function.
>
> Now in addition to the above, you will ALSO need to create this function. So
> at the top of any PHP file where you will be using this function, simply add
> the following 4 lines:
>
>
> // FIXME: replace this with a more complete data sanitizing script
> if (isset($_GET)) { unset($_GET); } // Force yourself not to use the global variable
> $get = function($varName) {
>   return filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING); };
>
> ## What this does
> // FIXME: replace this with a more complete data sanitizing script
> This is a PHP comment; it is not executable code. This is simply a notation
> to remind you in the future, if you are using this file for a production
> website, to go back and replace this code with more appropriate and secure
> code.
>
> if (isset($_GET)) { unset($_GET); } // Force yourself not to use the global variable
> This line is to force you not to use the $_GET array by deleting it. That way
> if you cut and paste code from a tutorial, you won't accidentally introduce
> security issues if you forget to make the necessary changes.
>
>
> $get = function($varName) {
>   return filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING); };
>
> These 2 lines create a function to remove any HTML tags from a query string
> variable and return it. The function is a special PHP construct called a
> closure, which you can learn about later, which allows it to be referenced
> by a variable. The purpose of using this odd construct is that it allows you
> to reuse these 2 lines of code multiple times in a PHP application without
> having to worry about duplicate function names.
>
> The filter_input is a PHP function which provides a great deal more security
> options than just the one I have used here. It is up to you to learn about
> and use those options appropriately. What I have included here is the bare
> minimum to provide some basic security AND to allow you to easily increase
> your security incrementally. For example, instead of having to rewrite
> every single PHP program you write in the beginning, you merely need to
> search for all the FIXME strings and change filter_input(INPUT_GET, $varName,
> FILTER_SANITIZE_STRING) to something more appropriate for your specific needs.
>
>
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show-participation
>
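Added example, not code from either poster: a complete script that puts Gary's four-line $get closure next to the named-function variant Chris suggests, and then shows what the FIXME placeholder is meant to grow into (type-specific validation with filter_input(), plus escaping at the HTML output boundary). Two facts it relies on: filter_input() reads the request data captured at script start rather than the $_GET array, so it keeps working after unset($_GET); and FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so the closure really is a placeholder. The accessor names getInt()/getText()/html() and the query string used in the comments are assumptions made for this example.

```php
<?php
// Added example (not from the original thread). Run as a web script and
// request it with a constructed query string such as
//   ?name=%3Cb%3EBob%3C%2Fb%3E&page=3
// From the CLI there is no request data, so every accessor returns null.
declare(strict_types=1);

// Step 1 of the original post: delete the superglobal so pasted tutorial
// code that reads $_GET fails loudly instead of silently skipping the filter.
if (isset($_GET)) { unset($_GET); }

// Step 2, the closure exactly as the post intends. filter_input() still works
// here because it uses the request data captured at script start, not $_GET.
// FIXME: replace this with a more complete data sanitizing script
$get = function (string $varName): ?string {
    // FILTER_SANITIZE_STRING strips tags; deprecated since PHP 8.1, which is
    // why the post marks this line as a placeholder to revisit.
    $value = filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING);
    return ($value === null || $value === false) ? null : $value;
};

// Chris's readability point: a plain named function reads the same way and
// needs no explanation of closures. Name assumed for this example.
function get(string $varName): ?string
{
    $value = filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING);
    return ($value === null || $value === false) ? null : $value;
}

// What the FIXME is replaced with: validate against the type and range the
// code actually expects. filter_input() returns null when the variable is
// absent and false when it fails validation; both are mapped to null so the
// caller has exactly one "not usable" value to check.
function getInt(string $varName, int $min, int $max): ?int
{
    $value = filter_input(INPUT_GET, $varName, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return ($value === null || $value === false) ? null : $value;
}

// Free text is kept unchanged (no tag stripping) but bounded in length and
// required to be valid UTF-8; escaping happens where it is rendered.
function getText(string $varName, int $maxLen = 100): ?string
{
    $value = filter_input(INPUT_GET, $varName, FILTER_UNSAFE_RAW);
    if ($value === null || $value === false) {
        return null;
    }
    if (strlen($value) > $maxLen || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    return $value;
}

// Output escaping for HTML contexts. Sanitizing on input does not replace
// this step: the same value may later go to a log, a database or JSON.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The tutorial's hello-world, rewritten with the accessors above.
$name = getText('name');          // "<b>Bob</b>" arrives intact
$page = getInt('page', 1, 1000);  // 3 as an int; "abc" or 0 become null

header('Content-Type: text/html; charset=UTF-8');
echo '<p>Hello, ', html($name ?? 'anonymous'), "!</p>\n";
echo '<p>Page ', $page ?? 1, "</p>\n";

// Same script, mirroring the post's one-token substitution: array access
// becomes a function call, and the sanitizing policy lives in one place.
echo '<!-- closure: ', html($get('name') ?? ''), ' / named: ', html(get('name') ?? ''), " -->\n";
```

The difference between the placeholder and the replacement is where the decision is made: FILTER_SANITIZE_STRING changes the data so that it is safe for one context (HTML) and wrong for every other, while getInt()/getText() decide whether the input is acceptable at all and leave context-specific encoding to html() at the point of use. Searching for the FIXME marker, as the post recommends, is what turns the first into the second one file at a time.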