Thanks Richard.
I got the point Chris was making: never believe _GET/_POST and use
ctype_alnum(), mysql_real_escape_string(), htmlentities() - and I
already started :) (Thanks Chris that was great for us beginners,
already posted on few Bosnian php forums :))
My question though was is the difference in code I mentioned just a
"habit of writing code" or there is some more? Some security issues too?
Let's try this way: we have a case of a form for storing registrant info
in DB. After submitting we have
$_POST['name']
$_POST['address']
$_POST['city']
$_POST['state']
$_POST['zip']
$_POST['email']
$_POST['phone']
To store submitted info to DB I would (now) use following code:
$name = mysql_real_escape_string($_POST['name']);
$address = mysql_real_escape_string($_POST['address']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$email = mysql_real_escape_string($_POST['email']);
$phone = mysql_real_escape_string($_POST['phone']);
mysql_query("insert into info values (NULL, '$name', '$address',
'$city', '$state', '$email', '$phone')");
doing the same using arrays:
$submitted = array();
$submitted['name'] = mysql_real_escape_string($_POST['name']);
$submitted['address'] = mysql_real_escape_string($_POST['address']);
$submitted['city'] = mysql_real_escape_string($_POST['city']);
$submitted['state'] = mysql_real_escape_string($_POST['state']);
$submitted['zip'] = mysql_real_escape_string($_POST['zip']);
$submitted['email'] = mysql_real_escape_string($_POST['email']);
$submitted['phone'] = mysql_real_escape_string($_POST['phone']);
mysql_query("insert into info values (NULL, $submitted['name']',
'$submitted['address']', '$submitted['city']', '$submitted['state']',
'$submitted['zip']', '$submitted['email']', '$submitted['phone']')");
Is this REALLY the same or there is a difference in security or
something else?
Thanks :)
-afan
Richard Davey wrote:
Hello afan,
Monday, June 6, 2005, 6:39:09 PM, you wrote:
aan> I was reading PHP Security Briefing from brainbulb.com (Chris Shiflett)
aan> and didn't get one thing:
aan> in example:
aan> <?php
aan> $clean = array();
aan> if (ctype_alnum($_POST['username']))
aan> {
aan> $clean['username'] = $_POST['username'];
aan> }
?>>
aan> why to set the $clean as array? what's wrong if I use:
aan> <?php
aan> if (ctype_alnum($_POST['username']))
aan> {
aan> $clean = $_POST['username'];
aan> }
?>>
In your example $clean will only ever hold one value. In the original
the clean array can be used to hold all clean GET/POST values. Not
many forms only have one value. The most important thing to remember
though is that your array isn't really "clean", it's just "valid". I
believe the original point Chris was making was that you should never
trust that $_POST will only contain the values you expect it to - they
should be moved out into a clean array first for further inspection
and filtering, if anything else lingers in the $_POST array, it's most
likely been tainted.
Best regards,
Richard Davey
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
