Re: Explanation in Shiflett's PHP Security Briefing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* "afan@xxxxxxxx" <afan@xxxxxxxx> :
> Thanks Richard.
> I got the point Chris was making: never believe _GET/_POST and use 
> ctype_alnum(), mysql_real_escape_string(), htmlentities() - and I 
> already started :) (Thanks Chris that was great for us beginners, 
> already posted on  few Bosnian php forums :))
>
> My question though was is the difference in code I mentioned just a 
> "habit of writing code" or there is some more? Some security issues too?
>
> Let's try this way: we have a case of a form for storing registrant info 
> in DB. After submitting we have
> $_POST['name']
> $_POST['address']
> $_POST['city']
> $_POST['state']
> $_POST['zip']
> $_POST['email']
> $_POST['phone']
>
> To store submitted info to DB I would (now) use following code:
>
> $name = mysql_real_escape_string($_POST['name']);
> $address = mysql_real_escape_string($_POST['address']);
> $city = mysql_real_escape_string($_POST['city']);
> $state = mysql_real_escape_string($_POST['state']);
> $zip = mysql_real_escape_string($_POST['zip']);
> $email = mysql_real_escape_string($_POST['email']);
> $phone = mysql_real_escape_string($_POST['phone']);
>
> mysql_query("insert into info values (NULL, '$name', '$address', 
> '$city', '$state', '$email', '$phone')");
>
> doing the same using arrays:
>
> $submitted = array();
> $submitted['name'] = mysql_real_escape_string($_POST['name']);
> $submitted['address'] = mysql_real_escape_string($_POST['address']);
> $submitted['city'] = mysql_real_escape_string($_POST['city']);
> $submitted['state'] = mysql_real_escape_string($_POST['state']);
> $submitted['zip'] = mysql_real_escape_string($_POST['zip']);
> $submitted['email'] = mysql_real_escape_string($_POST['email']);
> $submitted['phone'] = mysql_real_escape_string($_POST['phone']);
>
> mysql_query("insert into info values (NULL, $submitted['name']', 
> '$submitted['address']', '$submitted['city']', '$submitted['state']', 
> '$submitted['zip']', '$submitted['email']', '$submitted['phone']')");
>
>
> Is this REALLY the same or there is a difference in security or 
> something else?

Not the same, not necessarily secure, and it could cause issues for your
database and/or reporting.

What Chris Shifflet is getting at in his security columns is that simply
escaping your data before throwing it in the DB is not a good practice.
This is true from both a security standpoint as well as a database
management standpoint.

While the above would prevent most SQL injections, it could still wreak
havoc with your database.  For instance, what if your 'phone' or 'zip'
fields in your database are integer fields, and text gets passed from
the form? (answer: a failed DB call) Or you get a string of random
characters for the email? do you really want that in your DB?

It's easy to get lazy about this stuff, especially when it's just a
hobby or for something non-critical, but if you get into bad habits,
what happens when you're doing this for a business critical application?
(I know this one -- my DBA starts beating me over the head with a bat
for f***ing up his data, which will now take him several days to fix; I
get fired from my job because a script I wrote allowed a hacker to
delete all our customer data; etc.)

Regarding your original question, the reason Chris S. keeps things in an
array is so that all CLEAN (i.e. valid and/or secure) data is marked as
such in a single place. Additionally, it allows you to do things like
validating your $_POST array by looping over it:

$clean = array();
foreach ($_POST as $key => $val) {
    $ok = false;
    switch ($key) {
        case 'name':
            if (ctype_alnum($val)) {
                $ok = true;
            }
            break;
        case 'address':
            if (preg_match('/^[ a-z0-9.\'\"#-]+$/', $val)) {
                $ok = true;
            }
            break;
        // etc.
    }
    if ($ok) {
        $clean[$key] = $val;
    }
}

> Richard Davey wrote:
> > Monday, June 6, 2005, 6:39:09 PM, you wrote:
> > aan> I was reading PHP Security Briefing from brainbulb.com (Chris Shiflett)
> > aan> and didn't get one thing:
> > aan> in example:
> >
> > aan> <?php
> > aan>     $clean = array();
> > aan>     if (ctype_alnum($_POST['username']))
> > aan>     {
> > aan>         $clean['username'] = $_POST['username'];
> > aan>     }
> > ?> >
> >
> > aan> why to set the $clean as array? what's wrong if I use:
> >
> > aan> <?php
> > aan>     if (ctype_alnum($_POST['username']))
> > aan>     {
> > aan>         $clean = $_POST['username'];
> > aan>     }
> > ?> >
> >
> > In your example $clean will only ever hold one value. In the original
> > the clean array can be used to hold all clean GET/POST values. Not
> > many forms only have one value. The most important thing to remember
> > though is that your array isn't really "clean", it's just "valid". I
> > believe the original point Chris was making was that you should never
> > trust that $_POST will only contain the values you expect it to - they
> > should be moved out into a clean array first for further inspection
> > and filtering, if anything else lingers in the $_POST array, it's most
> > likely been tainted.

-- 
Matthew Weier O'Phinney           | WEBSITES:
Webmaster and IT Specialist       | http://www.garden.org
National Gardening Association    | http://www.kidsgardening.com
802-863-5251 x156                 | http://nationalgardenmonth.org
mailto:matthew@xxxxxxxxxx         | http://vermontbotanical.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux