got it!! if i could find docs/methods/etc.. i'd gladly share...

two questions:
1) css scripting. how can it be prevented?? what are some of the methods that you guys use?
2) what are some of the actual code methods used in real sites to deal with URL/Query (GET/POST) parsing?

what do you guys say about putting together a list of what should be done for the different aspects of a web site/app...?? as an example, i'd really like to know what should be done when you have a POST/GET item. should it always be checked? how should it be checked? what's the best method? etc.... i would hope that it wouldn't be hard for gurus/experts to agree on these kinds of issues...

-bruce

-----Original Message-----
From: tg-php@xxxxxxxxxxxxxxxxxxxxxx [mailto:tg-php@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 21, 2005 8:29 AM
To: bedouglas@xxxxxxxxxxxxx
Subject: RE: security/sql issues with php

no problem, Bruce. I know you're looking for something more, but if you ended up building your own, thought I'd toss my 2 cents worth of code into the mix. hah

And yeah, I'm surprised, but not surprised, at the lack of a decent solution. I have some friends who work in high computer security and from what I've seen of that end of the business, it seems that people are more interested in selling GIANT systems with GIANT (frequently hands-on by contracted techs) maintenance agreements or companies want to do the consulting thing so they can bill hourly or something. The problem with security products is that they need fairly constant maintenance. Nobody wants to make a good solid package/etc that covers 99% of the issues and then have someone bitch at them when it doesn't cover something brand new, or when some advanced technique is used..etc. To me it seems a combination of lack of desire to maintain something robust AND free as well as the greed factor of being able to milk support contracts out of people for doing hands-on security work.
I'm still surprised at the lack of good packages that would cover the mid-level security needs. At least when I was looking, I didn't find anything that I felt was stable enough to use. I prefer simple and tight to massive and possibly flawed. I'll keep building mine as I learn new things and develop new requirements, but for now it does exactly what it needs to do.

Best of luck! And if you find something noteworthy, please post it to the list. Thanks!

-TG

= = = Original message = = =

trevor...

appreciate the reply!! we've seen a lot of homegrown solutions!! but we're hoping that we can find something that's robust/tested/used in the industry/etc... the issue of security is widespread, but you'd be surprised (maybe not) at how poorly it appears to be implemented in various apps!!!

-bruce

-----Original Message-----
From: tg-php@xxxxxxxxxxxxxxxxxxxxxx [mailto:tg-php@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 21, 2005 7:54 AM
To: bedouglas@xxxxxxxxxxxxx
Subject: Re: security/sql issues with php

I know you're looking for something bigger and more complete, but in the meantime maybe this will give you something of a foundation to build on to make your own sanitizer. I wrote this function that I include() into my code to try to make data somewhat safer before using it in a SQL statement.

The reason I used so many 'case' statements is so I don't have to change my main PHP code when I figure out a better way (or just new criteria) for fixing/cleansing one type of data. For instance, you'll see "money" and "percent" and "float" do the same cleaning right now. Maybe later I'll decide I want to handle money different, all I need to do is change this function and not all my code. You get the idea.

This code is specific to MySQL but you can substitute any DB's "escape" function at the end to customize it.

Anyway, something to play with at least, since I didn't find any good classes, packages, etc when I was looking either.
Let me know if you have any questions:

-TG

<?php
/**
 * DBSanitizeData() prepares data for inserting/updating into or selecting from
 * MySQL by making sure that string data is properly escaped so as not to allow
 * 'SQL injection' type security issues from happening. No direct $_POST or $_GET data
 * should ever be used in a SQL string.
 *
 * Returns sanitized copy of data sent to it.
 *
 * Example: $result = mysql_query("INSERT INTO TableName (SomeColumn) VALUES ('" . DBSanitizeData($_POST['somevar'], 'alpha') . "')");
 *
 * Note: the escaped value must sit inside quotes in the SQL string;
 * mysql_real_escape_string() only protects a quoted string literal.
 *
 * <pre>
 * Modification Log:
 * --------------------------------------------------
 * Created:  Trevor Gryffyn - 03/28/2005
 * Modified: Trevor Gryffyn - 08/25/2005
 *           Updated comments, changed mysql_escape_string() to mysql_real_escape_string()
 *
 * </pre>
 *
 * @author Trevor Gryffyn <tgryffyn@xxxxxxxxxxx>
 * @category Database Functions
 *
 */
function DBSanitizeData($dbdata, $datatype = "alpha")
{
    switch (strtolower($datatype)) {
        case "binary":
        case "truefalse":
            // Normalize any recognised true/false spelling to a single character
            $trues  = array("YES", "Y", "1", "ON", "TRUE", "T");
            $falses = array("NO", "N", "0", "OFF", "FALSE", "F");
            if (in_array(trim(strtoupper($dbdata)), $trues)) {
                $dbdata = "Y";
            } else {
                $dbdata = "N";
            }
            break;
        case "phone":
        case "numeric":
        case "number":
        case "zip":
        case "zipcode":
        case "ssn":
            // Digits only
            $dbdata = preg_replace('/[^\d]+/s', '', $dbdata);
            break;
        case "float":
        case "money":
        case "percent":
            // TODO: Should this be handled with floatval() or something else?
            // Yes.. it probably should. Maybe this is better.
            if (strstr($dbdata, ".") AND trim($dbdata) <> "") {
                #$dbdata = (preg_replace ('/[^\d]+/s', '', $dbdata) / 100) . ".00";
                $dbdata = floatval(preg_replace('/[^\d]+/s', '', $dbdata) / 100);
            } else {
                #$dbdata = preg_replace ('/[^\d]+/s', '', $dbdata) . ".00";
                $dbdata = floatval(preg_replace('/[^\d]+/s', '', $dbdata));
            }
            break;
        case "name":
        case "address":
        case "city":
            $dbdata = ucwords($dbdata);
            break;
        case "state":
            $dbdata = strtoupper($dbdata);
            break;
        case "date":
            // Anything strtotime() cannot parse comes back as the epoch date and is blanked
            $dbdata = date("Y-m-d", strtotime($dbdata));
            if ($dbdata == "1969-12-31") {
                $dbdata = "";
            }
            break;
        case "alpha":
        case "url":
        default:
            // Nothing special, just jump down to the trim/escape
            break;
    }
    return trim(mysql_real_escape_string($dbdata));
}
?>

= = = Original message = = =

hi..

i've been searching/researching the areas of security regarding url input, form input, as well as database input (mysql). while there are plenty of articles that touch on the topic, i'm looking for a given site/package/lib (open source) that is pretty much the standard that i could use for my website/app... basically, i don't want to recreate the wheel, if there is already a serious/good solution to this area. given the importance of this area, i'm assuming that there is a lib/package that already exists to handle these issues.

i've looked through google, as well as various open source web apps to see how some of this is handled, and it appears the level of sophistication for handling this is all over the place!!

i want to stress, i'm looking for the package/lib that's strong enough/valid enough to be used in a serious commercial app.. a lot of what i've seen/suggestions on various sites aren't complete/strong.. (this stuff has got to be around/available, i mean google/ebay/1000's of sites are up/running without having issues!!!)

URL Issues/Thoughts...
-Should Handle basic regex filtering of POST/GET/REQUEST Querystring data
-Filtering of basic mysql commands/functions/characters (Insert/Drop/etc...)

Query Array Thoughts/Issues
-Should filter the arrays (GET/POST/REQUEST)
-Filtering of basic mysql commands/functions/characters (Insert/Drop/etc...)
-Check for datatype
-Set Datatype
-Log all errors/issues

Mysql DB Issues
-Parsing/inspection of all data prior to insertion in sql_query_string
-Use of 'datatype' arg in the query to ensure that the correct datatype val is used in the sql_string
-Regex comparison of the vals prior to use in the sql_string
-Proper usage of slashes/quotations around variables/sql_strings
-Logging of all db interactions

any other things that should be handled (yeah.. i know, i haven't even gotten into the issue of having separate db/app servers, and security of the overall hardware/app environment...)

-thanks

-bruce
bedouglas@xxxxxxxxxxxxx

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

___________________________________________________________
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.
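One way to do the per-field GET/POST checking Bruce lists (check datatype, regex comparison, logging, proper quoting) is shown below as an added example; it is not TG's function or anything posted to the list. It assumes PHP 7.1+ with pdo_sqlite available, and the schema, table name and sample request are constructed for the demo.

```php
<?php
// Added example, not code from this thread: per-field type checks on GET/POST
// input, logged rejects, and a prepared statement so the driver quotes the values.
// In-memory SQLite stands in for MySQL so it runs stand-alone; same PDO calls for mysql:.

// Whitelist schema: only these keys are accepted, each with an expected type.
$schema = [
    'id'    => ['type' => 'int',    'min' => 1],
    'zip'   => ['type' => 'regex',  'pattern' => '/^\d{5}\z/'],
    'state' => ['type' => 'regex',  'pattern' => '/^[A-Z]{2}\z/'],
    'name'  => ['type' => 'string', 'max' => 60],
];

// Returns [clean values, errors]; keys absent from $schema are dropped.
function validateRequest(array $input, array $schema): array
{
    $clean = []; $errors = [];
    foreach ($schema as $key => $rule) {
        $raw = isset($input[$key]) && is_string($input[$key]) ? trim($input[$key]) : null;
        if ($raw === null) { $errors[$key] = 'missing'; continue; }
        switch ($rule['type']) {
            case 'int':    // FILTER_VALIDATE_INT rejects "42abc", "0x2A", "4.0"
                $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => $rule['min']]]);
                if ($v === false) { $errors[$key] = 'not an integer'; } else { $clean[$key] = $v; }
                break;
            case 'regex':  // anchored pattern, so the whole value must match
                if (preg_match($rule['pattern'], $raw) === 1) { $clean[$key] = $raw; } else { $errors[$key] = 'bad format'; }
                break;
            case 'string': // length limit and no control characters; quoting is left to PDO
                if (strlen($raw) > $rule['max'] || preg_match('/[\x00-\x1f\x7f]/', $raw)) { $errors[$key] = 'bad string'; } else { $clean[$key] = $raw; }
                break;
        }
    }
    return [$clean, $errors];
}

// Constructed sample request: a quote-laden name and an unexpected 'debug' key.
$request = ['id' => '42', 'zip' => '21201', 'state' => 'MD',
            'name' => "O'Brien'; DROP TABLE customers;--", 'debug' => '1'];
[$clean, $errors] = validateRequest($request, $schema);
if ($errors !== []) { error_log('rejected input: ' . json_encode($errors)); exit(1); }

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER, zip TEXT, state TEXT, name TEXT)');
$stmt = $pdo->prepare('INSERT INTO customers (id, zip, state, name) VALUES (:id, :zip, :state, :name)');
$stmt->bindValue(':id', $clean['id'], PDO::PARAM_INT);
foreach (['zip', 'state', 'name'] as $k) { $stmt->bindValue(":$k", $clean[$k], PDO::PARAM_STR); }
$stmt->execute();
echo $pdo->query('SELECT name FROM customers')->fetchColumn(), "\n"; // stored literally, never parsed as SQL
```

Unlike DBSanitizeData(), validation and quoting are separate steps here: the check decides whether a value is acceptable at all, and the prepared statement does the escaping, so nothing is escaped by hand and then concatenated into the query string.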