Re: Security Issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think we're getting off topic here folks...


Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 2:51 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx>wrote:

>  On Mon, 2010-06-07 at 10:48 -0700, Michael Shadle wrote:
>
> Oh yeah. I do more than just intval() I make sure they didn't feed me
> anything BUT numeric text first. I do sanity check before type
> forcing :)
>
> I use garbage in garbage out. So I take what is given to me and yes I
> escape if before the db of course as well, and then encode on output.
>
> On Jun 7, 2010, at 10:45 AM, Ashley Sheridan
> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> > On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:
> >>
> >> It's not that bad.
> >>
> >> Use filter functions and sanity checks for input.
> >>
> >> Use htmlspecialchars() basically on output.
> >>
> >> That should take care of basically everything.
> >>
> >> On Jun 7, 2010, at 6:16 AM, Igor Escobar <titiolinkin@xxxxxxxxx>
> >> wrote:
> >>
> >> > This was my fear.
> >> >
> >> > Regards,
> >> > Igor Escobar
> >> > Systems Analyst & Interface Designer
> >> >
> >> > + http://blog.igorescobar.com
> >> > + http://www.igorescobar.com
> >> > + @igorescobar (twitter)
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind
> >> <peter.e.lind@xxxxxxxxx>
> >> > wrote:
> >> >
> >> >> On 7 June 2010 14:54, Igor Escobar <titiolinkin@xxxxxxxxx> wrote:
> >> >>> Hi Folks!
> >> >>>
> >> >>> The portal for which I work is suffering constant attacks that I
> >> >>> feel
> >> >> that
> >> >>> is PHP Injection. Somehow the hacker is getting to change the
> >> >>> cache files
> >> >>> that our system generates. Concatenating the HTML file with
> >> >>> another that
> >> >>> have an iframe to a malicious JAR file. Do you have any
> >> >>> suggestions to
> >> >>> prevent this action? The hacker has no access to our file system,
> >> >>> he is
> >> >>> imputing the code through some security hole. The problem is that
> >> >>> the
> >> >> portal
> >> >>> is very big and has lots and lots partners hosted on our
> >> estructure
> >> >>> structure. We are failing to identify the focus of this attacks.
> >> >>>
> >> >>> Any ideas?
> >> >>>
> >> >>
> >> >> Check all user input + upload: make sure that whatever comes
> >> from the
> >> >> user is validated. Then check all output: make sure that everythin
> >> >> output is escaped properly. Yes, it's an enormous task, but
> >> there's
> >> >> no
> >> >> way around it.
> >> >>
> >> >> Regards
> >> >> Peter
> >> >>
> >> >> --
> >> >> <hype>
> >> >> WWW: http://plphp.dk / http://plind.dk
> >> >> LinkedIn: http://www.linkedin.com/in/plind
> >> >> BeWelcome/Couchsurfing: Fake51
> >> >> Twitter: http://twitter.com/kafe15
> >> >> </hype>
> >> >>
> >>
> >
> > htmlspecialchars() is really only good for user input that you are
> > outputting to the browser. For inserting data into a database, use
> > mysql_real_escape_string(). I find it's good to think carefully
> > about what sort of data I expect and sanitise it accordingly. If I
> > want a numerical value, I use intval($_GET['var']) or floatval().
> > For things like small text box elements, regex's work well depending
> > on the data. For data from select lists of checkboxes, make sure the
> > value given is within a list of pre-determined values you have.
> > Basically, nothing from the user should be trusted at all, ever.
> >
> > As soon as you let go of that trust in the good honesty of people
> > you'll do fine ;)
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
>
>
> Why waste time validating an integer value when intval() will do that for
> you?
>
>
>   Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux