Oh yeah. I do more than just intval(): I make sure they didn't feed me
anything BUT numeric text first. I do a sanity check before type
forcing :)

I use garbage in, garbage out. So I take what is given to me and yes, I
escape it before the db of course as well, and then encode on output.
On Jun 7, 2010, at 10:45 AM, Ashley Sheridan
<ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:
>>
>> It's not that bad.
>>
>> Use filter functions and sanity checks for input.
>>
>> Use htmlspecialchars() basically on output.
>>
>> That should take care of basically everything.
>>
>> On Jun 7, 2010, at 6:16 AM, Igor Escobar <titiolinkin@xxxxxxxxx>
>> wrote:
>>
>> > This was my fear.
>> >
>> > Regards,
>> > Igor Escobar
>> > Systems Analyst & Interface Designer
>> >
>> > + http://blog.igorescobar.com
>> > + http://www.igorescobar.com
>> > + @igorescobar (twitter)
>> >
>> > On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind <peter.e.lind@xxxxxxxxx>
>> > wrote:
>> >
>> >> On 7 June 2010 14:54, Igor Escobar <titiolinkin@xxxxxxxxx> wrote:
>> >>> Hi Folks!
>> >>>
>> >>> The portal for which I work is suffering constant attacks that I
>> >>> feel is PHP Injection. Somehow the hacker is getting to change the
>> >>> cache files that our system generates, concatenating the HTML file
>> >>> with another that has an iframe to a malicious JAR file. Do you
>> >>> have any suggestions to prevent this action? The hacker has no
>> >>> access to our file system, he is inputting the code through some
>> >>> security hole. The problem is that the portal is very big and has
>> >>> lots and lots of partners hosted on our structure. We are failing
>> >>> to identify the focus of these attacks.
>> >>>
>> >>> Any ideas?
>> >>>
>> >>
>> >> Check all user input + upload: make sure that whatever comes from
>> >> the user is validated. Then check all output: make sure that
>> >> everything output is escaped properly. Yes, it's an enormous task,
>> >> but there's no way around it.
>> >>
>> >> Regards
>> >> Peter
>> >>
>> >> --
>> >> <hype>
>> >> WWW: http://plphp.dk / http://plind.dk
>> >> LinkedIn: http://www.linkedin.com/in/plind
>> >> BeWelcome/Couchsurfing: Fake51
>> >> Twitter: http://twitter.com/kafe15
>> >> </hype>
>> >>
>>
>
> htmlspecialchars() is really only good for user input that you are
> outputting to the browser. For inserting data into a database, use
> mysql_real_escape_string(). I find it's good to think carefully
> about what sort of data I expect and sanitise it accordingly. If I
> want a numerical value, I use intval($_GET['var']) or floatval().
> For things like small text box elements, regexes work well depending
> on the data. For data from select lists or checkboxes, make sure the
> value given is within a list of pre-determined values you have.
> Basically, nothing from the user should be trusted at all, ever.
>
> As soon as you let go of that trust in the good honesty of people
> you'll do fine ;)
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
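The advice in this thread (Michael's sanity check before type forcing, Ashley's whitelist of pre-determined values and htmlspecialchars() on output) worked into one small PHP request handler. This is an added example, not code posted by anyone on the list; it uses PDO prepared statements for the database step instead of mysql_real_escape_string(), and the table, column names, DSN and credentials are assumed placeholders.

```php
<?php
// Added example (not from the list): sanity-check before type forcing,
// whitelist fixed choices, bind query values, escape on output.
// Reject "12abc" outright instead of letting intval() quietly turn it into 12.
function readInt(array $src, string $key, int $min, int $max): ?int
{
    if (!isset($src[$key]) || !is_string($src[$key])) return null;
    $v = filter_var($src[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Select lists / checkboxes: the value must be one of ours, nothing else.
function readChoice(array $src, string $key, array $allowed): ?string
{
    $v = $src[$key] ?? null;
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : null;
}

// Small text box: a length cap plus a regex that fits the expected data.
function readSlug(array $src, string $key): ?string
{
    $v = $src[$key] ?? null;
    return (is_string($v) && preg_match('/^[a-z0-9-]{1,40}$/', $v)) ? $v : null;
}

// Escape once, at the point the data reaches the browser.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$page = readInt($_GET, 'page', 1, 1000);
$sort = readChoice($_GET, 'sort', ['date', 'title']);
$tag  = readSlug($_GET, 'tag');
if ($page === null || $sort === null || $tag === null) {
    http_response_code(400);
    exit('Bad request');
}

// Assumed schema: articles(title, tag, date); DSN and credentials are placeholders.
// $sort and $page are spliced in only because they were whitelisted/validated
// above; $tag is bound as a parameter, so no escaping by hand is needed.
$pdo = new PDO('mysql:host=localhost;dbname=portal', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$st = $pdo->prepare("SELECT title FROM articles WHERE tag = :tag ORDER BY $sort LIMIT 20 OFFSET " . (($page - 1) * 20));
$st->execute([':tag' => $tag]);
foreach ($st->fetchAll(PDO::FETCH_COLUMN) as $title) {
    echo '<li>', h($title), "</li>\n";
}
```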