Re: Filtering data not with mysql...


 



On Wed, May 18, 2011 at 9:18 PM, Jason Pruim <lists@xxxxxxxxxxxxxxxxxxxx> wrote:

> Hey Everyone,
>
> Probably a simple question but I wanted to make sure I was right before I
> got too far ahead of myself....
>
> I have a form that I am working on and this form will be emailed to the
> recipient for processing (Not stored in a database).
>
> When I store in a database, I simply run all the data through
> mysql_real_escape_string() and it's all good...  Without the database, is it
> just as easy as addslashes($var)? or is there more that needs to be done?
>
> In the end, the info will be echoed back out to the user to be viewed but
> not edited and emailed to someone to add the registration, collect money, etc
> etc.
>
> Am I on the right track or do I need to rethink my whole process? :)
>

Security depends on keeping a keen eye on context. You want to always be
sure that your PHP scripts appropriately validate input according to the
context (what cultures or languages are you expecting, what character
encodings, etc.), and you want to escape output according to context. There
are of course many other security issues developers have to watch for, but
these two areas are the source of many of the security issues in web apps,
and it sounds like you're looking for feedback specific to these two
concerns.

In this case it sounds like you'll be outputting user data using HTML, so
the data should be properly escaped for HTML (also focused on context, as
the output can be within a tag, an attribute of a tag, or a url of a tag,
and each situation requires specific escaping.)

Additionally, it sounds like you'll be using the user data in an email, so
you'll have to properly escape the output to avoid email injection.

To deal with the input validation and HTML escaping, I use my framework,
Nephtali, but many other frameworks help you achieve this (including
Facebook's XHP, which is quite clever according to context:
http://www.facebook.com/notes/facebook-engineering/xhp-a-new-way-to-write-php/294003943919),
and the combination of PHP filters and functions like htmlspecialchars(),
urlencode, etc., greatly facilitate rolling your own library if you wish. To
prevent email injection, I use the Zend Framework Email classes, as they're
very powerful, easy to use, and protect against injection.

I'm a security expert by any means, as I've made mistakes in the past that
have provided education the hard way!

In fact, I'll confess that there was a point a few years ago that I'd sent
Rasmus Lerdorf a link to promote my framework (back when it was OOP-based
rather than the functionally inspired, which was a long time ago), and I
thought I'd make a few quick edits just to make it easy for him to view the
source and see how I was handling what I thought was a cool little parallel
processing idea (it really wasn't that cool, I was young and dumb, and the
implementation was slow.) In my haste to add the code, I actually worked
outside of the framework's natural encoding capabilities, and I forgot to
manually handle the validation and encoding (the feature was new enough that
I hadn't yet integrated into the natural flow of processing.)

Alas, because I noted the security focus of the framework, Rasmus ran some
security tests on my site (which performed slowly because of my stupid
parallel idea) and that code that I forgot to manually handle led to the
reply below:

> Given this claim and the fact that you are eating your own dogfood, as
> you say, then it is probably a bad sign that you have an XSS on
> framework site.
>
> The site is so slow it is hard to poke it for others, but there is an
> obvious one in the <!--current_url=--> html comment.  You are not
> escaping the url correctly there.


It's been said before, but let me say it with meaning: "NOW THAT'S
EMBARRASSING!"

I tried to make a quick little edit, and even though I'd built a framework
that focused on proper validation and escaping, I still forgot to add the
validation and escaping code for one little snippet I told myself I'd get
back to later to manually handle.

*Moral:* Don't rush. Carefully deliberate on the context, both in terms of
the expectations for input AND the nature of output. If you do this, you
eventually will get the level of security you're after (that, and fuzz the
heck out of something before you send it to Rasmus :)

Adam

-- 
Nephtali:  A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
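
Added example, not part of the original message and not Nephtali, XHP or Zend Framework code: a minimal PHP sketch of escaping the same form data per output context (element content, attribute, URL parameter, HTML comment, mail header). The helper names, the `/receipt.php` path and the sample values are assumptions constructed for illustration.

```php
<?php
// Constructed sample input standing in for a submitted registration form.
$form = [
    'name'    => "Ann <b>O'Neil</b>",
    'email'   => "ann@example.com\r\nBcc: someone@example.net",
    'comment' => 'Table for 2 --> "near the stage"',
];

// HTML element content and quoted attribute values: encode & < > " '.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed inside a URL query string: percent-encode it, then
// HTML-escape the whole URL because it sits in an href attribute.
function esc_url_param(string $base, string $key, string $value): string {
    return esc_html($base . '?' . rawurlencode($key) . '=' . rawurlencode($value));
}

// Mail header values: refuse CR/LF, which would otherwise let the value
// start a new header line, then validate the address format.
function safe_header_email(string $s): ?string {
    if (preg_match('/[\r\n]/', $s)) {
        return null;
    }
    $v = filter_var($s, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

$replyTo = safe_header_email($form['email']);   // null for the sample above

echo '<p>Name: ' . esc_html($form['name']) . "</p>\n";
echo '<input type="text" readonly value="' . esc_html($form['comment']) . "\">\n";
echo '<a href="' . esc_url_param('/receipt.php', 'name', $form['name']) . "\">Receipt</a>\n";
// Inside an HTML comment, encoding ">" keeps the value from closing the comment.
echo '<!-- comment=' . esc_html($form['comment']) . " -->\n";
echo '<p>Reply-To accepted: ' . ($replyTo === null ? 'no' : esc_html($replyTo)) . "</p>\n";

// The mail body is plain text, so it is not HTML-escaped; only header
// values need the CR/LF check. mail() is not called in this sketch.
$body = "Name: {$form['name']}\nComment: {$form['comment']}\n";
$headers = ['Content-Type' => 'text/plain; charset=UTF-8'];
if ($replyTo !== null) {
    $headers['Reply-To'] = $replyTo;
}
```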
