ID: 46520
Comment by: auday dot talib at gmail dot com
Reported By: auday dot talib at gmail dot com
Status: Open
Bug Type: Feature/Change Request
Operating System: linux
PHP Version: 5.2.6
New Comment:
For the SQL injection at the beginning of the above message, I want to
comment on what happens if someone entered
1oror1,
PHP should always check the statements in the original file; then the
values entered will not be processed or compiled, as they are not the actual
statement.
Previous Comments:
------------------------------------------------------------------------
[2008-11-07 19:17:55] auday dot talib at gmail dot com
Description:
------------
Hello,
This is Auday. I am learning PHP and reading about security, and
thought about SQL injections.
We use select from tablename where something = something1 AND
somethingelse = something2
I thought about preventing SQL attacks by these methods:
1- Use of ANDAND OROR, which means PHP will ignore any other OR or AND
after this.
Example: select from userstable where username = $_POST['username']
ANDAND Password = $_POST['password']
So
if the password is entered with this
OR 1=1, which is very famous, PHP will ignore it.
2- PHP ignores any logical statements such as OR/AND in any value before
ANDAND or OROR.
If in the example above someone entered the username with ANDAND or
OROR to make PHP ignore the other conditions, PHP should deal with the
value as text, not a logical part.
In other words, values used for the SQL queries are not processed as
code, by disallowing ANDAND or OROR in variables.
Just like some conditions we have for variables, one more to add is no
OROR, ANDAND and any other related things.
3- XSS: I know a little bit about PHP and this one, but I thought
about this method for preventing it.
When someone tries to pass HTML code or JavaScript or even PHP, the PHP
engine should do these things:
A) Checking the restrictions in php.ini, new lines for example like
therulesforGET = nocode
This is what will turn spaces to , and these < (smaller than)
, &rt; (greater than)
without the need for regular expressions and other methods ... server
admins can set, for example, an ini file with
HTMLinPOST['username'] = no
HTMLinPOST['message'] = yes(p,font,etc) // allowed tags for this one
HTMLattributesinPOST['message'] = no // or set it to yes but allow
style, class, color, background and other not harmful things
What I am trying to say is to make PHP easier for programmers ... they
set the limits their application should have, then PHP does the regular
expressions part and other stuff.
B) Setting the formats the same way as above.
Let's say PHP will take $n as a number and $c as a character and dot as
a space.
In php.ini:
formatforPOST['postalcode'] = $c1$n1$c2.$n2$c3$n3 // Canada postal code
like t5t 1e1 will be the only one accepted for this
Same for others: $text-ini (any text), $numric-ini (any number). I
used ini to make it a bit different.
formatforGET['userid'] = $numric-ini // or just numric
So again ... I think PHP should have these stored in a file that the
engine reads and does all the other work.
I heard regular expressions are not PHP, but another language called Perl,
so we need something like the above as PHP regular expressions,
simply defined: text, nohtml, numeric and other things.
So I don't have to check whether it is numeric every time or call functions /
classes; I set one line and state that this data coming from POST is
numeric only ...
ERROR MESSAGES
If the value does not look the same as what is specified in the ini file, if it is
different, how should the programmer act? PHP will return an error
message stored on the server called POST['userid']error.
If it exists I display it ... or deal with it.
php-builtin-function-to-check-errors(POST['userid']error) // check if
this got an error ... return true or false
We assume this is a new function PHP introduces.
If POST['userid'] is set in the INI file to be numeric only but what is
entered is not numeric,
PHP returns this error:
POST['userid']error = 'not WHATINTHEINI' / this can be !numric
So the programmer didn't write and check the variable, but set it in
the ini file, and now got the error code from the function above.
if(POST['userid']error) {
// display the error by echo
echo $_POST['userid']error;
}
I hope this is the right place where I can submit ideas, and I hope you
read my message and try to see if there is something useful.
I hope I didn't waste your time.
Thanks
------------------------------------------------------------------------
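Added example, not part of the bug report and not code from the PHP project: the per-field rules the report asks for (a numeric-only userid, a fixed postal-code format, a per-field error) can be declared once and checked with PHP's filter extension, available since PHP 5.2. The field names come from the report; the rule table, the check_input() helper, the error strings and the sample input are constructed for illustration.

```php
<?php
// Per-field rules declared in one place, the role the report gives to php.ini lines.
$rules = array(
    'userid'     => FILTER_VALIDATE_INT,
    'postalcode' => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        // letter digit letter, space, digit letter digit, e.g. "t5t 1e1"
        'options' => array('regexp' => '/^[a-z][0-9][a-z] [0-9][a-z][0-9]$/i'),
    ),
);

// Hypothetical helper: returns array($clean, $errors) for one request array.
function check_input(array $input, array $rules)
{
    // filter_var_array() yields null for a missing field and false for a
    // field that fails its rule (including an array sent where a scalar is expected).
    $result = filter_var_array($input, $rules);
    $clean  = array();
    $errors = array();
    foreach ($rules as $field => $rule) {
        if ($result[$field] === null) {
            $errors[$field] = 'missing';
        } elseif ($result[$field] === false) {   // strict: a valid userid of 0 is kept
            $errors[$field] = 'wrong format';
        } else {
            $clean[$field] = $result[$field];
        }
    }
    return array($clean, $errors);
}

// Constructed sample standing in for $_POST: an injection-style userid
// and a well-formed postal code.
$sample = array('userid' => '1 OR 1=1', 'postalcode' => 't5t 1e1');
list($clean, $errors) = check_input($sample, $rules);

foreach ($errors as $field => $message) {
    // Escape on output so nothing request-derived reaches the page as markup.
    echo htmlspecialchars($field . ': ' . $message, ENT_QUOTES, 'UTF-8'), "\n";
}
foreach ($clean as $field => $value) {
    echo htmlspecialchars($field . ' accepted: ' . $value, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Format checks like these narrow what a field may contain; values that go into SQL should still be passed as bound parameters of a prepared statement so they are never parsed as part of the query.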