php-general Digest 19 Dec 2004 16:46:04 -0000 Issue 3179
Topics (messages 204672 through 204678):
Re: sanitizing/security
204672 by: Jed Smith
204673 by: John Holmes
204678 by: Matthew Weier O'Phinney
Very Odd Session Array Problem
204674 by: Aaron Axelsen
want a binary PHP for SCO OpenServer 5.0.5
204675 by: shimuqiheb.abchina.com
Re: Storing binary data within a php script.
204676 by: Jamie
Re: PHP 5 MySql 4.1 issue - can't connect to mysql.sock
204677 by: user.domain.invalid
----------------------------------------------------------------------
--- Begin Message ---
mysql_escape_string() is what you're looking for.
Jed
Sebastian wrote:
just a question, what is the best way to sanitize your scripts when you're
using $_GET or $_REQUEST in a query?
eg, i usually just do:
if(is_numeric($_REQUEST['id']))
{
mysql_query("SELECT id FROM table WHERE
id=".intval($_REQUEST['id'])."");
}
what about when the GET is text? just use htmlspecialchars?
just looking for some advice to help keep my apps secure.
cheers
--
_
(_)___ Jed Smith, Code Monkey
| / __| [EMAIL PROTECTED] | [EMAIL PROTECTED]
| \__ \ +1 541 606-4145
_/ |___/ Signed mail preferred (PGP 0x703F9124)
|__/ http://personal.jed.bz/keys/jedsmith.asc
--- End Message ---
--- Begin Message ---
> From: "Sebastian" <[EMAIL PROTECTED]>
> just a question, what is the best way to sanitize your scripts when you're
> using $_GET or $_REQUEST in a query?
>
> eg, i usually just do:
>
> if(is_numeric($_REQUEST['id']))
> {
> mysql_query("SELECT id FROM table WHERE
> id=".intval($_REQUEST['id'])."");
> }
>
> what about when the GET is text? just use htmlspecialchars?
> just looking for some advice to help keep my apps secure.
Sanitize it for what? Insertion into the database? Displaying to a user?
Putting into an email? file? xml?
There's no one solution for sanitizing; it's all a matter of what you're doing
with the data and what you expect the data to be. If you expect the data to be
an integer, then make it an integer.
$input['value'] = (int)$_GET['value'];
Now you can range check it or whatever. is_numeric() works, but will accept
floating point and scientific numbers, by the way.
You need addslashes() (or mysql_real_escape_string(), if appropriate) for text
data going into the database.
htmlspecialchars() or htmlentities() is appropriate for text that'll be shown
to users on a web site.
Text going into the headers of an email should normally be filtered for
newlines so malicious users cannot inject additional headers.
Shall I go on?? ;)
---John Holmes...
UCCASS - PHP Survey System
http://www.bigredspark.com/survey.html
--- End Message ---
--- Begin Message ---
* Sebastian <[EMAIL PROTECTED]>:
> just a question, what is the best way to sanitize your scripts when you're
> using $_GET or $_REQUEST in a query?
>
> eg, i usually just do:
>
> if(is_numeric($_REQUEST['id']))
> {
> mysql_query("SELECT id FROM table WHERE
> id=".intval($_REQUEST['id'])."");
> }
>
> what about when the GET is text? just use htmlspecialchars?
> just looking for some advice to help keep my apps secure.
The proper method for doing this is to 'whitelist' -- in other words,
assume data is tainted, and only allow it if it passes certain criteria.
For text, you'll typically want to define what is allowed, create a
regular expression, and pass the value through that expression (this is
often called 'filtering').
By the way, if you're needing an integer ID in the test above, testing
for is_numeric() will not be enough -- it returns floats as well as
integers. Try:
if ($_REQUEST['id'] == strval(intval($_REQUEST['id'])))
In terms of sanitizing data for insertion into a database -- or even for
re-display to users -- you'll typically want to use htmlentities()
and/or strip_tags() first (after you've validated that data, that is).
Then, for insertion into the database, use your database driver's
quoting method. In MySQL, this is mysql_real_escape_string().
Alternatively, use a database abstraction layer such as ADODB or
PEAR::DB/MDB2 and use its prepare() functionality (that way you don't
need to know the db's specific functions).
--
Matthew Weier O'Phinney | mailto:[EMAIL PROTECTED]
Webmaster and IT Specialist | http://www.garden.org
National Gardening Association | http://www.kidsgardening.com
802-863-5251 x156 | http://nationalgardenmonth.org
--- End Message ---
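The context-specific handling that John's and Matthew's replies describe, as an added example (not code from either post). It assumes an open PDO handle `$pdo` and a placeholder table `items`, and uses a PDO prepared statement in place of mysql_real_escape_string(); the integer test uses `===` rather than the loose `==`, since PHP compares two numeric strings numerically under `==`.

```php
<?php
// Added example, not from the list posts: context-specific handling of request
// input as the two replies above describe it. SQL goes through a PDO prepared
// statement instead of mysql_real_escape_string() (the mysql_* extension is
// gone from modern PHP). Assumptions: $pdo is an open PDO handle, "items" is a
// placeholder table name.

// Strict integer check. is_numeric() also accepts "1.5" and "1e3", and a loose
// == against strval(intval($v)) compares numeric strings numerically, so
// "1e3" == "1000" passes on PHP >= 7.1. Use === so the comparison stays textual.
function isStrictInt(string $v): bool
{
    return $v === strval(intval($v));
}

// Free text: whitelist what is allowed and reject everything else.
function isSafeName(string $v): bool
{
    return preg_match('/^[A-Za-z0-9 _.-]{1,64}$/', $v) === 1;
}

// Email header value: a CR or LF would start a new header, so refuse the value.
function headerValue(string $v): ?string
{
    return preg_match('/[\r\n]/', $v) ? null : $v;
}

// HTML output: escape when displaying, not when storing.
function forHtml(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// SQL: validate first, then let the driver quote the value.
function findItemById(PDO $pdo, string $rawId): ?array
{
    if (!isStrictInt($rawId)) {
        return null;                        // reject, do not "repair"
    }
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = ?');
    $stmt->execute([(int)$rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: true, true, false, false, false; then the header is refused.
var_dump(isStrictInt('42'), isStrictInt('-7'), isStrictInt('1e3'),
         isStrictInt('1.5'), isStrictInt('007'));
var_dump(isSafeName('Jed Smith'), headerValue("Re: order\r\nextra"), forHtml('Tom & "Jerry"'));
```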
--- Begin Message ---
We have the chunk of code at the bottom of the page. It is behaving
very strangely under PHP 4.3.9. Basically, if it is not coded exactly as
listed below, it will not work right. The development server is running
5.0.3, and it works fine. However, the live server has 4.3.9. Is there
something vastly different with arrays and session variables?
$key = $_REQUEST['quote'];
$quotes = $_SESSION['quotes'][$key];
//unset($_SESSION['quotes'][$key]);
$doc = $file_array[$key];

// handle a new quantity request
if(isset($_REQUEST['qty']) &&
   preg_match('/^\d+$/',$_REQUEST['qty']))
{
    if(!(is_array($quotes)))
        $quotes = array();
    //print $_REQUEST['qty'];
    $found = false;
    if(count($quotes) > 0)
    {
        foreach($quotes as $qty)
        {
            if($qty == $_REQUEST['qty'])
                $found = true;
        }
    }
    //print_r($quotes);
    if(!$found) {
        print "Before";
        print_r($quotes);
        array_push($quotes, $_REQUEST['qty']);
        print "After";
        print_r($quotes);
        $quoteString = implode(",",$quotes);
        $_SESSION['quotes'][$key] = explode(",",$quoteString);
    } else {
        $quoteString = implode(",",$quotes);
        $_SESSION['quotes'][$key] = explode(",",$quoteString);
    }
    //print_r($quotes);
    //sort($quotes);
    //print_r($quotes);
    //print_r($_SESSION['quotes'][$key]);
    //$_SESSION['quotes'][$key] = array();
    //$quotes = $_SESSION['quotes'][$key];
    print "Session";
    print_r($_SESSION['quotes'][$key]);
}
--
Aaron Axelsen
[EMAIL PROTECTED]
Great hosting, low prices. Modevia Web Services LLC -- http://www.modevia.com
--- End Message ---
--- Begin Message ---
I want a binary PHP for use on SCO 5.0.5. Who can help me?
--- End Message ---
--- Begin Message ---
Thanks Jed,
I'm just trying your method.
If I have any problems I'll reply to this post.
Jamie
"Jed Smith" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> This is done in a few examples using base64_encode() and base64_decode().
> A particular OpenGL example I can recall encoded a small (~20k) DLL
> directly into the PHP source that relied upon it, then unpacked it at
> runtime.
>
> Ah, there it is:
>
> ** snip **
>
> if ( is_file( "SimpleWndProc.dll" ) ? filesize( "SimpleWndProc.dll" ) !=
> 2560 : 1 )
> {
> $dll =
> "eNrtVU9IFGEUf7NpTbZue1hCYqlvQT3JslsG0clt/aho1XHNDOnguDutY+uMzh80"
> .
> "KDrYQTPJS1TUoWMEdSpYrEOEsQl66yD9gT1ILCHhIcqDML35Zla3IgO7mQ9+733v"
> /* ... */
> .
> "dxBP8K4dRTzGcY6dBwcd8sBgVupS0lgfi9siXnQPAErZOyqrYXMXwO/8l7oiy5Fv"
> . "kdWIJ8pHfdFAdH90uzf+D/QDFVAQCA==";
>
> $dllout = fopen( "SimpleWndProc.dll", "wb" );
>
> if ( !$dllout )
> die( "Unable to extract SimpleWndProc.dll" );
>
> fwrite( $dllout, gzuncompress( base64_decode( $dll ) ) );
> fclose( $dllout );
>
> ---------------
>
> That's from an iridium example. You just base64 encode the data and
> enclose it in a string. Of course, that's simply one way of doing it.
>
> Jed
>
> Jamie wrote:
>> Hi all,
>>
>> Well so far my attempts to make this work have failed so I thought I
>> would try here. What I have is an installation script that has to write a
>> few files to the webserver. I'm trying to cut down on the amount of files
>> that need to be uploaded/modified etc. So what I'm trying to do is include
>> all the data in one file, which the user then uploads, and the physical
>> Visual Basic program activates the script, which in turn sets up the web
>> server side. The problem comes when I'm trying to handle the ASCII values
>> for the binary data. "Warning: Unexpected character in input: ''
>> (ASCII=3) state=2."
>>
>> I basically have 3 questions.
>>
>> 1) Is it possible to store binary data in text form during transport and
>> then use PHP's file writing functions to output the file?
>> 2) How would I do it, as I guess I have to encode the ASCII characters, but
>> how would I do that?
>> 3) Are there any better ways you would suggest to do this?
>>
>> I'm trying to do this for two reasons: the first is to make the application usable
>> by anyone and the second reason is to try to push the boundaries of the
>> language.
>>
>> I would like anyone's comments and views on this please. Any views might
>> help me come to a result.
>>
>> Thanks
>>
>> Jamie
>
>
> --
> _
> (_)___ Jed Smith, Code Monkey
> | / __| [EMAIL PROTECTED] | [EMAIL PROTECTED]
> | \__ \ +1 541 606-4145
> _/ |___/ Signed mail preferred (PGP 0x703F9124)
> |__/ http://personal.jed.bz/keys/jedsmith.asc
--- End Message ---
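The base64 + gzcompress embedding Jed describes, as an added example (not the iridium code quoted above). It adds what the quoted snippet lacks: the quoted code only compares filesize() before deciding whether to re-extract, so a same-sized but different or corrupted file is accepted; this version checks a SHA-256 of the decoded bytes and writes via a temp file. The payload bytes are constructed here.

```php
<?php
// Added example, not the iridium code quoted above: the same base64 + gzcompress
// embedding, with a content hash checked before anything is written. The quoted
// snippet only compares filesize(), so a same-sized but different file (or a
// corrupted payload) would be left in place. Payload bytes are constructed here.

// Build step (run once, offline): turn the binary file into a PHP string literal.
function embedBinary(string $bytes): string
{
    return base64_encode(gzcompress($bytes, 9));
}

// Install step: decode, verify, then write atomically (temp file + rename) so a
// half-written file never sits at the final path.
function extractBinary(string $encoded, string $expectedSha256, string $dest): bool
{
    $raw = base64_decode($encoded, true);   // strict: reject non-base64 characters
    if ($raw === false) {
        return false;
    }
    $bytes = @gzuncompress($raw);
    if ($bytes === false || !hash_equals($expectedSha256, hash('sha256', $bytes))) {
        return false;                       // corrupted or tampered payload
    }
    if (is_file($dest) && hash_file('sha256', $dest) === $expectedSha256) {
        return true;                        // already installed and intact
    }
    $tmp = $dest . '.tmp.' . getmypid();
    if (file_put_contents($tmp, $bytes, LOCK_EX) !== strlen($bytes)) {
        @unlink($tmp);
        return false;
    }
    return rename($tmp, $dest);
}

// Constructed stand-in for a small binary (contains NUL and control bytes, which
// is exactly what broke the raw-paste approach in the original question).
$payload = "MZ\x90\x00\x03\x00\x00\x00" . str_repeat("\x00\xff", 100);
$encoded = embedBinary($payload);           // paste this literal into the script
$sha256  = hash('sha256', $payload);        // and this hash alongside it

$dest = sys_get_temp_dir() . '/example.bin';
var_dump(extractBinary($encoded, $sha256, $dest));                          // true
var_dump(extractBinary(substr($encoded, 0, -4) . 'AAAA', $sha256, $dest));  // false
unlink($dest);
```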
--- Begin Message ---
Barley wrote:
If I run the script from a shell prompt as root, it outputs "Yes". If I run
as any other user, it outputs "No." It also gives this error:
Warning: mysqli_connect(): Can't connect to local MySQL server through
socket '/var/lib/mysql/mysql.sock' (13)
Check permissions on /var/lib/mysql. From the sockets manpage:
NOTES
In the Linux implementation, sockets which are visible in the filesystem
honour the permissions of the directory they are in. Their owner, group
and their permissions can be changed. Creation of a new socket will fail
if the process does not have write and search (execute) permission on
the directory the socket is created in. Connecting to the socket object
requires read/write permission. This behavior differs from many
BSD-derived systems which ignore permissions for Unix sockets. Portable
programs should not rely on this feature for security.
--- End Message ---
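A check that walks the sockets(7) rules quoted above, as an added example (not code from the reply). Run it as the account PHP actually executes under (the web server user), since that is whose permissions the kernel consults; the socket path is the one reported in the warning.

```php
<?php
// Added example, not from the reply above: a check that mirrors the sockets(7)
// rules quoted there. Run it as the user PHP runs as (the web server account),
// because those are the permissions that matter. The socket path is the one
// from the warning in the original message.
function diagnoseSocketAccess(string $socket): array
{
    $problems = [];
    // Every directory on the way down needs search (execute) permission.
    $dir = '';
    foreach (explode('/', trim(dirname($socket), '/')) as $part) {
        $dir .= '/' . $part;
        if (!is_dir($dir)) {
            $problems[] = "$dir: does not exist";
            return $problems;
        }
        if (!is_executable($dir)) {
            $problems[] = sprintf('%s: no search (x) permission (mode %o)',
                                  $dir, fileperms($dir) & 0777);
        }
    }
    if (!file_exists($socket)) {
        $problems[] = "$socket: not present (is mysqld running, and is this its socket path?)";
        return $problems;
    }
    if (filetype($socket) !== 'socket') {
        $problems[] = "$socket: exists but is not a socket";
    }
    // Connecting needs read and write permission on the socket itself.
    if (!is_readable($socket) || !is_writable($socket)) {
        $problems[] = sprintf('%s: needs rw for this user (mode %o, owner uid %d)',
                              $socket, fileperms($socket) & 0777, fileowner($socket));
    }
    return $problems;
}

$report = diagnoseSocketAccess('/var/lib/mysql/mysql.sock');
echo $report ? implode("\n", $report) . "\n" : "permissions look fine\n";
```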