Basically, use one of the escape functions :)

For instance, looking at this piece of code:

$result = mysql_query("SELECT * FROM table WHERE username='$username' AND
                       password='$password'");

Now, you have the variables $username and $password to worry about. Now we
ask ourselves, what characters are valid entries here?

If we know that usernames and passwords can't contain spaces, we'll strip
out whitespace. If A-Z, 0-9, and underscores are the only legal characters,
we'll strip out anything that isn't a "word character".

Using this kind of "what's legal here?" questioning is typically the best
way to handle things. It ensures that no illegal entries can be in your code
so that no errors are spit out such as "this is not a legal resource
identifier". It also ensures no 'massaged' data can cause an unauthorized
user to see something they shouldn't see.

Then it only comes down to ensuring that legal characters can't be used in
some fashion which is not intended. I tend to limit myself to using only
word characters and whitespace, which seems safe in most cases. If you need
to use some other data, always use one of the PHP escape functions.

The final method to use is to ask yourself, "what variables can be passed
via session/cookie/put/get?". All other variables should be explicitly set
to _something_ early in the code before they would normally be used, and in
a way that ensures they are being set to something no matter what flow the
program takes (in other words, don't set them inside a conditional loop).

This is the cause of the majority of security holes. Often a program
evaluates a variable which is conditionally set inside the code without
ensuring that it's "clean". For example:

if ($submit)
{
    $sql = "SELECT * FROM table";
}

// bunch of code here

$result = mysql_query($sql);


If the user can massage the transaction so that $submit will evaluate to
false (such as appending "?submit=" onto the end of your page's URL), they
are now able to query your database with absolutely any query they like.
SELECT, UPDATE, or DROP, it's their choice. To be safe you need only insert
one line before the loop:

$sql = "";

So when using a variable which shouldn't be submitted from an outside
source, be sure that it's explicitly set to something before any evaluation
of that variable is done.


And that's about all I can think of. Still, it's best just to leave the
function on as an extra bit of security. You can never be too safe.


Plutarck
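The two points in the post above (decide what characters are legal and refuse everything else before a value reaches SQL; initialise any variable that must not come from the request before any conditional can leave it unset) in working PHP. This is an added example, not code from the post or its author. Everything concrete in it is an assumption: a table called `users` with columns id, username and password, an in-memory SQLite database opened through PDO so the script runs offline, and the helper names legal_word() and find_user(). PDO prepared statements stand in for the mysql_query() call in the post, which no longer exists in PHP 7 and later.

```php
<?php
// Added example (not from the original post). (1) Decide what is legal for
// $username and $password, reject anything else, and then bind the values
// instead of interpolating them into the SQL. (2) Set $sql to something
// unconditionally before any branch can touch it.
// Assumptions, all hypothetical: a table `users` (id, username, password);
// an in-memory SQLite database via PDO so this runs offline (PDO replaces the
// mysql_query() call from the post, which is gone in PHP 7+); legal_word()
// and find_user() are this example's own helper names.

declare(strict_types=1);

/**
 * Return $value if it consists only of "word characters" (A-Z, a-z, 0-9, _)
 * and is no longer than $maxLen; otherwise return null. This is the
 * "what's legal here?" check: everything not explicitly allowed is refused.
 */
function legal_word(?string $value, int $maxLen = 32): ?string
{
    if ($value === null || $value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // \A and \z anchor the whole string; with ^ and $ alone a trailing
    // newline would still match.
    return preg_match('/\A\w+\z/', $value) === 1 ? $value : null;
}

/**
 * Look up a user from the submitted form fields. The values are read from
 * $post explicitly rather than from bare $username/$password variables that
 * register_globals might have filled in from the request.
 */
function find_user(PDO $db, array $post): ?array
{
    $username = legal_word($post['username'] ?? null);
    $password = legal_word($post['password'] ?? null, 64);
    if ($username === null || $password === null) {
        return null; // illegal input: refuse before the database is touched
    }

    // Even validated input is bound, not interpolated: the placeholder keeps
    // data separate from SQL, so a quote in the value can never close the
    // string literal as it could in "... username='$username' ...".
    // (Comparing plaintext passwords, as the post's query does, is kept only
    // to match that example; real code stores password_hash() output and
    // checks it with password_verify().)
    $stmt = $db->prepare(
        'SELECT id, username FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database with one sample row (assumption, see above).
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'secret_1')");

// Legal input finds the row; the classic "' OR '1'='1" payload never reaches
// SQL because the quote and the spaces are not word characters.
var_dump(find_user($db, ['username' => 'alice', 'password' => 'secret_1']));
var_dump(find_user($db, ['username' => "' OR '1'='1", 'password' => 'x']));

// Point (2): initialise $sql before any conditional. Without this line, with
// register_globals on, a request of ?submit=&sql=DROP+TABLE+users would make
// $submit false and hand the attacker's text to the query call below.
$sql = '';
$submit = isset($_POST['submit']); // read the flag from the request explicitly

if ($submit) {
    $sql = 'SELECT id, username FROM users';
}

// bunch of code here

// From the command line $_POST is empty, so $sql stays '' and no query runs,
// which is exactly the behaviour the explicit initialisation guarantees.
if ($sql !== '') {
    foreach ($db->query($sql) as $row) {
        echo $row['id'], ' ', htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Run it with `php example.php` (needs the pdo_sqlite extension). The first var_dump prints the alice row, the second prints NULL: the injection attempt is rejected by the allow-list before any SQL is built, and even if a legal-looking value got through, the bound parameter could not alter the query.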

"Boget, Chris" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Anyway, it's not a big thing if you're _really_ stringent about how you
> > check every single variable which is used in a database query,
> > system/passthru/exec, or eval command, and your checking methods are
> > flawless, but otherwise it's just best to go to the trouble of hacking
> > around the input explicitly.
>
> What would you do to go about doing this?  How can you be
> _really stringent_ in checking your variables?  Check that they
> have a value?
>
> Chris
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
