On Mon, 2010-06-07 at 10:48 -0700, Michael Shadle wrote:

> Oh yeah. I do more than just intval() I make sure they didn't feed me  
> anything BUT numeric text first. I do sanity check before type  
> forcing :)
> 
> I use garbage in garbage out. So I take what is given to me and yes I  
> escape it before the db of course as well, and then encode on output.
> 
> On Jun 7, 2010, at 10:45 AM, Ashley Sheridan  
> <a...@ashleysheridan.co.uk> wrote:
> 
> > On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:
> >>
> >> It's not that bad.
> >>
> >> Use filter functions and sanity checks for input.
> >>
> >> Use htmlspecialchars() basically on output.
> >>
> >> That should take care of basically everything.
> >>
> >> On Jun 7, 2010, at 6:16 AM, Igor Escobar <titiolin...@gmail.com>  
> >> wrote:
> >>
> >> > This was my fear.
> >> >
> >> > Regards,
> >> > Igor Escobar
> >> > Systems Analyst & Interface Designer
> >> >
> >> > + http://blog.igorescobar.com
> >> > + http://www.igorescobar.com
> >> > + @igorescobar (twitter)
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind <peter.e.l...@gmail.com>
> >> > wrote:
> >> >
> >> >> On 7 June 2010 14:54, Igor Escobar <titiolin...@gmail.com> wrote:
> >> >>> Hi Folks!
> >> >>>
> >> >>> The portal for which I work is suffering constant attacks that I
> >> >>> feel is PHP Injection. Somehow the hacker is getting to change the
> >> >>> cache files that our system generates. Concatenating the HTML file
> >> >>> with another that has an iframe to a malicious JAR file. Do you have
> >> >>> any suggestions to prevent this action? The hacker has no access to
> >> >>> our file system, he is inputting the code through some security
> >> >>> hole. The problem is that the portal is very big and has lots and
> >> >>> lots of partners hosted on our structure. We are failing to identify
> >> >>> the focus of these attacks.
> >> >>>
> >> >>> Any ideas?
> >> >>>
> >> >>
> >> >> Check all user input + upload: make sure that whatever comes from
> >> >> the user is validated. Then check all output: make sure that
> >> >> everything output is escaped properly. Yes, it's an enormous task,
> >> >> but there's no way around it.
> >> >>
> >> >> Regards
> >> >> Peter
> >> >>
> >> >> --
> >> >> <hype>
> >> >> WWW: http://plphp.dk / http://plind.dk
> >> >> LinkedIn: http://www.linkedin.com/in/plind
> >> >> BeWelcome/Couchsurfing: Fake51
> >> >> Twitter: http://twitter.com/kafe15
> >> >> </hype>
> >> >>
> >>
> >
> > htmlspecialchars() is really only good for user input that you are  
> > outputting to the browser. For inserting data into a database, use  
> > mysql_real_escape_string(). I find it's good to think carefully  
> > about what sort of data I expect and sanitise it accordingly. If I  
> > want a numerical value, I use intval($_GET['var']) or floatval().  
> > For things like small text box elements, regex's work well depending  
> > on the data. For data from select lists of checkboxes, make sure the  
> > value given is within a list of pre-determined values you have.  
> > Basically, nothing from the user should be trusted at all, ever.
> >
> > As soon as you let go of that trust in the good honesty of people  
> > you'll do fine ;)
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >


Why waste time validating an integer value when intval() will do that
for you?

Thanks,
Ash
http://www.ashleysheridan.co.uk
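An added example, not code from anyone in this thread, sketching the validate-by-expected-type approach Ash describes above (intval()/floatval() for numbers, a regex for short text boxes, a whitelist for select lists, htmlspecialchars() on output) and showing why Michael's "numeric text first" check matters: intval() coerces junk rather than rejecting it. Function names, field names and the request array are constructed for illustration; the database part assumes a PDO handle `$pdo` and uses a prepared statement in place of mysql_real_escape_string(), since the mysql_* extension was removed in PHP 7.

```php
<?php
// Added example (not from the thread). Illustrative helper names throughout.

// intval("42abc") === 42 and intval("abc") === 0, so coercion alone turns
// bad input into a plausible number. Checking the shape first lets us reject.
function readInt(array $src, string $key): ?int {
    if (!isset($src[$key]) || !is_string($src[$key])) return null;
    $v = trim($src[$key]);
    return preg_match('/^-?\d{1,10}$/', $v) ? (int)$v : null;
}

// Select lists / checkboxes: accept only a pre-determined value.
function readEnum(array $src, string $key, array $allowed): ?string {
    $v = $src[$key] ?? null;
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : null;
}

// Small text box: tight regex on the expected shape, bounded length.
function readShortText(array $src, string $key): ?string {
    $v = $src[$key] ?? null;
    return (is_string($v) && preg_match('/^[\w .\'-]{1,64}$/', $v)) ? $v : null;
}

// Escape at the point of output, not before storage.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request, standing in for $_GET.
$get = ['page' => '3abc', 'sort' => 'price', 'q' => '<script>x</script>'];

$page = readInt($get, 'page');                      // null: rejected, not 3
$sort = readEnum($get, 'sort', ['name', 'price']);  // 'price'
$q    = readShortText($get, 'q');                   // null: rejected

// Database: the validated integer goes in as a bound parameter; the column
// name comes only from the whitelist, since identifiers cannot be bound.
// ($pdo assumed to be an existing PDO connection.)
// $stmt = $pdo->prepare("SELECT id, name FROM items ORDER BY $sort LIMIT ?, 20");
// $stmt->execute([(($page ?? 1) - 1) * 20]);

// Output: whitelisted value is still escaped on the way to the browser.
echo '<a href="?sort=' . h($sort ?? 'name') . '">sort</a>';
```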

