Re: [fw-general] Security - Preventing SQL Injections, XSS etc

2009-06-07 Thread iceangel89

Oh, Matthew Weier O'Phinney mentioned that ... I meant when escaping for SQL
this time. 


vince. wrote:
 
 You could use
 $this->view->escape
 

-- 
View this message in context: 
http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23909053.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Security - Preventing SQL Injections, XSS etc

2009-06-07 Thread till
On Sun, Jun 7, 2009 at 11:12 AM, iceangel89 comet2...@gmail.com wrote:

 Oh, Matthew Weier O'Phinney mentioned that ... I meant when escaping for SQL
 this time.

Read this first:
http://framework.zend.com/manual/en/zend.db.html#zend.db.adapter.quoting

Then take a look at this example:
http://framework.zend.com/manual/en/zend.db.html#zend.db.adapter.select.fetchassoc


Till


Re: [fw-general] Security - Preventing SQL Injections, XSS etc

2009-06-07 Thread Matthew Weier O'Phinney
-- iceangel89 comet2...@gmail.com wrote
(on Saturday, 06 June 2009, 08:51 PM -0700):
 Matthew Weier O'Phinney-3 wrote:
  (In 2.0, we will make escaping the default within Zend_View, and require
  you to explicitly ask for raw data if you don't want escaping.)
 
 that will be much better! 
 
 Hmm, sometimes if I have a complex query with joins to a lot of tables
 ... and I don't have time to find out what's the ZF way to do things ...
 can I use 
 
 $val = escapeSql($this->getRequest()->getParam('username')); // is there an
 escape SQL function? 
 $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'");

Each adapter has a quoteInto() method:

$sql = $db->quoteInto(
    'SELECT * FROM Users WHERE username = ?', 
    $this->getRequest()->getParam('username')
);
$results = $db->fetchAll($sql);

However, as noted before, it's usually easier and better to use
Zend_Db_Select, as it does this basically for you. More on that below.

 And you meant not just Zend_Db_Select, right? You refer to the quoting mechanism.
 Zend_Db_Select by itself just gives normal SQL, right? Is it
 quoteInto()/where() etc. that escapes for SQL? What if I need to escape
 something not in where? Maybe in the joins or having or something else? 

Zend_Db_Select does this for you, as the Select objects are adapter
specific. As an example, assuming you are using Sqlite for your
database, if you do the following:

$select = $db->select();
$select->from(array('u' => 'Users'))
       ->join(array('g' => 'Groups'), 'u.gid = g.id')
       ->where('g.name = ?', $group);

you will get the following SQL:

SELECT u.*, g.* FROM Users AS u
INNER JOIN Groups AS g ON u.gid = g.id 
WHERE (g.name = 'foo')

As you can see, it does the appropriate quoting for the database adapter.

Read the Zend_Db chapter. If you use the various quoting mechanisms, the
insert/update/delete methods, and Zend_Db_Select, you'll be protecting
your application quite well from SQL injections.

-- 
Matthew Weier O'Phinney
Project Lead| matt...@zend.com
Zend Framework  | http://framework.zend.com/
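A worked example, added here and not part of the thread or of Zend Framework's own code, contrasting the concatenated query quoted above with the quoteInto(), bound-parameter and Zend_Db_Select forms described in this reply (it also covers the where()/insert() points made in the earlier reply further down the page). It assumes Zend Framework 1.x on the include_path and the pdo_sqlite extension; the in-memory tables, rows and hostile inputs are constructed for the demonstration. One caveat the reply does not spell out: a join condition is inserted into the ON clause as given, so a value that belongs there has to be passed through quoteInto() yourself.

```php
<?php
// Added example: Zend_Db quoting in Zend Framework 1.x. Not code from the
// thread or from Zend Framework itself. Assumes ZF 1.x is on the include_path
// and the pdo_sqlite extension is loaded; tables, rows and the hostile inputs
// below are constructed for the demonstration.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));

$db->query('CREATE TABLE Groups (id INTEGER PRIMARY KEY, name TEXT)');
$db->query('CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, gid INTEGER)');
// insert() quotes identifiers and values for the adapter.
$db->insert('Groups', array('id' => 1, 'name' => 'admins'));
$db->insert('Groups', array('id' => 2, 'name' => 'users'));
$db->insert('Users',  array('username' => 'alice', 'gid' => 1));
$db->insert('Users',  array('username' => 'bob',   'gid' => 2));

// Hostile value standing in for $this->getRequest()->getParam('username').
$username = "x' OR '1'='1";

// 1. The string concatenation from the thread, left vulnerable on purpose:
//    the quote in $username closes the literal and the WHERE clause becomes
//    a tautology, so every row in Users comes back.
$unsafe = "SELECT * FROM Users WHERE username = '" . $username . "'";
printf("concatenated: %d row(s)\n", count($db->fetchAll($unsafe)));

// 2. quoteInto(): the value is quoted by the adapter (PDO::quote for
//    Pdo_Sqlite), so the embedded quote is doubled and stays inside the
//    literal; no user matches.
$safe = $db->quoteInto('SELECT * FROM Users WHERE username = ?', $username);
echo $safe, "\n";
printf("quoteInto:    %d row(s)\n", count($db->fetchAll($safe)));

// 3. Bound parameters: fetchAll() accepts a bind array, and the driver keeps
//    the value out of the SQL text entirely.
printf("bound:        %d row(s)\n",
    count($db->fetchAll('SELECT * FROM Users WHERE username = ?', array($username))));

// 4. Zend_Db_Select: where()/orWhere()/having() quote the value substituted
//    for '?'. A join condition, however, is inserted into the ON clause as
//    given, so a value that belongs there must go through quoteInto() first.
$group  = "admins' OR '1'='1";
$select = $db->select()
    ->from(array('u' => 'Users'), array('username'))
    ->join(array('g' => 'Groups'),
           $db->quoteInto('u.gid = g.id AND g.name = ?', $group),
           array('name'))
    ->where('u.username = ?', $username);
echo $select->assemble(), "\n";
printf("select:       %d row(s)\n", count($db->fetchAll($select)));

// 5. Identifiers (a sort column picked by the client) cannot be protected by
//    value quoting: accept only names from a whitelist, then quoteIdentifier().
$allowed = array('username', 'gid');
$column  = 'username; DROP TABLE Users';           // hostile input
if (!in_array($column, $allowed, true)) {
    $column = 'username';                          // known-good default
}
$sql = 'SELECT * FROM Users ORDER BY ' . $db->quoteIdentifier($column);
printf("ordered:      %d row(s)\n", count($db->fetchAll($sql)));
```

Run it with `php example.php`; the concatenated query is the only one that returns both users. Step 5 matters because quoteInto() and bound parameters only protect values: a column or table name that the client chooses is an identifier, and the only defence for identifiers is a whitelist.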


Re: [fw-general] Security - Preventing SQL Injections, XSS etc

2009-06-06 Thread Matthew Weier O'Phinney
-- iceangel89 comet2...@gmail.com wrote
(on Saturday, 06 June 2009, 03:12 AM -0700):
 What do I need to know to develop an app that is relatively safe from common
 security issues like SQL injections, XSS etc.? 
 
 Did I read somewhere that getRequest()->getParam('something') will be
 filtered by default? 

No, that is not the case, though it has been proposed. The problem with
this approach is that it is difficult to know what data will be
submitted -- and thus how it should be filtered. One possibility would
be to allow injecting a Zend_Filter_Input object, and only allow
retrieving values defined in that object. But this is a change that will
happen only in 2.0.

 BTW, if something is filtered/escaped for SQL, I need to unescape it for
 display, right? Is that handled by ZF by default already? 
 
 When I produce the output in HTML, how do I escape to reduce the risk
 of XSS? 
 What happens if I need to output HTML? I need to disable this behavior? 

The security mantra is "filter input, escape output". Within ZF,
filtering in this sense is usually the domain of Zend_Validate, which
allows you to be selective about what you consider valid input, while
escaping is the role of a variety of components, including Zend_View,
Zend_Filter, Zend_Db, and even the various server components.

Escaping happens anytime you are sending data somewhere else -- back to
the browser or other client, or even to the _database_.

What you're actually asking about is two different types of escaping.

When it comes to the database, you should be using Zend_Db_Select, the
adapter's quoting mechanism, or bound parameters. Zend_Db facilitates
all of this. As an example, using Zend_Db_Select's where() method, you
can be certain that the values will be escaped properly:

$select->where('id = ?', $id);

Using either the adapter's or Zend_Db_Table's insert() or update()
methods, you also get appropriate escaping of the values provided.

When it comes to creating markup (HTML), use Zend_View's escape() method
when outputting suspect data:

<?php echo $this->escape($this->foo) ?>

(In 2.0, we will make escaping the default within Zend_View, and require
you to explicitly ask for raw data if you don't want escaping.)

-- 
Matthew Weier O'Phinney
Project Lead| matt...@zend.com
Zend Framework  | http://framework.zend.com/
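An added example of the escape-on-output step described in this reply; it is not code from the thread or from Zend Framework itself. It assumes Zend Framework 1.x on the include_path, and the attacker-controlled strings are constructed inline. It also shows a caveat the reply does not mention: the default escape callback in ZF 1.x is htmlspecialchars() called with ENT_COMPAT, which leaves single quotes untouched, so a value placed in a single-quoted attribute is still exploitable unless you register a stricter escaper.

```php
<?php
// Added example: output escaping with Zend_View (ZF 1.x). Not code from the
// thread or from Zend Framework itself. Assumes ZF 1.x is on the include_path;
// the attacker-controlled strings are constructed for the demonstration.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

$view = new Zend_View();
$view->setEncoding('UTF-8');

// Values as they might come back from the database. Quoting them for SQL on
// the way in said nothing about HTML; they still have to be escaped on the
// way out.
$view->username = 'bob" onmouseover="alert(1)';
$view->title    = "x' onmouseover='alert(1)";

// Unescaped: the double quote closes the attribute and an event handler is
// added to the element.
echo '<b class="' . $view->username . '">', "\n";

// escape(): the double quote becomes &quot; and the value stays inside the
// attribute.
echo '<b class="' . $view->escape($view->username) . '">', "\n";

// Caveat: the default escape callback in ZF 1.x is htmlspecialchars() called
// with ENT_COMPAT, which converts <, >, & and " but leaves ' alone, so a
// single-quoted attribute is still broken out of.
echo "<a title='" . $view->escape($view->title) . "'>", "\n";

// Register an escaper that also converts single quotes (ENT_QUOTES), and keep
// attribute values double-quoted regardless.
function escape_html_attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
$view->setEscape('escape_html_attr');
echo "<a title='" . $view->escape($view->title) . "'>", "\n";

// Where markup really is intended, escape() is the wrong tool: the value has
// to come from an HTML sanitizer (whitelist of tags and attributes), and the
// unescaped output should be visibly deliberate, e.g. a variable named *Html.
$view->bioHtml = '<p>plain paragraph</p>';   // constructed; assume sanitized
echo $view->bioHtml, "\n";
```

Run it with `php example.php` and compare the third and fourth lines of output: the same title string is escaped with the default callback and then with the ENT_QUOTES escaper. Setting the escaper once on the view (or in the bootstrap) applies it to every `$this->escape()` call in your view scripts.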


Re: [fw-general] Security - Preventing SQL Injections, XSS etc

2009-06-06 Thread Vadim Gabriel
You could use
$this->view->escape

On Sun, Jun 7, 2009 at 6:51 AM, iceangel89 comet2...@gmail.com wrote:



 Matthew Weier O'Phinney-3 wrote:
 
  (In 2.0, we will make escaping the default within Zend_View, and require
  you to explicitly ask for raw data if you don't want escaping.)
 

 that will be much better!

 Hmm, sometimes if I have a complex query with joins to a lot of tables ...
 and I don't have time to find out what's the ZF way to do things ... can I use

 $val = escapeSql($this->getRequest()->getParam('username')); // is there an
 escape SQL function?
 $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'");

 And you meant not just Zend_Db_Select, right? You refer to the quoting
 mechanism.
 Zend_Db_Select by itself just gives normal SQL, right? Is it
 quoteInto()/where() etc. that escapes for SQL? What if I need to escape
 something not in where? Maybe in the joins or having or something else?



 --
 View this message in context:
 http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23907576.html
 Sent from the Zend Framework mailing list archive at Nabble.com.




-- 
Vincent Gabriel.
Lead Developer, Senior Support.
Zend Certified Engineer.
Zend Framework Certified Engineer.
-- http://www.vadimg.co.il/