Re: [fw-general] Security - Preventing SQL Injections, XSS etc
-- iceangel89 wrote (on Saturday, 06 June 2009, 08:51 PM -0700):
> Matthew Weier O'Phinney-3 wrote:
> > (In 2.0, we will make escaping the default within Zend_View, and require
> > you to explicitly ask for raw data if you don't want escaping.)
>
> that will be much better!
>
> hmm sometimes if I have a complex query with joins to a lot of tables
> ... and I don't have time to find out what's the ZF way to do things ...
> can I use
>
> $val = escapeSql($this->getRequest()->getParam('username')); // is there an
> "escape SQL" function?
> $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'")

Each adapter has a quoteInto() method:

    $sql = $db->quoteInto(
        'SELECT * FROM Users WHERE username = ?',
        $this->getRequest()->getParam('username')
    );
    $results = $db->fetchAll($sql);

However, as noted before, it's usually easier and better to use
Zend_Db_Select, as it does this basically for you. More on that below.

> and you meant not just Zend_Db_Select right? You refer to the quoting mechanism.
> Zend_Db_Select by itself just gives a normal SQL right? Is it
> quoteInto()/where() etc. that escapes for SQL? What if I need to escape
> something not in where? Maybe in the joins or having or something else?

Zend_Db_Select does this for you, as the Select objects are adapter
specific. As an example, assuming you are using Sqlite for your database,
if you do the following:

    $select = $db->select();
    $select->from(array('u' => 'Users'))
           ->join(array('g' => 'Groups'), 'u.gid = g.id')
           ->where('g.name = ?', $group);

you will get the following SQL:

    SELECT "u".*, "g".* FROM "Users" AS "u" INNER JOIN "Groups" AS "g" ON u.gid = g.id WHERE (g.name = 'foo')

As you can see, it does the appropriate quoting for the database adapter.

Read the Zend_Db chapter. If you use the various quoting mechanisms, the
insert/update/delete methods, and Zend_Db_Select, you'll be protecting
your application quite well from SQL injections.

--
Matthew Weier O'Phinney
Project Lead            | matt...@zend.com
Zend Framework          | http://framework.zend.com/
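The following script is an added example, not code from the thread or from Zend Framework itself. It puts the three approaches discussed above (string concatenation, quoteInto(), bound parameters) side by side against the same hostile value, then builds a Zend_Db_Select that carries request data in a join condition and a HAVING clause, which is the case asked about in the quoted question. It assumes Zend Framework 1.x is on the include_path and that PHP has the pdo_sqlite extension; the tables, rows and hostile inputs are constructed for the demo, and the allowlist check for the sort column is the added practice for identifiers, which value quoting cannot protect.

```php
<?php
// Added example, not code from the original thread. Assumes Zend Framework 1.x
// is on the include_path and that PHP has the pdo_sqlite extension. The
// tables, rows and hostile inputs below are constructed for the demo.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));

// Constructed schema and sample rows so the script runs offline.
$db->query('CREATE TABLE "Users" (id INTEGER PRIMARY KEY, username TEXT, gid INTEGER)');
$db->query('CREATE TABLE "Groups" (id INTEGER PRIMARY KEY, name TEXT)');
$db->insert('Groups', array('id' => 1, 'name' => 'staff'));
$db->insert('Groups', array('id' => 2, 'name' => 'admin'));
$db->insert('Users',  array('id' => 1, 'username' => 'alice', 'gid' => 1));
$db->insert('Users',  array('id' => 2, 'username' => 'bob',   'gid' => 2));

// Stands in for $this->getRequest()->getParam('username').
$username = "x' OR '1'='1";

// 1. Concatenation: the quote inside $username closes the literal and the
//    tautology matches every row (both rows here).
$unsafe = "SELECT * FROM Users WHERE username = '" . $username . "'";
printf("concatenated: %d row(s)\n", count($db->fetchAll($unsafe)));

// 2. quoteInto(): the adapter quotes the value (SQLite doubles the embedded
//    quote), so the whole string stays one literal and nothing matches.
$sql = $db->quoteInto('SELECT * FROM Users WHERE username = ?', $username);
echo $sql, "\n";
printf("quoteInto:    %d row(s)\n", count($db->fetchAll($sql)));

// 3. Bound parameters: same protection, and the value never becomes part of
//    the SQL text at all.
$rows = $db->fetchAll('SELECT * FROM Users WHERE username = ?', array($username));
printf("bound:        %d row(s)\n", count($rows));

// 4. Zend_Db_Select. Values go in through ? placeholders in where() and
//    having(); a value that has to sit inside a join condition is handled by
//    running the condition through quoteInto() first. Identifiers (here a
//    user-chosen sort column) cannot be protected by value quoting, so they
//    are checked against an allowlist before they reach order().
$excluded   = "x' OR '1'='1";             // value inside the JOIN condition
$minMembers = "0; DROP TABLE Users";      // value in HAVING, cast to int below
$sortParam  = "name; DROP TABLE Users";   // identifier taken from the request
$allowed    = array('name', 'id');
$sort       = in_array($sortParam, $allowed, true) ? $sortParam : 'name';

$select = $db->select()
    ->from(array('u' => 'Users'), array('members' => 'COUNT(*)'))
    ->join(array('g' => 'Groups'),
           $db->quoteInto('u.gid = g.id AND g.name <> ?', $excluded),
           array('name'))
    ->group('g.name')
    ->having('COUNT(*) >= ?', (int) $minMembers)
    ->order('g.' . $sort);

echo (string) $select, "\n";
foreach ($db->fetchAll($select) as $row) {
    printf("%-6s %d member(s)\n", $row['name'], $row['members']);
}
```

Running it prints the assembled SQL for each step, so the doubled quote in the quoteInto() and join-condition output can be compared with the raw concatenated query. The integer cast on the HAVING value is belt and braces: quoteInto() would quote the string safely anyway, but a count threshold has no business being anything other than an integer, and rejecting the wrong type early is the "filter input" half of the mantra from earlier in the thread.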
Re: [fw-general] Security - Preventing SQL Injections, XSS etc
On Sun, Jun 7, 2009 at 11:12 AM, iceangel89 wrote:
>
> oh Matthew Weier O'Phinney mentioned that ... I meant when escaping for SQL
> this time.

Read this first:
http://framework.zend.com/manual/en/zend.db.html#zend.db.adapter.quoting

Then take a look at this example:
http://framework.zend.com/manual/en/zend.db.html#zend.db.adapter.select.fetchassoc

Till
Re: [fw-general] Security - Preventing SQL Injections, XSS etc
oh Matthew Weier O'Phinney mentioned that ... I meant when escaping for SQL
this time.

vince. wrote:
>
> You could use
> $this->view->escape

--
View this message in context: http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23909053.html
Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] Security - Preventing SQL Injections, XSS etc
You could use

    $this->view->escape

On Sun, Jun 7, 2009 at 6:51 AM, iceangel89 wrote:
>
> Matthew Weier O'Phinney-3 wrote:
> >
> > (In 2.0, we will make escaping the default within Zend_View, and require
> > you to explicitly ask for raw data if you don't want escaping.)
> >
>
> that will be much better!
>
> hmm sometimes if I have a complex query with joins to a lot of tables ...
> and I don't have time to find out what's the ZF way to do things ... can I use
>
> $val = escapeSql($this->getRequest()->getParam('username')); // is there an
> "escape SQL" function?
> $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'")
>
> and you meant not just Zend_Db_Select right? You refer to the quoting
> mechanism.
> Zend_Db_Select by itself just gives a normal SQL right? Is it
> quoteInto()/where() etc. that escapes for SQL? What if I need to escape
> something not in where? Maybe in the joins or having or something else?
>
> --
> View this message in context:
> http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23907576.html
> Sent from the Zend Framework mailing list archive at Nabble.com.

--
Vincent Gabriel.
Lead Developer, Senior Support.
Zend Certified Engineer.
Zend Framework Certified Engineer.
--
http://www.vadimg.co.il/
Re: [fw-general] Security - Preventing SQL Injections, XSS etc
Matthew Weier O'Phinney-3 wrote:
>
> (In 2.0, we will make escaping the default within Zend_View, and require
> you to explicitly ask for raw data if you don't want escaping.)
>

that will be much better!

hmm sometimes if I have a complex query with joins to a lot of tables ...
and I don't have time to find out what's the ZF way to do things ... can I use

    $val = escapeSql($this->getRequest()->getParam('username')); // is there an "escape SQL" function?
    $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'")

and you meant not just Zend_Db_Select right? You refer to the quoting mechanism.
Zend_Db_Select by itself just gives a normal SQL right? Is it
quoteInto()/where() etc. that escapes for SQL? What if I need to escape
something not in where? Maybe in the joins or having or something else?

--
View this message in context: http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23907576.html
Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] Security - Preventing SQL Injections, XSS etc
-- iceangel89 wrote (on Saturday, 06 June 2009, 03:12 AM -0700):
> what do I need to know to develop an app that is relatively safe from common
> security issues like SQL Injections, XSS etc. etc.?
>
> did I read somewhere that getRequest()->getParam('something') will be
> filtered by default?

No, that is not the case, though it has been proposed. The problem with
this approach is that it is difficult to know what data will be submitted
-- and thus how it should be filtered. One possibility would be to allow
injecting a Zend_Filter_Input object, and only allow retrieving values
defined in that object. But this is a change that will happen only in 2.0.

> btw, if something is filtered/escaped for SQL, I need to unescape it for
> display right? Is that handled by ZF by default already?
>
> when I output for the output in HTML, how do I "escape" to reduce the risk
> of XSS?
> what happens if I need to output HTML? I need to disable this behavior?

The security mantra is "filter input, escape output." Within ZF, filtering
in this sense is usually the domain of Zend_Validate, which allows you to be
selective about what you consider valid input, while escaping is the role of
a variety of components, including Zend_View, Zend_Filter, Zend_Db, and even
the various server components. Escaping happens anytime you are sending data
somewhere else -- back to the browser or other client, or even to the
_database_.

What you're actually asking about is two different types of escaping.

When it comes to the database, you should be using Zend_Db_Select, the
adapter's quoting mechanism, or bound parameters. Zend_Db facilitates all of
this. As an example, using Zend_Db_Select's where() method, you can be
certain that the values will be escaped properly:

    $select->where('id = ?', $id);

Using either the adapter's or Zend_Db_Table's insert() or update() methods,
you also get appropriate escaping of the values provided.

When it comes to creating markup (HTML), use Zend_View's escape() method
when outputting suspect data:

    <?php echo $this->escape($this->foo) ?>

(In 2.0, we will make escaping the default within Zend_View, and require
you to explicitly ask for raw data if you don't want escaping.)

--
Matthew Weier O'Phinney
Project Lead            | matt...@zend.com
Zend Framework          | http://framework.zend.com/
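The script below is an added example, not code from the thread or from Zend Framework itself. It renders one hostile value through Zend_View three ways (escaped in a text node, raw, and escaped inside a single-quoted attribute) to show what escape() does and does not cover, then swaps in an escape callback that also encodes single quotes. It assumes Zend Framework 1.x is on the include_path; the view script is written to a temporary directory so the example runs on its own, and the $name value and the escape_all_quotes() helper are constructed for the demo.

```php
<?php
// Added example, not code from the original thread. Assumes Zend Framework 1.x
// is on the include_path; the view script is written to a temporary directory
// so the script runs on its own, and the hostile $name value is constructed.
require_once 'Zend/View.php';

$dir = sys_get_temp_dir() . '/zf-escape-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}

// Constructed view script: the same value in an escaped text node, a raw
// text node, and an escaped single-quoted attribute.
file_put_contents($dir . '/demo.phtml',
    "<p>escaped: <?php echo \$this->escape(\$this->name) ?></p>\n" .
    "<p>raw:     <?php echo \$this->name ?></p>\n" .
    "<input value='<?php echo \$this->escape(\$this->name) ?>'>\n");

// Request data standing in for $this->view->name = $request->getParam('name').
$name = "<script>alert(1)</script>' onfocus='alert(2)";

$view = new Zend_View();
$view->setScriptPath($dir);
$view->setEncoding('UTF-8');
$view->name = $name;

// Default escape() is htmlspecialchars() with ENT_COMPAT. Line 1 is
// neutralised, line 2 ships the script tag verbatim, and line 3 is still
// injectable: ENT_COMPAT leaves the single quote alone, so the value closes
// the single-quoted attribute and adds an onfocus handler.
echo $view->render('demo.phtml');

// Constructed escape callback that also encodes single quotes. Zend_View only
// appends the ENT_COMPAT/encoding arguments for the built-in function names,
// so a custom callback has to pass its own flags.
function escape_all_quotes($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$view->setEscape('escape_all_quotes');
echo $view->render('demo.phtml');   // line 3 now keeps the attribute closed
```

The raw line is the "I need to output HTML" case from the question: leaving escape() out is only acceptable for markup the application built itself (or ran through an HTML sanitiser), never for a request parameter. Using double-quoted attributes in the view scripts is the other way to close the ENT_COMPAT gap, but changing the callback once covers every template.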