Re: [PHP] Quotes in GET variables
> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the input explicitly.

Obviously my code is perfect, so I don't need to worry - but I'll leave it set as default anyway :-)

One thing I do avoid is using register_globals, which removes some of the threats suggested elsewhere in this thread. I do validate user input fairly thoroughly, but it's always better to be safe.

The reason I asked the question was because I wasn't sure the behavior I was seeing was correct, and didn't want to fix loads of code that I'd have to un-fix later on. Now I know what's going on I'll go ahead with the fixes. Saves me remembering to change PHP.INI on other machines, if nothing else.

Thanks for the help.

--
Mark Rogers

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Quotes in GET variables
Basically, use one of the escape functions :)

For instance, looking at this piece of code:

$result = mysql_query("SELECT * FROM table WHERE username='$username' AND password='$password'");

Now, you have the variables $username and $password to worry about. Now we ask ourselves, what characters are valid entries here? If we know that usernames and passwords can't contain spaces, we'll strip out whitespace. If A-Z, 0-9, and underscores are the only legal characters, we'll strip out anything that isn't a "word character".

Using this kind of "what's legal here?" questioning is typically the best way to handle things. It ensures that no illegal entries can be in your code so that no errors are spit out such as "this is not a legal resource identifier". It also ensures no 'massaged' data can cause an unauthorized user to see something they shouldn't see. Then it only comes down to ensuring that legal characters can't be used in some fashion which is not intended.

I tend to limit myself to using only word characters and whitespace, which seems safe in most cases. If you need to use some other data, always use one of the PHP escape functions.

The final method to use is to ask yourself, "what variables can be passed via session/cookie/put/get?". All other variables should be explicitly set to _something_ early in the code before they would normally be used, and in a way that ensures they are being set to something no matter what flow the program takes (in other words, don't set them inside a conditional loop). This is the cause for the majority of security holes. Often a program evaluates a variable which is conditionally set inside the code without ensuring that it's "clean".

For example:

if ($submit) {
    $sql = "SELECT * FROM table";
}
// bunch of code here
$result = mysql_query($sql);

If the user can massage the transaction so that $submit will evaluate to false (such as appending "?submit=" onto the end of your page's URL), they are now able to query your database with absolutely any query they like. SELECT, UPDATE, or DROP, it's their choice.

To be safe you need only insert one line before the loop:

$sql = "";

So when using a variable which shouldn't be submitted from an outside source, be sure that it's explicitly set to something before any evaluation of that variable is done.

And that's about all I can think of. Still, it's best just to leave the function on as an extra bit of security. You can never be too safe.

Plutarck

""Boget, Chris"" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Anyway, it's not a big thing if you're _really_ stringent about how you
> > check every single variable which is used in a database query,
> > system/passthru/exec, or eval command, and your checking methods are
> > flawless, but otherwise it's just best to go to the trouble of hacking
> > around the input explicitly.
>
> What would you do to go about doing this? How can you be
> _really stringent_ in checking your variables? Check that they
> have a value?
>
> Chris
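Plutarck's two rules above (ask "what's legal here?" and set $sql before the conditional) written out as an added PHP example; this is not code from the thread. It assumes a current PHP where extract() stands in for register_globals and the functions return the query text instead of calling mysql_query(), and the names is_word_chars(), unmagic(), login_query() and build_query() are mine.

```php
<?php
// Added example, not from the thread: register_globals simulated with extract().

// "What characters are valid here?" Usernames/passwords: word chars only.
function is_word_chars(string $value, int $max = 32): bool
{
    return (bool) preg_match('/^\w{1,' . $max . '}$/', $value);
}

// Undo magic_quotes_gpc escaping only when PHP actually applied it. The
// function is gone from PHP 8, where nothing is escaped in the first place.
function unmagic(string $value): string
{
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Validate-first login query: anything outside the whitelist is rejected,
// so no escaping is ever needed for these two fields. Null means rejected.
function login_query(array $get): ?string
{
    $user = unmagic($get['username'] ?? '');
    $pass = unmagic($get['password'] ?? '');
    if (!is_word_chars($user) || !is_word_chars($pass)) {
        return null;
    }
    return "SELECT * FROM table WHERE username='$user' AND password='$pass'";
}

// The $submit/$sql pattern from the thread. With register_globals a request
// parameter named "sql" becomes $sql; when $submit is empty the conditional
// never runs and that text reaches the query. $hardened adds Plutarck's line.
function build_query(array $request, bool $hardened): string
{
    extract($request);                 // stands in for register_globals=On
    if ($hardened) {
        $sql = '';                     // explicit default before any use
    }
    if (!empty($submit)) {
        $sql = 'SELECT * FROM table';
    }
    // ... bunch of code here ...
    return $sql ?? '';                 // stands in for mysql_query($sql)
}

// Constructed inputs for an offline run.
var_dump(login_query(['username' => "ad'min", 'password' => 'x']));
var_dump(login_query(['username' => 'mark', 'password' => 'pw_1']));
$evil = ['submit' => '', 'sql' => 'DROP TABLE table'];
var_dump(build_query($evil, false), build_query($evil, true));
```

The first login_query() call is rejected by the whitelist, and only the unhardened build_query() lets the request-supplied $sql through.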
RE: [PHP] Quotes in GET variables
> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the input explicitly.

What would you do to go about doing this? How can you be _really stringent_ in checking your variables? Check that they have a value?

Chris
Re: [PHP] Quotes in GET variables
I saw an article just a few days ago on "Hacking PHPNuke" that was an excellent example of how the escape GPC thing saved a program from a major security hole caused by a very minor oversight in less than 0.01% of the code. Can't remember the name of the site...I think it was linked from TheRegister.co.uk, but I can't recall. It had a kind of metallic greyish look with small print.

Anyway, it's not a big thing if you're _really_ stringent about how you check every single variable which is used in a database query, system/passthru/exec, or eval command, and your checking methods are flawless, but otherwise it's just best to go to the trouble of hacking around the input explicitly.

Unless your setting of PHP will only affect your application and no one else's, and you don't have to worry about having the script run on a system whose config you don't control, then knock yourself out. But it's a good idea to pretend that the default settings of PHP can't be changed, since most people have those settings and you don't want your code to be "system dependent" :)

Plutarck

""Mark Rogers"" <[EMAIL PROTECTED]> wrote in message news:9eb0sl$vvr$[EMAIL PROTECTED]...
> > It's a feature of PHP that it automatically escapes data submitted in
> > PUT/GET/etc.
>
> It didn't seem to be happening with POST which is why I thought it odd, but
> that probably means I didn't test properly :-)
>
> > It's nice in that it adds to how secure PHP code is, but it can be a
> > hassle.
>
> Out of curiosity, what are the security implications? Presumably a failure
> to validate input properly leading to unintended actions, but I can't think
> of any examples to help me decide whether to turn this off.
>
> Thanks for the quick response.
>
> --
> Mark Rogers
Re: [PHP] Quotes in GET variables
Hi Mark,

> > It's nice in that it adds to how secure PHP code is, but it can be a
> > hassle.
>
> Out of curiosity, what are the security implications? Presumably a failure
> to validate input properly leading to unintended actions, but I can't think
> of any examples to help me decide whether to turn this off.

Most default to set magic_quotes_gpc on - otherwise, to safeguard against (amongst many other things) mysql or other database errors, all fields that aren't integers would have to have addslashes() applied to them.

Try entering a string like this:

$string = "http://www.php.net\";>PHP";
$string = stripslashes($string);
$insert = @mysql_query("INSERT INTO table (string) VALUES ('$string')") or die (mysql_error());

And see how fast you run into errors ;)

James.
Re: [PHP] Quotes in GET variables
> It's a feature of PHP that it automatically escapes data submitted in
> PUT/GET/etc.

It didn't seem to be happening with POST which is why I thought it odd, but that probably means I didn't test properly :-)

> It's nice in that it adds to how secure PHP code is, but it can be a
> hassle.

Out of curiosity, what are the security implications? Presumably a failure to validate input properly leading to unintended actions, but I can't think of any examples to help me decide whether to turn this off.

Thanks for the quick response.

--
Mark Rogers
Re: [PHP] Quotes in GET variables
It's a feature of PHP that it automatically escapes data submitted in PUT/GET/etc.

It's nice in that it adds to how secure PHP code is, but it can be a hassle. Not sure if there is a function which removes escape characters while leaving normal backslashes alone.

If you REALLY need to turn it off I believe it's the magic_quotes_gpc option.

Plutarck

""Mark Rogers"" <[EMAIL PROTECTED]> wrote in message news:9eavif$dks$[EMAIL PROTECTED]...
> If I submit a string to a script via GET which contains quotes, how should
> they appear in my script?
>
> Eg:
> --- test.php ---
> echo $HTTP_GET_VARS['test'];
>
> Go to:
> test.php?test=this+doesn%27t+work
>
> .. and you get:
> this doesn\'t work
>
> (Char 27 is a single quote. Echoing $test gives the same result.)
>
> I can use stripslashes to lose the escape char, but should this be necessary?
> I'm using v4.0.4pl1
>
> --
> Mark Rogers
> Lose the -news in the email address if replying direct
[PHP] Quotes in GET variables
If I submit a string to a script via GET which contains quotes, how should they appear in my script?

Eg:
--- test.php ---
echo $HTTP_GET_VARS['test'];

Go to:
test.php?test=this+doesn%27t+work

.. and you get:
this doesn\'t work

(Char 27 is a single quote. Echoing $test gives the same result.)

I can use stripslashes to lose the escape char, but should this be necessary? I'm using v4.0.4pl1

--
Mark Rogers
Lose the -news in the email address if replying direct