Re: [PHP] Quotes in GET variables

2001-05-21 Thread Plutarck

It's a feature of PHP that it automatically escapes data submitted in
PUT/GET/etc.

It's nice in that it adds to how secure PHP code is, but it can be a hassle.
Not sure if there is a function which removes escape characters while leaving
normal backslashes alone. If you REALLY need to turn it off I believe it's
the magic_quotes_gpc option.


Plutarck

"Mark Rogers" <[EMAIL PROTECTED]> wrote in message
news:9eavif$dks$[EMAIL PROTECTED]...
> If I submit a string to a script via GET which contains quotes, how should
> they appear in my script?
>
> Eg:
> --- test.php ---
> echo $HTTP_GET_VARS['test'];
>
> Go to:
> test.php?test=this+doesn%27t+work
>
> .. and you get:
> this doesn\'t work
>
> (Char 27 is a single quote. Echoing $test gives the same result.)
>
> I can use stripslashes to lose the escape char, but should this be necessary?
> I'm using v4.0.4pl1
>
> --
> Mark Rogers
> Lose the -news in the email address if replying direct
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>



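As an added example (not code from the thread), the following script reproduces what magic_quotes_gpc did to the query string in the question and shows why stripslashes() has to be applied exactly once, conditionally on that setting: run unconditionally, it also eats genuine backslashes, which is the hassle Plutarck mentions. The helper names, the second query parameter and the use of addslashes() to model the setting are assumptions.

```php
<?php
// Added example, not code from the thread. Models how PHP populates
// $HTTP_GET_VARS / $_GET with magic_quotes_gpc On and Off, and shows that
// stripslashes() must be applied once, only when the setting is on.

// Constructed input: the value from the question plus one containing a real
// backslash (C:\temp), so the data-loss case is visible.
$query = 'test=this+doesn%27t+work&path=C%3A%5Ctemp';

// Decode the query string; with magic_quotes_gpc=On every value additionally
// goes through addslashes(), which is what produced "this doesn\'t work".
function parse_gpc(string $query, bool $magicQuotes): array
{
    parse_str($query, $vars);
    if ($magicQuotes) {
        foreach ($vars as $key => $value) {
            $vars[$key] = addslashes($value);
        }
    }
    return $vars;
}

// Recover the value the client actually sent. The escaping is removed only
// if it was added; stripslashes() on an unescaped value destroys backslashes.
function raw_gpc(string $value, bool $magicQuotes): string
{
    return $magicQuotes ? stripslashes($value) : $value;
}

foreach ([true, false] as $magicQuotes) {
    printf("magic_quotes_gpc=%s\n", $magicQuotes ? 'On' : 'Off');
    foreach (parse_gpc($query, $magicQuotes) as $key => $value) {
        printf("  %-4s received: %-22s raw_gpc: %-20s unconditional stripslashes: %s\n",
            $key, $value, raw_gpc($value, $magicQuotes), stripslashes($value));
    }
}
```

The last column is the bug to avoid: code that calls stripslashes() on every GET value regardless of the setting turns `C:\temp` into `C:temp` on a server where magic_quotes_gpc is off, so the conditional in raw_gpc() is what keeps the script portable across php.ini configurations.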




Re: [PHP] Quotes in GET variables

2001-05-21 Thread Mark Rogers

> It's a feature of PHP that it automatically escapes data submitted in
> PUT/GET/etc.

It didn't seem to be happening with POST which is why I thought it odd, but
that probably means I didn't test properly :-)

> It's nice in that it adds to how secure PHP code is, but it can be a hassle.

Out of curiosity, what are the security implications? Presumably a failure
to validate input properly leading to unintended actions, but I can't think
of any examples to help me decide whether to turn this off.

Thanks for the quick response.
--
Mark Rogers








Re: [PHP] Quotes in GET variables

2001-05-21 Thread James Holloway

Hi Mark,

> > It's nice in that it adds to how secure PHP code is, but it can be a hassle.
>
> Out of curiosity, what are the security implications? Presumably a failure
> to validate input properly leading to unintended actions, but I can't think
> of any examples to help me decide whether to turn this off.

Most default to set magic_quotes_gpc on - otherwise, to safeguard against
(amongst many other things) mysql or other database errors, all fields that
aren't integers would have to have addslashes() applied to them.  Try
entering a string like this:

$string = "<a href=\"http://www.php.net\">PHP</a>";

$string = stripslashes($string);

$insert = @mysql_query("INSERT INTO table (string) VALUES ('$string')")
or die (mysql_error());

And see how fast you run into errors ;)

James.



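As an added example (not code from the thread), this script reproduces the INSERT failure James describes and contrasts it with the fix that does not depend on magic_quotes_gpc or addslashes() at all: binding the value through a prepared statement. SQLite in memory via PDO stands in for MySQL so that it runs offline; the table and column names are assumptions. One caveat this makes visible: addslashes() produces MySQL's `\'` escape, which MySQL accepts but SQLite (like standard SQL, which doubles the quote) does not, so the addslashes() variant that works against mysql_query() in the thread still fails here.

```php
<?php
// Added example, not code from the thread. Shows the quote-in-SQL failure
// from the thread and the fixes, against an in-memory SQLite database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (string TEXT)');   // table/column names are assumptions

// Constructed input, as the client sent it (no magic-quotes escaping).
$string = "this doesn't work";

// Prepare and execute one statement, reporting success or the driver's error.
function try_insert(PDO $db, string $label, string $sql, array $params = []): void
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        echo "$label: ok\n";
    } catch (PDOException $e) {
        echo "$label: FAILED: " . $e->getMessage() . "\n";
    }
}

// 1. Raw value interpolated: the apostrophe terminates the SQL literal early.
try_insert($db, 'raw interpolation',
    "INSERT INTO t (string) VALUES ('$string')");

// 2. addslashes() interpolated: yields 'this doesn\'t work'. MySQL reads \'
//    as an escaped quote; SQLite treats the backslash as an ordinary
//    character, so the literal still ends early. The escaping rules belong to
//    the database, which is why application-side addslashes() is fragile.
try_insert($db, 'addslashes interpolation',
    "INSERT INTO t (string) VALUES ('" . addslashes($string) . "')");

// 3. Driver-aware quoting: PDO::quote() applies the backend's own rules.
try_insert($db, 'PDO::quote',
    'INSERT INTO t (string) VALUES (' . $db->quote($string) . ')');

// 4. Prepared statement with a bound parameter: the value is never part of
//    the SQL text, so no escaping is needed in either direction.
try_insert($db, 'prepared statement',
    'INSERT INTO t (string) VALUES (?)', [$string]);

// Read back what was stored; only cases 3 and 4 contributed rows.
foreach ($db->query('SELECT string FROM t') as $row) {
    echo "stored: {$row['string']}\n";
}
```

With magic_quotes_gpc on, case 2 is what the thread's addslashes()-free code was silently relying on; case 4 is the version that works regardless of php.ini and regardless of which database is behind the query.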




Re: [PHP] Quotes in GET variables

2001-05-21 Thread Plutarck

I saw an article just a few days ago on "Hacking PHPNuke" that was an
excellent example of how the escape GPC thing saved a program from a major
security hole caused by a very minor oversight in less than 0.01% of the
code. Can't remember the name of the site...I think it was linked from
TheRegister.co.uk, but I can't recall. It had a kind of metallic greyish
look with small print.

Anyway, it's not a big thing if you're _really_ stringent about how you
check every single variable which is used in a database query,
system/passthru/exec, or eval command, and your checking methods are
flawless, but otherwise it's just best to go to the trouble of hacking
around the input explicitly.

Unless your setting of PHP will only affect your application and no one
else's, and you don't have to worry about having the script run on a system
whose config you don't control, then knock yourself out. But it's a good
idea to pretend that the default settings of PHP can't be changed, since
most people have those settings and you don't want your code to be "system
dependent" :)



Plutarck

"Mark Rogers" <[EMAIL PROTECTED]> wrote in message
news:9eb0sl$vvr$[EMAIL PROTECTED]...
> > It's a feature of PHP that it automatically escapes data submitted in
> > PUT/GET/etc.
>
> It didn't seem to be happening with POST which is why I thought it odd, but
> that probably means I didn't test properly :-)
>
> > It's nice in that it adds to how secure PHP code is, but it can be a hassle.
>
> Out of curiosity, what are the security implications? Presumably a failure
> to validate input properly leading to unintended actions, but I can't think
> of any examples to help me decide whether to turn this off.
>
> Thanks for the quick response.
> --
> Mark Rogers
>
>
>
>







RE: [PHP] Quotes in GET variables

2001-05-21 Thread Boget, Chris

> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the input explicitly.

What would you do to go about doing this?  How can you be
_really stringent_ in checking your variables?  Check that they
have a value?

Chris



Re: [PHP] Quotes in GET variables

2001-05-21 Thread Plutarck

Basically, use one of the escape functions :)

For instance, looking at this piece of code:

$result = mysql_query("SELECT * FROM table WHERE username='$username' AND password='$password'");

Now, you have the variables $username and $password to worry about. Now we
ask ourselves, what characters are valid entries here?

If we know that usernames and passwords can't contain spaces, we'll strip
out whitespace. If A-Z, 0-9, and underscores are the only legal characters,
we'll strip out anything that isn't a "word character".

Using this kind of "what's legal here?" questioning is typically the best
way to handle things. It ensures that no illegal entries can be in your code
so that no errors are spit out such as "this is not a legal resource
identifier". It also ensures no 'massaged' data can cause an unauthorized
user to see something they shouldn't see.

Then it only comes down to ensuring that legal characters can't be used in
some fashion which is not intended. I tend to limit myself to using only
word characters and whitespace, which seems safe in most cases. If you need
to use some other data, always use one of the PHP escape functions.

The final method to use is to ask yourself, "what variables can be passed
via session/cookie/put/get?". All other variables should be explicitly set
to _something_ early in the code before they would normally be used, and in
a way that ensures they are being set to something no matter what flow the
program takes (in other words, don't set them inside a conditional loop).

This is the cause for the majority of security holes. Often a program
evaluates a variable which is conditionally set inside the code without
ensuring that it's "clean". For example:

if ($submit)
{
$sql = "SELECT * FROM table";
}

// bunch of code here

$result = mysql_query($sql);


If the user can massage the transaction so that $submit will evaluate to
false (such as appending "?submit=" onto the end of your page's URL), they
are now able to query your database with absolutely any query they like.
SELECT, UPDATE, or DROP, it's their choice. To be safe you need only insert
one line before the loop:

$sql = "";

So when using a variable which shouldn't be submitted from an outside
source, be sure that it's explicitly set to something before any evaluation
of that variable is done.


And that's about all I can think of. Still, it's best just to leave the
function on as an extra bit of security. You can never be too safe.


Plutarck

"Boget, Chris" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Anyway, it's not a big thing if you're _really_ stringent about how you
> > check every single variable which is used in a database query,
> > system/passthru/exec, or eval command, and your checking methods are
> > flawless, but otherwise it's just best to go to the trouble of hacking
> > around the input explicitly.
>
> What would you do to go about doing this?  How can you be
> _really stringent_ in checking your variables?  Check that they
> have a value?
>
> Chris
>



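As an added example (not code from the thread), the script below puts the two rules from Plutarck's reply into working code: the "what's legal here?" allowlist for $username and $password, and explicit initialisation of $sql so that a request can never supply it. Calling extract() on the request array stands in for register_globals=On, which is what made the "?submit=" trick work; the function names, the length limit and the constructed request are assumptions. The allowlisted login query is safe to interpolate only because \w admits no quotes, spaces or comment characters; a prepared statement remains the more robust tool whenever the value can be anything else.

```php
<?php
// Added example, not code from the thread. Allowlist validation plus explicit
// variable initialisation, with the vulnerable shape beside the hardened one.

// "What's legal here?": only word characters, bounded length. Reject anything
// else rather than trying to strip or repair it.
function is_legal_word(string $value, int $maxLength = 32): bool
{
    return preg_match('/^\w{1,' . $maxLength . '}$/', $value) === 1;
}

// The login query from the post. Nothing the allowlist passes can alter the
// structure of the SQL, because \w excludes every SQL metacharacter.
function login_query(string $username, string $password): ?string
{
    if (!is_legal_word($username) || !is_legal_word($password)) {
        return null;
    }
    return "SELECT * FROM table WHERE username='$username' AND password='$password'";
}

// Vulnerable shape from the post: $sql only exists if $submit is truthy, and
// with register_globals every request field becomes a local variable first.
function build_query_vulnerable(array $request): ?string
{
    extract($request);                  // models register_globals=On (assumption)
    if (!empty($submit)) {
        $sql = "SELECT * FROM table";
    }
    // bunch of code here
    return isset($sql) ? $sql : null;
}

// Hardened: $sql has a known value before any branch, and the code reads only
// the one request field it expects instead of whatever the client sent.
function build_query_safe(array $request): ?string
{
    $sql = '';
    if (!empty($request['submit'])) {
        $sql = "SELECT * FROM table";
    }
    return $sql === '' ? null : $sql;
}

// Constructed request modelling ?submit=&sql=DROP+TABLE+table: an empty
// $submit skips the assignment, and the attacker supplies $sql directly.
$attack = ['submit' => '', 'sql' => 'DROP TABLE table'];

var_dump(login_query('alice', 's3cret'));       // legal values
var_dump(login_query("' OR 1=1 -- ", 'x'));      // injection attempt
var_dump(build_query_vulnerable($attack));       // attacker-controlled query
var_dump(build_query_safe($attack));             // nothing to run
```

The same initialisation rule applies to any variable later used in system(), passthru(), exec() or eval(): give it a value before the first branch, and never let request data decide whether that assignment happens.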




Re: [PHP] Quotes in GET variables

2001-05-21 Thread Mark Rogers

> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the input explicitly.

Obviously my code is perfect, so I don't need to worry - but I'll leave it
set as default anyway :-)

One thing I do avoid is using register_globals, which removes some of the
threats suggested elsewhere in this thread. I do validate user input fairly
thoroughly, but it's always better to be safe. The reason I asked the
question was because I wasn't sure the behavior I was seeing was correct,
and didn't want to fix loads of code that I'd have to un-fix later on. Now I
know what's going on I'll go ahead with the fixes. Saves me remembering to
change PHP.INI on other machines, if nothing else.

Thanks for the help.
--
Mark Rogers



