Re: appdb security
Hi, The recent changes you made have resulted in a regression at least in the note edition. \'s and ''s are too much addslashized again. I remember having fixed this some time ago... Thanks. Jonathan signature.asc Description: Ceci est une partie de message numériquement signée
Re: appdb security
Tobias Burnus wrote: Why don't you use mysql_escape_string(...)? http://de.php.net/manual/en/function.mysql-escape-string.php Why not just use PEAR::DB as recommended in the book Essential PHP Security, as it handles multiple SQL interfaces and escapes the data automatically for you, appropriately for the type of database you're using. http://www.devshed.com/c/a/PHP/Accessing-Databases-with-DB/2/
Re: appdb security
On Thu, Jun 08, 2006 at 06:44:15PM -0500, EA Durbin wrote: function makeSafe( $var ) { $var = trim( addslashes( $var ) ); return $var; } $clean['var1'] = makeSafe( $_REQUEST['var1'] ); $clean['var2'] = makeSafe( $_REQUEST['var2'] ); sorry for only throwing things at you guys and not providing any code - but i am currently packed with work :/ why dont create a object, that wrapps the request and makes it safe. then fixing the app is not more like sed action and you can handle stuff in future as you like: $_REQUEST[(['][^']+['])] - Request::get(\1) -- cu pgpIGdBEBgOnK.pgp Description: PGP signature
Re: appdb security
Hi, Jonathan Ernst schrieb: Le jeudi 08 juin 2006 à 11:42 -0400, Chris Morgan a écrit : Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-) I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue. Chris Lately I used the following snippet in all my webapps to secure them against sql injection : [...] Why don't you use mysql_escape_string(...)? http://de.php.net/manual/en/function.mysql-escape-string.php Tobias
Re: appdb security
Tobias Burnus wrote: Why don't you use mysql_escape_string(...)? http://de.php.net/manual/en/function.mysql-escape-string.php Tobias The page says it's deprecated and mentions using mysql_real_escape_string instead (http://nl2.php.net/mysql_real_escape_string) HTH, Joris
Re: appdb security
On Thu, Jun 08, 2006 at 11:25:08AM -0400, Chris Morgan wrote: $sQuery = Select versionId from appVersion where appId='$_REQUEST['appId'].';; Who's '' around $_REQUEST should prevent the string from being interpreted as anything but a single value passed as the value of appId. with appId=' or 1=1;'? -- cu pgpseZLsLOL39.pgp Description: PGP signature
Re: appdb security
Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-) I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue. Chris On Thursday 08 June 2006 11:35 am, Christoph Frick wrote: On Thu, Jun 08, 2006 at 11:25:08AM -0400, Chris Morgan wrote: $sQuery = Select versionId from appVersion where appId='$_REQUEST['appId'].';; Who's '' around $_REQUEST should prevent the string from being interpreted as anything but a single value passed as the value of appId. with appId=' or 1=1;'?
Re: appdb security
Le jeudi 08 juin 2006 à 11:42 -0400, Chris Morgan a écrit : Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-) I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue. Chris Lately I used the following snippet in all my webapps to secure them against sql injection : http://php.net/mysql_real_escape_string under Best practice. ?php function smart_quote($value) { // Stripslashes if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // Protect it if it's not an integer if (!is_numeric($value)) { $value = ' . mysql_real_escape_string($value) . '; } return $value; } // Secure query $sQuery = sprintf(SELECT * FROM users WHERE user=%s AND password=%s, smart_quote($_POST['username']), smart_quote($_POST['password'])); mysql_query($query); ? I think it is better than what we have now in AppDB (didn't check it though). If nobody looks at it, I'll check the code after my master thesis (in one month). Jonathan signature.asc Description: Ceci est une partie de message numériquement signée
Re: appdb security
Alright. I'm sold on having to check all user input. We should make this input checking change across the board if you are up for it. $clean = array(); //array of filtered user input + +$clean['catId'] = makeSafe( $_REQUEST['catId'] ); function admin_menu() { -if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId']; -else $catId=; +$clean['catId'] = makeSafe( $_REQUEST['catId'] ); +if ( empty($clean['catId']) ) +{ +$clean['catId']=; +} Is there a reason why we don't do the if(empty()) check inside of makeSafe()? Chris On Thursday 08 June 2006 1:40 pm, EA Durbin wrote: I always use the method of filtering user input as described at the php security consortium. It makes it easier to track tainted user input vs filtered input. If all filtered variables are put in an array it makes it easier to ensure you're using the non tainted variable. http://phpsec.org/projects/guide/1.html#1.4 Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL filtering. From: Jonathan Ernst [EMAIL PROTECTED] To: wine-devel@winehq.com Subject: Re: appdb security Date: Thu, 08 Jun 2006 18:12:20 +0200 Le jeudi 08 juin 2006 أ 11:42 -0400, Chris Morgan a أ�crit : Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-) I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue. Chris Lately I used the following snippet in all my webapps to secure them against sql injection : http://php.net/mysql_real_escape_string under Best practice. ?php function smart_quote($value) { // Stripslashes if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // Protect it if it's not an integer if (!is_numeric($value)) { $value = ' . mysql_real_escape_string($value) . '; } return $value; } // Secure query $sQuery = sprintf(SELECT * FROM users WHERE user=%s AND password=%s, smart_quote($_POST['username']), smart_quote($_POST['password'])); mysql_query($query); ? I think it is better than what we have now in AppDB (didn't check it though). If nobody looks at it, I'll check the code after my master thesis (in one month). Jonathan signature.asc
Re: appdb security
It will be a large undertaking, but I'll help change this across the board. I'm going out of town for the next 2 days and won't be near my computer, but I can start on it when I get back. From: Chris Morgan [EMAIL PROTECTED] To: wine-devel@winehq.org, EA Durbin [EMAIL PROTECTED] Subject: Re: appdb security Date: Thu, 8 Jun 2006 16:40:55 -0400 Alright. I'm sold on having to check all user input. We should make this input checking change across the board if you are up for it. $clean = array(); //array of filtered user input + +$clean['catId'] = makeSafe( $_REQUEST['catId'] ); function admin_menu() { -if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId']; -else $catId=; +$clean['catId'] = makeSafe( $_REQUEST['catId'] ); +if ( empty($clean['catId']) ) +{ +$clean['catId']=; +} Is there a reason why we don't do the if(empty()) check inside of makeSafe()? Chris On Thursday 08 June 2006 1:40 pm, EA Durbin wrote: I always use the method of filtering user input as described at the php security consortium. It makes it easier to track tainted user input vs filtered input. If all filtered variables are put in an array it makes it easier to ensure you're using the non tainted variable. http://phpsec.org/projects/guide/1.html#1.4 Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL filtering. From: Jonathan Ernst [EMAIL PROTECTED] To: wine-devel@winehq.com Subject: Re: appdb security Date: Thu, 08 Jun 2006 18:12:20 +0200 Le jeudi 08 juin 2006 أ 11:42 -0400, Chris Morgan a أ�crit : Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-) I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue. Chris Lately I used the following snippet in all my webapps to secure them against sql injection : http://php.net/mysql_real_escape_string under Best practice. ?php function smart_quote($value) { // Stripslashes if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // Protect it if it's not an integer if (!is_numeric($value)) { $value = ' . mysql_real_escape_string($value) . '; } return $value; } // Secure query $sQuery = sprintf(SELECT * FROM users WHERE user=%s AND password=%s, smart_quote($_POST['username']), smart_quote($_POST['password'])); mysql_query($query); ? I think it is better than what we have now in AppDB (didn't check it though). If nobody looks at it, I'll check the code after my master thesis (in one month). Jonathan signature.asc
Re: appdb security
Is there a reason why we don't do the if(empty()) check inside of makeSafe()? as in put the if(empty()) inside of the function itself, or pass if( empty (makeSafe( $_REQUEST['appId'] ) ) ) when we assign it? the reason I didn't put it in the makeSafe function was because we were testing to see if the variable was isset or empty and determining on the point of the application the result was either set to or 0, you could do it inside of the makeSafe() function but returning may not always be the desired results. you could call the empty() test while you were assigning it, I just always start out assigning all of the user input variables I'm going to use at the top of the page by passing them through makeSafe. function makeSafe( $var ) { $var = trim( addslashes( $var ) ); return $var; } $clean['var1'] = makeSafe( $_REQUEST['var1'] ); $clean['var2'] = makeSafe( $_REQUEST['var2'] ); then any subsequent test called upon the variables are ensured to be clean. if your desired output of makeSafe is to be if its empty then you could put the empty() test inside of makeSafe, but further down in the app we were testing for empty and returning 0.