Alright. I'm sold on having to check all user input. We should make this input checking change across the board if you are up for it.
$clean = array(); //array of filtered user input
+
+$clean['catId'] = makeSafe( $_REQUEST['catId'] );

function admin_menu() {
-    if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
-    else $catId="";
+    $clean['catId'] = makeSafe( $_REQUEST['catId'] );
+    if ( empty($clean['catId']) )
+    {
+        $clean['catId']="";
+    }

Is there a reason why we don't do the if(empty()) check inside of makeSafe()?

Chris

On Thursday 08 June 2006 1:40 pm, EA Durbin wrote:
> I always use the method of filtering user input as described at the php
> security consortium. It makes it easier to track tainted user input vs
> filtered input. If all filtered variables are put in an array it makes it
> easier to ensure you're using the non tainted variable.
>
> http://phpsec.org/projects/guide/1.html#1.4
>
> Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL
> filtering.
>
> >From: Jonathan Ernst <[EMAIL PROTECTED]>
> >To: wine-devel@winehq.com
> >Subject: Re: appdb security
> >Date: Thu, 08 Jun 2006 18:12:20 +0200
> >
> >On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
> > > Can you come up with a non-destructive working example for the appdb
> > > website(appdb.winehq.org)? ;-)
> > >
> > > I ask because I thought we went through this some time ago but I agree
> > > that what you say looks like an open issue.
> > >
> > > Chris
> >
> >Lately I used the following snippet in all my webapps to secure them
> >against sql injection :
> >
> >http://php.net/mysql_real_escape_string under "Best practice".
> >
> ><?php
> >function smart_quote($value)
> >{
> >    // Stripslashes
> >    if (get_magic_quotes_gpc()) {
> >        $value = stripslashes($value);
> >    }
> >    // Protect it if it's not an integer
> >    if (!is_numeric($value)) {
> >        $value = "'" . mysql_real_escape_string($value) . "'";
> >    }
> >    return $value;
> >}
> >
> >// Secure query
> >$sQuery = sprintf("SELECT *
> >            FROM users
> >            WHERE user=%s AND password=%s",
> >            smart_quote($_POST['username']),
> >            smart_quote($_POST['password']));
> >mysql_query($sQuery);
> >?>
> >
> >I think it is better than what we have now in AppDB (didn't check it
> >though). If nobody looks at it, I'll check the code after my master
> >thesis (in one month).
> >
> >Jonathan
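Review bot: in the admin_menu() hunk the removed lines carried the isset($_REQUEST['catId']) guard and the replacement does not, so makeSafe( $_REQUEST['catId'] ) reads an undefined index whenever catId is absent from the request; also, $clean['catId'] inside admin_menu() is a function-local array, not the file-level $clean = array() the hunk adds above it, unless the function declares `global $clean` or receives it as a parameter. Suggest either keeping the isset() check or having makeSafe() take the key name and do the isset()/empty() handling itself (which also answers the question about moving empty() into makeSafe()), and fixing the scope; the `if ( empty($clean['catId']) ) { $clean['catId']=""; }` block can then go, since empty() is already true for "". The top-level `+$clean['catId'] = makeSafe( $_REQUEST['catId'] );` duplicates the assignment inside the function and should be one or the other.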
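As an added example (not AppDB code and not from any of the posters): the phpsec.org "$clean array" pattern from the thread with the isset()/empty() handling moved into makeSafe(), which is what Chris asks about. The key-based makeSafe() signature, the $source parameter, and the table and column names are assumptions; the real AppDB makeSafe() is not shown in the thread.

```php
<?php
// Added example, not AppDB code: filtered input lives only in $clean, and
// makeSafe() owns the "missing or empty" case so callers never touch $_REQUEST.
// Assumptions: makeSafe() takes the request key plus an expected type (the real
// AppDB signature is not shown); table/column names are placeholders.

$clean = array();   // the only array the rest of the code reads user input from

/**
 * Filter $source[$key] and return it, or return $default when the key is
 * missing or empty. $source defaults to $_REQUEST; it is a parameter so the
 * function can be exercised offline with a constructed array.
 */
function makeSafe($key, $type = 'text', $default = '', $source = null)
{
    if ($source === null) {
        $source = $_REQUEST;
    }
    if (!isset($source[$key]) || $source[$key] === '') {
        return $default;            // absent or empty: no notice, no empty() needed
    }
    $value = (string) $source[$key];
    switch ($type) {
        case 'int':
            // Only a plain run of digits is accepted; anything else gets $default
            return ctype_digit($value) ? (int) $value : $default;
        default:
            return trim(strip_tags($value));
    }
}

function admin_menu()
{
    global $clean;                  // without this, $clean inside the function
                                    // would be a new, function-local array
    $clean['catId'] = makeSafe('catId', 'int', 0);
    // Quoting is a separate step from validation; %d can only emit an integer.
    return sprintf("SELECT * FROM categories WHERE catId = %d", $clean['catId']);
}

// Constructed input standing in for $_REQUEST, covering the cases that matter:
$sample = array('catId' => '42', 'name' => '<b>Wine</b> ', 'odd' => '42abc');
var_dump(makeSafe('catId', 'int', 0, $sample));   // accepted as an integer
var_dump(makeSafe('name', 'text', '', $sample));  // tags stripped, whitespace trimmed
var_dump(makeSafe('odd', 'int', 0, $sample));     // not all digits: default used
var_dump(makeSafe('none', 'int', 0, $sample));    // key absent: default, no notice
```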