Re: Scripting Languages and Secure Coding + code

["Ghita Gh. Serban" <sasa () stonet ro>]

hello

thanks all for the replys and opinions. i made some tests, to see what
functions should i use to validate(sanitize) an user input such as
usernames.
the following code:
--------------------------------cut---------------------------------------
<?php
$username="'use\"r\\na'me1,2`3'"; //the username variable takes a value
$username0=mysql_escape_string($username);
$username1=mysql_real_escape_string($username);
$username2=addslashes($username);
$username3=stripslashes($username);
/*************************************/
echo("<!-- BEGIN -->\n");
echo("<b>". $username . "</b><br>---------------<br>\n");
if(ereg('[^a-zA-Z0-9_]', $username)){
 echo("With function <b>ereg()</b>: ");
 echo "".$username." must contain only letters,numbers and _
character.<br>\n";
}else{
 echo("With function <b>ereg()</b>: ");
 echo "".$username." is a valid username!<br>\n";
}
echo("With function <b>mysql_escape_string()</b>: " . $username0 .
"<br>\n");
echo("With function <b>mysql_real_escape_string()</b>: " . $username1 .
"<br>\n");
echo("With function <b>addslashes()</b>: " . $username2 . "<br>\n");
echo("With function <b>stripslashes()</b>: " . $username3 . "\n");
echo("<!-- END -->");
/*************************************/
?>
--------------------------------cut---------------------------------------
echoes:

++++++++++++++++++++++++++++++++++++++++++++++++++
'use"r\na'me1,2`3'
---------------
With function ereg(): 'use"r\na'me1,2`3' must contain only letters,numbers
and _ character.
With function mysql_escape_string(): \'use\"r\\na\'me1,2`3\'
With function mysql_real_escape_string(): \'use\"r\\na\'me1,2`3\'
With function addslashes(): \'use\"r\\na\'me1,2`3\'
With function stripslashes(): 'use"rna'me1,2`3'
++++++++++++++++++++++++++++++++++++++++++++++++++

which demonstrates that if we user a function like ereg() or preg_match()
(which uses a Perl-compatible regular expression syntax), we have better
chances to filter the user input and finally make a safe query to database
using mysql_real_escape_string() or mysql_escape_string() or others like
is_numeric(), depends on the query.

Please take a look at :
http://www.securityfocus.com/archive/1/346484/2003-12-02/2003-12-08/0
The message was posted yesterday if i am not mistaking. Its the same thing
we discussed couple of posts ago. Very interesting.

Best regards,

Ghita Gh. Serban
administrator
Fastweb Romania
www.fastweb.ro


----- Original Message ----- 
From: "Louis Solomon [SteelBytes]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 4:37 AM
Subject: Re: [SC-L] Scripting Languages and Secure Coding + code


> I use the php 4.3.x func mysql_real_escape_string()
>
> eg, $query = 'select * from users where
> username="'.mysql_real_escape_string($_REQUEST['username']).'" and
password=
> ....
>
> this way it doesn't matter what the user enters.
>
> also, note that the use of "
> eg
> if the user enters
>     Fred"Joe
> then the query would be
>     ... username="Fred\"Joe" ...
>
> of course with different DBs, the escaping of chars maybe different.
>
> Louis Solomon
> www.steelbytes.com
>
> ----- Original Message ----- 
> From: "Jeremy Thibeaux" <[EMAIL PROTECTED]>
> To: "Ghita Serban" <[EMAIL PROTECTED]>; "SC-L" <[EMAIL PROTECTED]>
> Sent: Friday, December 05, 2003 2:34 AM
> Subject: Re: [SC-L] Scripting Languages and Secure Coding + code
>
>
> > Hi Ghita,
> >
> > First off, thanks for the practical example!
> >
> > > $username=stripslashes(trim($_POST['username']));
> > > $password=stripslashes(trim($_POST['password']));
> >
> > I am not sure why you "stripslashes" for the user name
> > and password.  If the slashes are there (due to
> > magic_quotes being enabled), they will protect you
> > from the user entering arbitrary SQL code in the input
> > variable.  If they aren't there, you should consider
> > adding them using AddSlashes. Given the way you
> > construct the query (are you missing single quotes
> > around the variables?):
> >
> > > $select_the_user="SELECT * FROM users WHERE
> > > username=".$username." AND
> > > password=".$password." LIMIT 1";
> >
> > Imagine if the user entered:
> >
> > "someuser' OR username ='someuser" for $username.
> > Your SQL statement would turn out:
> >
> > SELECT * FROM users WHERE
> > username='someuser' OR username='someuser' AND
> > password='whatever' LIMIT 1
> >
> > Which would always selects the user as long as the
> > user guessed the username correctly (pw no longer
> > used).  The slashes give you protection against this
> > by ensuring that any quotes included in the user's
> > input are escaped by a slash so that you end up with:
> >
> > SELECT * FROM users WHERE
> > username='someuser\' OR username=\'someuser' AND
> > password='whatever' LIMIT 1
> >
> > Your intended logic is preserved.
> >
> > Regarding other questions, I'll let other folks take a
> > crack.
> >
> > Jeremy Thibeaux
> > Lucid Factory, inc.