WebApp Sec mailing list archives
Re: Anyone have some basic security tips for PHP-programmers?
From: Tommy Gildseth <gildseth () start no>
Date: Wed, 19 Nov 2003 06:16:05 +0100
arek () chelmnet pl wrote:
> Good Night (here in Poland)
>
> > Good Morning (at least here in Nevada)
> > Anyone have any hints for good PHP practices (Looking for kind of a
> > "This is one of the most common PHP security flaws" kind of thing)?
>
> Firstly, the easiest way is to enable the following lines for every .php
> script, or in the master index.php:
>
> foreach ($_GET as $k => $v) {
>     $_GET[$k] = addslashes($_GET[$k]);
>     $v = addslashes($v);
>     $v = ereg_replace(';', '', $v);
>     eval(" \$$k = \"$v\" ;");
> }
> foreach ($_POST as $k => $v) {
>     $_POST[$k] = addslashes($_POST[$k]);
>     $v = addslashes($v);
>     $v = ereg_replace(';', '', $v);
>     eval(" \$$k = \"$v\" ;");
> }
1. This is essentially what magic-quotes does:
   http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc
   If your server doesn't have this enabled, you can enable it with .htaccess for your webarea only.

2. Using ereg_replace for simple string substitution is rather inefficient. Use str_replace().

3. eval is also inefficient; all the time you can use $_GET[$k] = $v;

4. At least with MySQL it's not possible to pass multiple chained queries in one mysql_query() call. It is however possible to use f.ex -- to comment out the rest of the query, or in more sophisticated RDBMS, use subqueries. $v=ereg_replace(';','',$v); is therefore inadequate, and probably doesn't do anything to enhance security.

General filtering like that is often inadequate, and you probably need to do more work. F.ex if it's a numeric value you are inserting into the database, check that it is_numeric(); escape string values with mysql_escape_string() (or the equivalent for other RDBMS, f.ex pg_escape_string()).
Tommy Gildseth
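An added example, not code from the thread: a PHP sketch contrasting the blanket filter quoted above with the per-field checking Tommy describes. The function name build_user_query and the $escape callable are assumed; a plain addslashes stand-in is passed in place of the driver's real escaping function so the file runs without a database connection.

```php
<?php
// Added example, not code from the thread. Contrasts the blanket filter
// quoted above with the per-field checks Tommy recommends.

// The quoted filter: addslashes() plus semicolon stripping. It never
// touches the "--" comment marker Tommy points out.
function naive_filter(string $v): string
{
    return str_replace(';', '', addslashes($v));
}

// Per-field handling: a numeric column is checked with is_numeric() and
// cast, a string column is run through the driver's escaping function.
// $escape stands in for mysqli_real_escape_string()/pg_escape_string();
// the caller supplies it, so this file runs without a database connection.
// Note is_numeric() also accepts forms such as "1e3" or " 42", so the
// (int) cast is what actually fixes the value's type for the query.
function build_user_query(array $input, callable $escape): string
{
    if (!isset($input['id']) || !is_numeric($input['id'])) {
        throw new InvalidArgumentException('id must be numeric');
    }
    $id   = (int) $input['id'];
    $name = $escape((string) ($input['name'] ?? ''));
    return "SELECT * FROM users WHERE id = $id AND name = '$name'";
}

// Constructed sample input: an id carrying a comment marker, and a name
// containing a single quote.
$input = ['id' => '1 -- ', 'name' => "O'Hara"];

// The naive filter leaves the comment marker in place.
echo "naive filter keeps: ", naive_filter($input['id']), "\n";

// The per-field check rejects the id because is_numeric() fails on it.
try {
    echo build_user_query($input, 'addslashes'), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A well-formed id goes through, and the quote in the name is escaped.
echo build_user_query(['id' => '42', 'name' => $input['name']], 'addslashes'), "\n";
```

With a current PHP version the same intent is met more simply by binding $id and $name as parameters of a prepared statement (mysqli or PDO), which removes the need to escape by hand.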