Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding + code
From: "David M. Wilson" <dw-securecoding.org () botanicus net>
Date: Fri, 05 Dec 2003 21:16:06 +0000
On Thu, Dec 04, 2003 at 03:57:21PM -0700, Paul R. C. Ming wrote:
In general, it's better to check that input is valid, rather than trying to check for invalid input or trying to sanitize the input.
Checking for valid input should occur anyway; What if '"' or "'" is valid input? Not every SQL database just contains usernames you know. ;)
For this case, you would want to check that the username contains only valid characters (e.g. letters and digits). Match the username against a regular expression, such as ^[A-Za-z][A-Za-z0-9]{0,31}$. If it matches, it's okay, otherwise, tell the user it's not a valid username and what makes a valid username.
But in the end, you still have a function somewhere that accepts a validated username and passes it unescaped to the SQL server, right? In many years from now when you have left your company and the codebase is passed on to an internationalisation team, who, as part of their work, expand the validation function to accept valid characters in weird character sets. Now your function gets characters passed to it which map to '"' and "'" again, and you are in trouble. By ignoring the issue in the first place you introduced a security bug in the future.
Going on the assumption that PHP does not use \0 to indicate the end of a string (as i said, i don't know PHP), the only thing You do with the password field directly is check that it is not empty, then put it through MD5. I think MD5 is sanitation enough. What do others say? (This would also give You a really tiny speed improvement. :)
Using MD5 gives a speed improvement? What planet are you from. ;)
I believe that running the password through MD5 is enough, because PHP's md5(string)'s output is going to be a 32 character hexadecimal string. (Just don't use the md5()'s raw option...)
My point from above still stands. You are skipping data abstraction in favour of limiting inputs which would trigger a bug.
The PHP manual says that they don't escape % or _. I don't know SQL that well, so what implications does that have?
If you pass your escaped string as the operand to a "LIKE" clause, then the user input could then expand your wildcard match. David.
Current thread:
- Re: Scripting Languages and Secure Coding M. Buchzik (Dec 03)
- Re: Scripting Languages and Secure Coding Timo Sirainen (Dec 03)
- Re: Scripting Languages and Secure Coding Martin Stricker (Dec 03)
- Re: Scripting Languages and Secure Coding + code Ghita Serban (Dec 04)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 04)
- Re: Scripting Languages and Secure Coding + code Andrew Rucker Jones (Dec 04)
- Re: Scripting Languages and Secure Coding + code Paul R. C. Ming (Dec 04)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 07)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 09)
- Re: Scripting Languages and Secure Coding + code Carsten Kuckuk (Dec 09)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- Re: Scripting Languages and Secure Coding + code securecodingorg (Dec 04)
- Re: Scripting Languages and Secure Coding + code Jeremy Thibeaux (Dec 04)