WebApp Sec mailing list archives
RE: Anyone have some basic security tips for PHP-programmers?
From: <arek () chelmnet pl>
Date: Thu, 20 Nov 2003 17:23:43 +0100
1. This is essentially what magic_quotes does: http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc If your server doesn't have this enabled, you can enable it with .htaccess for your web area only.
OK, I knew it, right.
2. Using ereg_replace for simple string substitution is rather inefficient. Use str_replace()
OK, right
3. eval is also inefficient; all the time you can use $_GET[$k] = $v;
YES, in this case
4. At least with MySQL it's not possible to pass multiple chained queries in one mysql_query() call. It is however possible to use f.ex -- to comment out the rest of the query, or in more sophisticated RDBMS, use subqueries. $v=ereg_replace(';','',$v); is therefore inadequate, and probably doesn't do anything to enhance security.
Why?? If I cut all the possible SQL injection characters out of my variables from POST/GET/other possible sources (files, other), then where could the SQL injection come from??? In my opinion, it is better not to allow the user to type his messages in my services using any of these: "hello i'm Jorge" (I mean \'). So after including the above instruction, can I be 100% sure that SQL injection (of directly typed variables) is not possible?
General filtering like that is often inadequate, and you probably need to do more work. F.ex if it's a numeric value you are inserting into the database, check that it is_numeric();
Yes, but this takes more programming time, so during development I think it is better to first leave the performance to the next stage of programming (marking these places in the source: "//TO_DO").
Escape string values with mysql_escape_string() (or the equivalent for other RDBMS, f.ex pg_escape_string()).
Yes, but there is always the possibility of evaluating exploit code that was put into the MySQL DB earlier after passing through any of the escape functions. I beware of that, so I disable all possibilities of any evaluated strings ( ' ` ; $ \ ) being anywhere in the system.
From the other topic...

James Mitchell [reductor () askmiky com] has informed me about the possibility of exploiting the FUNCTION_INIT() code; he was right. (The previous code:)

    function FUNCTION_INIT() {
        // Calls whatever function name arrives in the request;
        // $FUNCTION_INIT is the request parameter as registered by register_globals
        if ($_POST['FUNCTION_INIT']) {
            $_POST['FUNCTION_INIT']($ARG1, $ARG1_VAL);
        } else if ($FUNCTION_INIT) {
            $FUNCTION_INIT($ARG1, $ARG1_VAL);
        }
    }

I can't change the way my program works, but I thought about a simple way to prevent any possible exploiting. Here is my project: after a successful login, index.php has several URLs available, one of them index.php?FUNCTION_INIT=USER_VIEV&ID=1. The HREF is created with a function inside, CREATE_HREF, which does this:

    function CREATE_HREF($FUNCTION_INIT, $HREF) {
        echo "$HREF";
        // Remember every function name a link was generated for
        $_SESSION_POSSIBLE['FUNCTIONS_NAMES'][$_SESSION_POSSIBLE['FUNCTIONS_NAMES_ID']] = $FUNCTION_INIT;
        $_SESSION_POSSIBLE['FUNCTIONS_NAMES_ID']++;
    }

and the modified FUNCTION_INIT function now has the following code included:

    function FUNCTION_INIT() {
        $DIE_OR_NOT = "DIE";
        // Allow only names that CREATE_HREF recorded earlier
        foreach ($_SESSION_POSSIBLE['FUNCTIONS_NAMES'] as $_SESSION_POSSIBLE_TEMP) {
            if ($_SESSION_POSSIBLE_TEMP == $FUNCTION_INIT) $DIE_OR_NOT = "NOT_DIE";
        }
        if ($DIE_OR_NOT == "DIE") die('Unsupported typed function');
        if ($_POST['FUNCTION_INIT']) {
            $_POST['FUNCTION_INIT']($ARG1, $ARG1_VAL);
        } else if ($FUNCTION_INIT) {
            $FUNCTION_INIT($ARG1, $ARG1_VAL);
        }
    }

Something like that... What are the vulnerabilities of that code? :) A.Binder
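The fourth point of the quoted reply (stripping ';' does not stop injection because '--' comments out the rest of the query, and the real fix is is_numeric() plus escaping or binding) as an added worked example; this is not code from the thread or from either poster. It assumes PHP with PDO and the SQLite driver so that it runs offline against an in-memory database; the users table, its rows and the attacker payload are constructed here, and a prepared statement stands in for the mysql_escape_string() step the reply recommends.

```php
<?php
// Added example, not from the mailing-list post. Assumes PDO + SQLite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 's3cr3t-a'), (2, 'bob', 's3cr3t-b')");

// The filter from the post: remove semicolons and assume chained queries are gone.
function strip_semicolons(string $v): string
{
    return str_replace(';', '', $v);
}

// Vulnerable lookup: the "filtered" value is still interpolated into the SQL text.
function lookup_filtered(PDO $db, string $id): array
{
    $v = strip_semicolons($id);
    $sql = "SELECT name FROM users WHERE id = $v";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened lookup: check the type first (is_numeric, as the reply suggests),
// then bind the value so it can never be parsed as SQL.
function lookup_checked(PDO $db, string $id): array
{
    if (!is_numeric($id)) {
        throw new InvalidArgumentException('id must be numeric');
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: no semicolon and no quote, so a character blacklist
// passes it through untouched; "--" comments out anything that followed.
$payload = "1 OR 1=1 --";

var_dump(lookup_filtered($db, $payload)); // both names come back: the filter did nothing
try {
    lookup_checked($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
var_dump(lookup_checked($db, '2')); // only "bob"
```

The payload contains none of the characters the poster proposes to strip, which is the point of the reply: in a numeric context the attacker needs neither a quote nor a semicolon, so validating the type and binding the value is what closes the hole, not removing characters.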
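A hardened version of the FUNCTION_INIT dispatcher from the message above, added here as an example and not the poster's code. It replaces the session-built list of names with a fixed map of request names to callables, takes the name from the request array only (no register_globals fallback), and checks exactly the value that is about to be invoked. The function names USER_VIEW and USER_EDIT and the request arrays are assumptions made up for the demonstration.

```php
<?php
// Added example, not the poster's code. Hypothetical handler functions:
function USER_VIEW(string $arg, string $val): string
{
    return "USER_VIEW($arg=$val)";
}

function USER_EDIT(string $arg, string $val): string
{
    return "USER_EDIT($arg=$val)";
}

// Fixed whitelist: request name => function to call. The request value is only
// ever used as an array key; it is never executed itself, so names such as
// "system" or "phpinfo" cannot be reached regardless of what the session holds.
const DISPATCH = [
    'USER_VIEW' => 'USER_VIEW',
    'USER_EDIT' => 'USER_EDIT',
];

function dispatch(array $request, string $arg, string $val): string
{
    // Read from the request array only; the same value is checked and called.
    $name = $request['FUNCTION_INIT'] ?? '';
    // array_key_exists does an exact key match, unlike a loose == comparison.
    if (!is_string($name) || !array_key_exists($name, DISPATCH)) {
        throw new RuntimeException('Unsupported function');
    }
    $fn = DISPATCH[$name];
    return $fn($arg, $val);
}

// Constructed requests standing in for $_POST:
echo dispatch(['FUNCTION_INIT' => 'USER_VIEW'], 'ID', '1'), "\n"; // USER_VIEW(ID=1)
foreach (['system', 'phpinfo', ''] as $bad) {
    try {
        dispatch(['FUNCTION_INIT' => $bad], 'ID', '1');
    } catch (RuntimeException $e) {
        echo "'$bad': ", $e->getMessage(), "\n";
    }
}
```

Because the map is a constant in the source rather than data accumulated in the session, an attacker who can influence what CREATE_HREF records, or who reaches the dispatcher through a path where the whitelist check and the call read different variables, gains nothing: only the two listed functions can ever be called.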
Current thread:
- Anyone have some basic security tips for PHP-programmers? Matthews, Chris (Nov 14)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 18)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 20)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 20)
- Re: Anyone have some basic security tips for PHP-programmers? James Mitchell (Nov 20)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 20)
- Re: Anyone have some basic security tips for PHP-programmers? James Mitchell (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 20)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 18)
- <Possible follow-ups>
- Re: Anyone have some basic security tips for PHP-programmers? DownBload (Nov 18)
- RE: Anyone have some basic security tips for PHP-programmers? Keifer, Trey (Nov 18)
- Re: Anyone have some basic security tips for PHP-programmers? tim (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 23)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 23)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 22)