WebApp Sec mailing list archives

RE: Anyone have some basic security tips for PHP-programmers?


From: <arek () chelmnet pl>
Date: Thu, 20 Nov 2003 17:23:43 +0100


1. This is essentially what magic-quotes does
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc
If your server doesn't have this enabled, you can enable it with
.htaccess for your webarea only.
OK, I knew it, right
2. Using ereg_replace for simple string substitution is rather
inefficient. Use str_replace()
OK, right
3. eval is also inefficient; you can always use $_GET[$k] = $v;
YES, in this case
4. At least with MySQL it's not possible to pass multiple chained
queries in one mysql_query() call. It is however possible to use f.ex --
to comment out the rest of the query, or in more sophisticated RDBMS,
use subqueries. $v=ereg_replace(';','',$v); is therefore inadequate, and
probably doesn't do anything to enhance security.

Why? If I cut all the possible SQL_INJECTION characters out of my variables
from Posted/Get/other possible sources (files, other),
so in this case, where could the SQL_INJECTION therefore come from???
In my opinion, it is better not to enable the user to type his messages in my
services using any of that: "hello i'm Jorge" (I mean \')
So after including the above typed instruction, can I be 100% sure that
SQL_INJECTION (of directly typed variables) is not possible?

General filtering like that is often inadequate, and you probably need
to do more work. F.ex if it's a numeric value you are inserting into the
database, check that it is_numeric();
Yes, but this takes more programming time, so in developing I think
that it is better to first leave the performance to the next stage of
programming (marking these places in the source: "//TO_DO")
Escape string values with mysql_escape_string() (or equivalent for other
RDBMS, f.ex pg_escape_string())
Yes, but there is always the possibility to evaluate the exploit code put
before into the MySQL db which was passed by any of the escape functions. I beware of
that, so I disable all possibilities of any evaluated strings ( ' ` ; $ \ )
being anywhere in the system.

From the other topic...
James Mitchell [reductor () askmiky com] has informed me about the
possibility of exploiting the FUNCTION_INIT() code; he was right...
(the previous code)
function FUNCTION_INIT() {
    // calls whatever function name the request supplies, unchecked
    if ($_POST['FUNCTION_INIT']) {
        $_POST['FUNCTION_INIT']($ARG1, $ARG1_VAL);
    } else if ($FUNCTION_INIT) {
        $FUNCTION_INIT($ARG1, $ARG1_VAL);
    }
}

I can't change the way my program works, but... I thought about a simple
way to prevent any possible exploiting...
Here is my project:

The index.php after successful login has several URLs available - one with
index.php?FUNCTION_INIT=USER_VIEV&ID=1,
the HREF is created with a function inside - CREATE_HREF, which does this:
function CREATE_HREF($FUNCTION_INIT, $HREF) {
    echo "$HREF";
    // remember the function name this link is meant to invoke
    $_SESSION_POSSIBLE['FUNCTIONS_NAMES'][$_SESSION_POSSIBLE['FUNCTIONS_NAMES_ID']] = $FUNCTION_INIT;
    $_SESSION_POSSIBLE['FUNCTIONS_NAMES_ID']++;
}

and the modified FUNCTION_INIT function now has the following code included:
function FUNCTION_INIT() {
    $DIE_OR_NOT = "DIE";
    // accept only names that CREATE_HREF recorded in the session
    foreach ($_SESSION_POSSIBLE['FUNCTIONS_NAMES'] as $_SESSION_POSSIBLE_TEMP) {
        if ($_SESSION_POSSIBLE_TEMP == $FUNCTION_INIT) $DIE_OR_NOT = "NOT_DIE";
    }
    if ($DIE_OR_NOT == "DIE") die('Unsupported typed function');

    if ($_POST['FUNCTION_INIT']) {
        $_POST['FUNCTION_INIT']($ARG1, $ARG1_VAL);
    } else if ($FUNCTION_INIT) {
        $FUNCTION_INIT($ARG1, $ARG1_VAL);
    }
}


Something like that...

What are the vulnerabilities of that code? :)

A.Binder

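Added example, not code from the post above: the modified FUNCTION_INIT compares $FUNCTION_INIT against the session list, yet the first branch still dispatches $_POST['FUNCTION_INIT'], which that check never looks at, and the list itself is grown at runtime by every link rendered. The usual fix is a fixed allow-list in code that maps request names to handlers and validates the same value that is called; the handler names and the dispatch() function below are hypothetical stand-ins, written in modern PHP rather than the PHP 4 of the original.

```php
<?php
// Hypothetical handlers, stand-ins for the poster's USER_VIEV-style functions.
function user_view(int $id): string { return "viewing user $id"; }
function user_list(int $id): string { return "listing users"; }

// The only names a request may ever cause to be called. Fixed at coding time,
// never extended from a session or a request.
const ALLOWED_FUNCTIONS = [
    'USER_VIEW' => 'user_view',
    'USER_LIST' => 'user_list',
];

// $request stands in for $_GET or $_POST; the same array is checked and used.
function dispatch(array $request): string {
    $name = $request['FUNCTION_INIT'] ?? '';
    // Look the name up in the allow-list; the request value is never used as
    // a function name directly, only as a key into ALLOWED_FUNCTIONS.
    if (!is_string($name) || !array_key_exists($name, ALLOWED_FUNCTIONS)) {
        return 'Unsupported function';
    }
    // Validate the numeric argument (the is_numeric() check from the thread)
    // before it reaches any query or handler.
    $id = $request['ID'] ?? '';
    if (!is_numeric($id) || (int)$id < 0) {
        return 'Invalid ID';
    }
    $handler = ALLOWED_FUNCTIONS[$name];
    return $handler((int)$id);
}

// Constructed sample requests: one legitimate, one naming a function outside
// the allow-list, one with a non-numeric ID (the quote the thread discusses).
echo dispatch(['FUNCTION_INIT' => 'USER_VIEW', 'ID' => '1']), "\n";
echo dispatch(['FUNCTION_INIT' => 'phpinfo', 'ID' => '1']), "\n";
echo dispatch(['FUNCTION_INIT' => 'USER_VIEW', 'ID' => "1'"]), "\n";
```

Because the map is a constant, nothing a client sends can add a name to it, and the ID check keeps non-numeric input out of the query regardless of escaping.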

Current thread: