You are here: RE: [PHP] security/sql issues with php « PHP « IT news, forums, messages
RE: [PHP] security/sql issues with php

Posted by "bruce" on 09/21/05 20:20

got it!!

if i could find docs/methods/etc.. i'd gladly share...

two questions:

1) css scripting. how can it be prevented?? what are some of the methods
that you guys use?

2) what are some of the actual code methods used in real sites to deal with
URL/Query (GET/POST) parsing?

what do you guys say about putting together a list of what should be done
for the different aspects of a web site/app...??

as an example, i'd really like to know what should be done when you have a
POST/GET item. should it always be checked? how should it be checked? what's
the best method? etc.... i would hope that it wouldn't be hard for
gurus/experts to agree on these kinds of issues...


-bruce


-----Original Message-----
From: tg-php@gryffyndevelopment.com
[mailto:tg-php@gryffyndevelopment.com]
Sent: Wednesday, September 21, 2005 8:29 AM
To: bedouglas@earthlink.net
Subject: RE: [PHP] security/sql issues with php


no proble, Bruce. I know you're looking for something more, but if you
ended up building your own, thought I'd toss my 2cents worth of code into
the mix. hah

And yeah, I'm suprised, but not suprised, at the lack of a decent solution.
I have some friends who work in high computer security and from what I've
seen of that end of the business, it seems that people are more interested
in selling GIANT systems with GIANT (frequently hands-on by contracted
techs) maintenance aggreements or companies want to do the consulting thing
so they can bill hourly or something.

The problem with security products is that they need fairly constant
maintenance. Nobody wants to make a good solid package/etc that covers 99%
of the issues and then have someone bitch at them when it doesn't cover
something brand new, or when some advanced technique is used..etc.

To me it sees a combination of lack of desire to maintain something robust
AND free as well as the greed factor of being able to milk support contracts
out of people for doing hands-on security work.

I'm still suprised at the lack of good packages that would cover the
mid-level security needs. At least when I was looking, I didn't find
anything that I felt was stable enough to use. I prefer simple and tight
to massive and possibly flawed. I'll keep building mine as I learn new
things and develop new requirements, but for now it does exactly what it
needs to do.

Best of luck! And if you find something noteworthy, please post it to the
list.

Thanks!

-TG

= = = Original message = = =

trevor...

appreciate the reply!!

we've seen alot of homegrown solutions!! but we're hoping that we can find
something that's robust/tested/used in the industry/etc...

the issue of security is widespread, but you'd be surprised (maybe not) at
how poorly it appears to be implemented in various apps!!!

-bruce



-----Original Message-----
From: tg-php@gryffyndevelopment.com
[mailto:tg-php@gryffyndevelopment.com]
Sent: Wednesday, September 21, 2005 7:54 AM
To: bedouglas@earthlink.net
Subject: Re: [PHP] security/sql issues with php


I know you're looking for something bigger and more complete, but in the
meantime maybe this will give you something of a foundation to build on to
make your own sanitizer. I wrote this function that I include() into my
code to try to make data somewhat safer before using it in a SQL statement.
The reason I used so many 'case' statements is so I don't have to change my
main PHP code when I figure out a better way (or just new criteria) for
fixing/cleansing one type of data. For instance, you'll see "money" and
"percent" and "float" do the same cleaning right now. Maybe later I'll
decide I want to handle money different, all I need to do is change this
function and not all my code. You get the idea. This code is specific to
MySQL but you can substitute any DB's "escape" function at the end to
customize it.

Anyway, something to play with at least, since I didn't find any good
classes, packages, etc when I was looking either. Let me know if you have
any questions:

-TG

<?php
~/**
~*~DBSanitizeData() prepares data for inserting/updating into or selecting
from
~* MySQL by making sure that string data is properly escaped so as not to
allow
~* 'SQL injection' type security issues from happening. No direct $_POST or
$_GET data
~* should ever be used in a SQL string.
~*
~* Returns sanitized copy of data sent to it.
~*
~* Example: $result = mysql_query('INSERT INTO TableName (SomeColumn) VALUES
(' . DBSanitizeData($_POST['somevar'], datatype) . ')');
~*
~* <pre>
~* Modification Log:
~* --------------------------------------------------
~* Created: ~~Trevor Gryffyn - 03/28/2005
~* Modified: Trevor Gryffyn - 08/25/2005
~* Updated comments, changed mysql_escape_string() to
mysql_real_escape_string()
~*
~* </pre>
~*
~* @author Trevor Gryffyn <tgryffyn@gotoami.com>
~* @category Database Functions
~*
~*/
function DBSanitizeData($dbdata, $datatype = "alpha")
switch (strtolower($datatype))
case "binary":
case "truefalse":
$trues = array("YES", "Y", "1", "ON", "TRUE", "T");
$falses = array("NO", "N", "0", "OFF", "FALSE", "F");
if (in_array(trim(strtoupper($dbdata)), $trues))
$dbdata = "Y";
else
$dbdata = "N";

break;

case "phone":
case "numeric":
case "number":
case "zip":
case "zipcode":
case "ssn":
$dbdata = preg_replace ('/[^\d]+/s', '', $dbdata);
break;

case "float":
case "money":
case "percent":
// TODO: Should this be handled with floatval() or something else?
// Yes.. it probably should. Maybe this is better.
if (strstr($dbdata, ".") AND trim($dbdata) <> "")
#$dbdata = (preg_replace ('/[^\d]+/s', '', $dbdata) / 100) .
".00";
$dbdata = floatval(preg_replace ('/[^\d]+/s', '', $dbdata) / 100);
else
#$dbdata = preg_replace ('/[^\d]+/s', '', $dbdata) . ".00";
$dbdata = floatval(preg_replace ('/[^\d]+/s', '', $dbdata));

break;

case "name":
case "address":
case "city":
$dbdata = ucwords($dbdata);
break;

case "state":
$dbdata = strtoupper($dbdata);
break;

case "date":
$dbdata = date("Y-m-d", strtotime($dbdata));
if ($dbdata == "1969-12-31") $dbdata = "";
break;

case "alpha":
case "url":
default:
// Nothing special, just jump down to the trim/escape
break;

return trim(mysql_real_escape_string($dbdata));

?>

= = = Original message = = =

hi..

i've been searching/researching the areas of security regarding url input,
form input, as well as database input (mysql). while there are plenty of
articles that touch on the topic, i'm looking for a given site/package/lib
(open source) that is pretty much the standard that i could use for my
website/app...

basically, i don't want to recreate the wheel, if there is already a
serious/good solution to this area. given the importance of this area, i'm
assuming that there is a lib/package that already exists to handle these
issues.

i've looked through google, as well as various open source web apps to see
how some of this is handled, and it appears the level of sophistication for
handling this is all over the place!!

i want to stress, i'm looking for the package/lib that's strong enough/valid
enough to be used in a serious commercial app.. a lot of what i've
seen/suggestions on various sites arent' complete/strong..

(this stuff has got to be around/available, i mean google/ebay/1000's of
sites are up/running without having issues!!!)



URL Issues/Thoughts...
-Should Handle basic regex filtering of POST/GET/REQUEST Querystring data
-Filtering of basic mysql commands/functions/characters
(Insert/Drop/etc...)

Query Array Thoughts/Issues
-Should filter the arrays (GET/POST/REQUEST)
-Filtering of basic mysql commands/functions/characters
(Insert/Drop/etc...)
-Check for datatype
-Set Datatype
-Log all errors/issues

Mysql DB Issues
-Parsing/inspection of all data prior to insertion in sql_query_string
-Use of 'datatype' arg in the query to insure that the correct datatype val
is used in the sql_string
-Regex comparison of the vals prior to use in the sql_string
-Proper usage of slashes/quotations around variables/sql_strings
-Logging of all db interactions

any other things that should be handled

(yeah.. i know, i haven't even gotten into the issue of having separate
db/app servers, and security of the overall hardware/app environment...)

-thanks

-bruce
bedouglas@earthlink.net

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


___________________________________________________________
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.


___________________________________________________________
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация