|
Posted by "Richard Lynch" on 11/14/05 22:38
On Fri, November 11, 2005 5:18 pm, Chris Shiflett wrote:
> Richard Lynch wrote:
>> Suppose PHP had a superglobal $_CLEAN which was an empty array.
>
> This seems like a decent idea, for two reasons:
>
> 1. Developers don't have to remember to initialize their array, which
> offers some protection. PHP can do this for them.
>
> 2. Variable scope issues are not a concern. Currently, using this
> technique within functions and classes is clumsy at best.
>
> However, most security issues like XSS and SQL injection aren't really
> input filtering problems. Often, input filtering can effectively
> eliminate these vulnerabilities (and there's no excuse to not be
> filtering input), but escaping addresses the root cause of the
> problem.
It's certainly not a magic bullet.
But I think it would help a lot of newbies get set on the right path
from the get-go, of thinking about security from "Hello World" instead
of trying to graft Security onto their 30,000 line forum after it gets
nailed by bad guys.
The residual effects are, hopefully, bigger than the direct benefit.
If a good way to escape OUTPUT was also incorporated, that would be
even better.
But just getting folks THINKING about this kind of stuff from Day One
of their PHP scripting would make a big difference.
Perhaps one should use:
$_ICLEAN
$_OCLEAN
for Input and Output.
$kosher = '/[^A-Za-z0-9\\',\\.-]/';
$_ICLEAN['first_name'] = preg_replace($kosher, '', $_GET['first_name'];
/* more code */
$_OCLEAN['first_name'] = htmlentities($_ICLEAN['first_name']);
echo "<p>$_OCLEAN[first_name] is way smarter than me.</p>\n";
If you had anything other than $_OCLEAN in an echo and friends, then
you would know you were screwing up.
I really think it's important for the PHP community to push towards
safer practices at the most basic levels.
Examples in the manual, textbooks, etc.
If everybody knew $_ICLEAN and $_OCLEAN meant data cleaned from input
or data cleaned for output, then one could simply use them in examples
instead of $_GET or $data.
I'm not sure we can (or even should) go as far as Perl's tainted mode,
but I think setting the right example and having an infrastructure to
"do it right" would be a Good Thing.
--
Like Music?
http://l-i-e.com/artists.htm
Navigation:
[Reply to this message]
|