It will be a large undertaking, but I'll help change this across the board. I'm going out of town for the next 2 days and won't be near my computer, but I can start on it when I get back.
From: Chris Morgan <cmorgan@alum.wpi.edu>
To: wine-devel@winehq.org, EA Durbin <ead1234@hotmail.com>
Subject: Re: appdb security
Date: Thu, 8 Jun 2006 16:40:55 -0400
Alright. I'm sold on having to check all user input. We should make this input checking change across the board if you are up for it.
$clean = array(); //array of filtered user input
+$clean['catId'] = makeSafe( $_REQUEST['catId'] );
function admin_menu() {
- if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
- else $catId="";
- $clean['catId'] = makeSafe( $_REQUEST['catId'] );
- if ( empty($clean['catId']) )
- {
$clean['catId']="";
- }
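Review bot: the added top-level line `+$clean['catId'] = makeSafe( $_REQUEST['catId'] );` indexes `$_REQUEST['catId']` unconditionally, while the removed `if(isset($_REQUEST['catId']))` was the only guard for the missing-parameter case, so a request without catId now raises an undefined-index notice before makeSafe() runs; either pass `isset($_REQUEST['catId']) ? $_REQUEST['catId'] : ''` or let makeSafe() itself treat an absent or empty value as "", which is the question raised directly below. Separately, `$clean['catId']="";` is kept as context while the enclosing `- if ( empty($clean['catId']) )`, `- {` and `- }` are removed, so as written it runs unconditionally inside admin_menu() and overwrites the filtered value (and, since `$clean` is built at file scope, the function would need `global $clean` to see it at all); it should go out with the if, or the if should stay.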
Is there a reason why we don't do the if(empty()) check inside of makeSafe()?
Chris
On Thursday 08 June 2006 1:40 pm, EA Durbin wrote:
I always use the method of filtering user input as described at the PHP Security Consortium. It makes it easier to track tainted user input vs. filtered input. If all filtered variables are put in an array it makes it easier to ensure you're using the non-tainted variable.
http://phpsec.org/projects/guide/1.html#1.4
Then PEAR::DB to query the MySQL database, as PEAR::DB handles the SQL filtering.
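The filtered-input pattern EA Durbin refers to, and Chris's point that the empty check belongs inside the filter, as an added example (this is not AppDB code and not from phpsec.org; filterRequest(), the rule names and the sample parameters are this example's own, and it needs PHP 7 or later):

```php
<?php
// Added example, not AppDB code: every filtered request value is collected in
// $clean, and the filter itself decides what a missing, empty or malformed
// parameter becomes, so callers never write their own isset()/empty() checks.
// filterRequest() and the rule names below are invented for this example.

/**
 * Build $clean from $request, containing exactly the keys listed in $rules.
 *
 * $rules maps a parameter name to one of:
 *   'int'       a non-negative integer stored as int; null when absent or invalid
 *   'string'    text with control characters removed and a length cap; '' when absent
 *   an array    an allow-list of exact values; anything else becomes null
 *
 * Filtering is about shape and type only. Whatever reaches the database must
 * still go through placeholders (PEAR::DB, PDO, mysqli); a clean string is not
 * an escaped string.
 */
function filterRequest(array $rules, array $request, int $maxLen = 255): array
{
    $clean = array();
    foreach ($rules as $name => $rule) {
        $raw = isset($request[$name]) ? $request[$name] : null;
        // ?catId[]=1 turns a scalar into an array; never accept that silently.
        if (is_array($raw)) {
            $raw = null;
        }
        if ($rule === 'int') {
            // FILTER_VALIDATE_INT rejects '42 OR 1=1', '0x1A', '1e3' and a missing value.
            $v = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 0)));
            $clean[$name] = ($v === false) ? null : $v;
        } elseif ($rule === 'string') {
            $s = ($raw === null) ? '' : preg_replace('/[\x00-\x1F\x7F]/', '', (string) $raw);
            $clean[$name] = mb_substr($s, 0, $maxLen);
        } elseif (is_array($rule)) {
            $clean[$name] = in_array($raw, $rule, true) ? $raw : null;
        } else {
            throw new InvalidArgumentException("unknown filter rule for $name");
        }
    }
    return $clean;
}

// Constructed sample standing in for $_REQUEST: 'iLimit' is absent on purpose,
// 'catId' carries a tampered value and 'sOrder' is outside the allow-list.
$sampleRequest = array(
    'catId'  => '42 OR 1=1',
    'sOrder' => 'name; DROP TABLE appFamily',
    'sQuery' => "wine\x00",
);
$clean = filterRequest(array(
    'catId'  => 'int',
    'iLimit' => 'int',
    'sOrder' => array('name', 'date', 'rating'),
    'sQuery' => 'string',
), $sampleRequest);

// From here on the page touches $clean only; $_REQUEST is never read again.
if ($clean['catId'] === null) {
    // No usable category: render the top level rather than guessing.
}
```

With that input the tampered catId fails FILTER_VALIDATE_INT and comes back as null, the out-of-list sOrder is null, the absent iLimit is null, and sQuery keeps "wine" with the NUL byte removed. Because the rule table lists every parameter a page accepts, anything the page does not expect never appears in $clean, which is what makes "only ever read $clean" enforceable in review.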
From: Jonathan Ernst <jonathan@ernstfamily.ch>
To: wine-devel@winehq.com
Subject: Re: appdb security
Date: Thu, 08 Jun 2006 18:12:20 +0200
On Thursday, 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-)
I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue.
Chris
Lately I have used the following snippet in all my webapps to secure them against SQL injection:
http://php.net/mysql_real_escape_string under "Best practice".
<?php
function smart_quote($value)
{
    // Undo magic_quotes_gpc escaping so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape and quote anything that is not a number; numbers go in unquoted
    // (mysql_real_escape_string() needs an open mysql_connect() link)
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Secure query
$sQuery = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
                  smart_quote($_POST['username']),
                  smart_quote($_POST['password']));
mysql_query($sQuery);
?>
I think it is better than what we have now in AppDB (didn't check it though). If nobody looks at it, I'll check the code after my master thesis (in one month).
Jonathan
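The same login query written with a prepared statement, as an added example rather than code from the thread or from AppDB. smart_quote() works by escaping and quoting in application code and so depends on mysql_real_escape_string() knowing the connection's character set and on is_numeric() semantics; with placeholders the driver keeps the SQL text and the values apart and neither concern exists. The users table, the in-memory SQLite database and findUser() are constructed here so the script runs without MySQL (PHP 7.1 or later with PDO):

```php
<?php
// Added example, not from the thread or AppDB: the smart_quote() login query
// as a prepared statement. SQLite in memory is used so this runs stand-alone;
// against MySQL only the DSN changes, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.

function findUser(PDO $db, string $username, string $password): ?array
{
    // The SQL is fixed at prepare time. Bound values travel as data, so a quote,
    // a semicolon or a numeric-looking string in $username cannot alter the
    // statement, and no is_numeric()/quote branching is needed.
    $stmt = $db->prepare('SELECT id, user FROM users WHERE user = :user AND password = :password');
    $stmt->execute(array(':user' => $username, ':password' => $password));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Constructed fixture. The plain-text password column only mirrors the original
// snippet's query; a real table would hold a hash and compare with password_verify().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL, password TEXT NOT NULL)');
$db->exec("INSERT INTO users (user, password) VALUES ('alice', 'correct horse')");

// Legitimate login.
$row = findUser($db, 'alice', 'correct horse');

// Classic tautology attempt. Concatenated into SQL this would read
//   WHERE user='alice' OR '1'='1' -- ' AND password='anything'
// Bound as a parameter, the whole string is compared against the user column
// as a single value and matches no row.
$attack = findUser($db, "alice' OR '1'='1' -- ", 'anything');

var_dump($row !== null, $attack === null);
```

The var_dump() at the end is a self-check: the legitimate lookup returns a row and the injection attempt returns null. With MySQL, set PDO::ATTR_EMULATE_PREPARES to false so statements are prepared server-side rather than interpolated by the driver.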