Alright. I'm sold on having to check all user input. We should make this input checking change across the board if you are up for it.
$clean = array(); //array of filtered user input + +$clean['catId'] = makeSafe( $_REQUEST['catId'] );
function admin_menu() { - if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId']; - else $catId=""; + $clean['catId'] = makeSafe( $_REQUEST['catId'] ); + if ( empty($clean['catId']) ) + { + $clean['catId']=""; + }
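Review bot: the replacement line `$clean['catId'] = makeSafe( $_REQUEST['catId'] );` inside admin_menu() drops the isset() guard that the removed lines had, so a request without catId reads an undefined index (a PHP notice) before makeSafe() sees anything; either keep the isset() test in front of the call or make makeSafe() take the parameter name and do the isset()/empty() handling itself, so every caller gets the same treatment. Also, `$clean = array();` is created at file scope while admin_menu() assigns `$clean['catId']` inside the function body; unless the function declares `global $clean` (not visible in the hunk), it is filling a local array and the filtered value never reaches the rest of the script.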
Is there a reason why we don't do the if(empty()) check inside of makeSafe()?
Chris
On Thursday 08 June 2006 1:40 pm, EA Durbin wrote:
I always use the method of filtering user input as described at the PHP Security Consortium. It makes it easier to track tainted user input vs. filtered input. If all filtered variables are put in an array it makes it easier to ensure you're using the non-tainted variable.
http://phpsec.org/projects/guide/1.html#1.4
Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL filtering.
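The filtered-input array that EA describes and Chris asks about above, as an added example that is not AppDB code and not from the thread. filterInput(), the $request array and every key other than catId are hypothetical; the point is that the isset()/empty() handling the old admin_menu() did by hand lives inside the filter function, and that the rest of the script reads only from $clean.

```php
<?php
// Added example (not AppDB's makeSafe()): the "$clean array" pattern from the
// phpsec guide, with missing-key and empty-value handling inside the filter.
// filterInput(), $request and the keys other than catId are hypothetical.

/**
 * Return a validated copy of $source[$key], or $default when the key is
 * absent, not a scalar, empty, or fails validation. $type is 'int' or 'text'.
 */
function filterInput(array $source, $key, $type, $default = '')
{
    // isset() covers the missing-parameter case; is_scalar() rejects arrays
    // submitted as catId[]=... so the casts below never see an array.
    if (!isset($source[$key]) || !is_scalar($source[$key]) || $source[$key] === '') {
        return $default;
    }
    $raw = $source[$key];

    switch ($type) {
        case 'int':
            // FILTER_VALIDATE_INT returns false for non-integer strings
            // such as "12abc" or "1e3"; the caller's default is used instead.
            $v = filter_var($raw, FILTER_VALIDATE_INT);
            return ($v === false) ? $default : $v;
        case 'text':
            // Text is kept as a trimmed plain string; quoting for SQL or HTML
            // is done where the value is used, not here.
            return trim((string) $raw);
        default:
            return $default;
    }
}

// Constructed stand-in for $_REQUEST so the example runs offline.
$request = array(
    'catId'  => '42',
    'appId'  => '7abc',        // not a valid integer, falls back to the default
    'search' => "  O'Brien  ",
    // 'versionId' deliberately missing
);

// Everything below this point uses $clean, never $request.
$clean = array();
$clean['catId']     = filterInput($request, 'catId', 'int', 0);
$clean['appId']     = filterInput($request, 'appId', 'int', 0);
$clean['versionId'] = filterInput($request, 'versionId', 'int', 0);
$clean['search']    = filterInput($request, 'search', 'text', '');

var_dump($clean);
```

Because the empty check is inside filterInput(), a missing catId, an empty catId and a non-numeric catId all collapse to the same default, which is the behaviour the question above is after; the type argument also means the function can be reused for every request parameter instead of special-casing catId.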
From: Jonathan Ernst jonathan@ernstfamily.ch
To: wine-devel@winehq.com
Subject: Re: appdb security
Date: Thu, 08 Jun 2006 18:12:20 +0200
On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-)
I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue.
Chris
Lately I have used the following snippet in all my webapps to secure them against SQL injection:
http://php.net/mysql_real_escape_string under "Best practice".
<?php
function smart_quote($value)
{
    // Stripslashes: undo magic_quotes_gpc so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Protect it if it's not numeric: quote and escape; numbers are passed through as-is
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Secure query
$sQuery = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
                  smart_quote($_POST['username']),
                  smart_quote($_POST['password']));
mysql_query($sQuery); // the original passed $query, which is never assigned
?>
I think it is better than what we have now in AppDB (didn't check it though). If nobody looks at it, I'll check the code after my master thesis (in one month).
Jonathan
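The same login lookup as Jonathan's smart_quote() snippet, written with a prepared statement so that the database driver, not string concatenation, keeps data separate from SQL. This is an added example, not code from the thread or from AppDB: it uses PDO rather than PEAR::DB (the mysql_* functions in the snippet were removed in PHP 7), an in-memory SQLite table so it runs offline, and constructed users; openDemoDb(), lookupUser() and checkLogin() are hypothetical names. Storing a password_hash() instead of the plaintext password the original query compares is a side choice, not the point of the example.

```php
<?php
// Added example (not from the thread or AppDB): the login query from
// smart_quote(), done with PDO prepared statements. PDO::prepare()/bindValue()
// are standard PHP; the table, rows and helper names are constructed here.

function openDemoDb()
{
    // In-memory SQLite so the example runs offline; AppDB itself used MySQL.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL, pwhash TEXT NOT NULL)");

    // Inserts are parameterised too, so the apostrophe in o'brien is plain data.
    $ins = $db->prepare("INSERT INTO users (user, pwhash) VALUES (:user, :pwhash)");
    foreach (array("alice" => "s3cret", "o'brien" => "hunter2") as $user => $pw) {
        $ins->execute(array(':user' => $user, ':pwhash' => password_hash($pw, PASSWORD_DEFAULT)));
    }
    return $db;
}

/**
 * Look up a user by name. The value is bound as a parameter, so quotes or
 * SQL syntax inside $username never become part of the statement text and
 * no is_numeric()/quoting decision is needed. Returns the row or null.
 */
function lookupUser(PDO $db, $username)
{
    $stmt = $db->prepare("SELECT id, user, pwhash FROM users WHERE user = :user");
    $stmt->bindValue(':user', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** True only when the user exists and the password matches the stored hash. */
function checkLogin(PDO $db, $username, $password)
{
    $row = lookupUser($db, $username);
    return $row !== null && password_verify($password, $row['pwhash']);
}

$db = openDemoDb();
// Constructed inputs standing in for $_POST['username'] and $_POST['password'].
var_dump(checkLogin($db, "alice", "s3cret"));    // correct credentials
var_dump(checkLogin($db, "o'brien", "hunter2")); // embedded quote handled by the driver
var_dump(checkLogin($db, "alice", "wrong"));     // right user, wrong password
var_dump(checkLogin($db, "mallory", "x"));       // no such user
```

With placeholders the statement text is fixed before any user input is seen, which is the property PEAR::DB's placeholder API gives as well; the magic_quotes_gpc dance and the numeric-versus-string branch in smart_quote() disappear because the driver sends the bound value separately from the query.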