MakeWebGames

Security Question


newttster


I'm playing around with a project and basically I am trying (for the hell of it) to see if there is a way to cleanup user input.

For argument's sake ... a username consisting of just alpha characters. Or better yet ... a username that consists of alpha characters, numbers and the underscore. Then once it goes through the clean function it gets sent to the db and then returned via echo by a variable ... ie

echo "{$name}";

I'm thinking (maybe not very well) that doing it this way makes it a lot easier to print/echo to the screen.

 

edit: Thanks for your suggestion, sniko.


Too much... all you need to secure non numeric is mysql_real_escape_string(htmlentities()) <- How is one going to break through that??

Just my opinion when it comes to securing alpha fields. And another opinion I have is that when you secure a script pretty much all that needs to be secured is what goes into the database, you really do not need to use security in echo statements... How is one going to hack echo ''.$ir['username'].''; ?? Or say a message that already was secured while going into the database?

Edited by lucky3809

Right ... I tried various options as per your suggestions. However, I do not fully understand how to use the filters because of the optional flags, so I went with this instead. I am using mysqli_real_escape_string(); because the manual is saying that mysql_real_escape_string() is deprecated and will be removed in the future.

As for the issue with ctype_alnum(), as you said, CavellA it would work great with just numbers and letters. However, for names, most people want to have the option of using spaces or underscores. In that case I would have to use preg_match.

My question now is, if I use the function below and a user's input were:

Hello, my name is James O'Malley. I was born on October 10, 1960. My mother said and I quote "' You were born on the same date as your father & uncle were. Your grandfather opened an account for you and deposited $1,000.00 in it. Because the account has overdraft protection on it, I withdrew $1,100.00 from it leaving a balance of -$100.00.'"

Would it display it exactly as written without inserting any special characters like &34 (or whatever)?

 

// Sanitize input
function clean($str) {
return (htmlspecialchars(strip_tags(trim($str), ENT_QUOTES, "UFT-8")));
}

$mess = clean($_POST['mess']);
$mess = mysqli_real_escape_string($mess);
echo $mess;

 

My other question is, with:

$_GET['ID'] = (isset($_GET['ID']) && !empty($_GET['ID']) && is_numeric($_GET['ID'])) ? abs(@intval($_GET['ID'])) : ''; 

 

Is there a way that the user can manipulate this? For example if they were to input;

+100

-100

"100"

'100'

Would it throw an error or would it see the input as strictly 100?

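As an added example (not code from the thread), the script below runs the posted clean() pipeline over a constructed paragraph containing the same kinds of characters as the one above (apostrophe, double quotes, ampersand, dollar signs, a minus sign) and evaluates the posted ID expression for the four inputs asked about, plus two more numeric-looking strings. It runs clean() twice: once with the argument placement exactly as posted, and once with ENT_QUOTES and the charset moved to htmlspecialchars(), where they belong. The function names clean_as_posted, clean_fixed and id_check and the sample text are this example's own.

```php
<?php
// Added example, not code from the thread. Runs the posted clean() pipeline
// and the ID check over constructed inputs so the behaviour can be observed.

// Argument placement exactly as posted: ENT_QUOTES and the charset are handed
// to strip_tags(), which accepts at most two arguments. PHP 8 throws an
// ArgumentCountError for the extra argument; older versions warned and
// returned NULL, so htmlspecialchars() then produced an empty string.
function clean_as_posted($str) {
    return htmlspecialchars(strip_tags(trim($str), ENT_QUOTES, "UFT-8"));
}

// Corrected placement: flags and charset belong to htmlspecialchars().
// ENT_QUOTES makes it encode single quotes as well as double quotes.
function clean_fixed($str) {
    return htmlspecialchars(strip_tags(trim($str)), ENT_QUOTES, 'UTF-8');
}

// The $_GET['ID'] expression from the post, wrapped so it can be called.
function id_check($raw) {
    return (isset($raw) && !empty($raw) && is_numeric($raw)) ? abs(@intval($raw)) : '';
}

// Constructed sample text with the characters the question asks about.
$mess = "  James O'Malley said \"you & your uncle\" got \$1,000.00 <b>bold</b> -\$100.00 ";

foreach (['as posted' => 'clean_as_posted', 'fixed' => 'clean_fixed'] as $label => $fn) {
    try {
        printf("%-10s %s\n", $label . ':', $fn($mess));
    } catch (\Throwable $e) {
        printf("%-10s %s: %s\n", $label . ':', get_class($e), $e->getMessage());
    }
}

// Constructed ID inputs: the four from the question, then two that
// is_numeric() also accepts (leading whitespace, exponent notation).
foreach (['+100', '-100', '"100"', "'100'", ' 100', '1e2'] as $raw) {
    printf("ID %-8s -> %s\n", var_export($raw, true), var_export(id_check($raw), true));
}
```

Two things the output makes visible: the corrected clean() turns the quotes and the ampersand into HTML entities, so what reaches the database (and is later echoed) is the entity-encoded text, which a browser renders back as the original characters; and the ID check only lets through values is_numeric() accepts, returning an empty string for anything else. htmlspecialchars() is output escaping for HTML, mysqli_real_escape_string() is escaping for a SQL string literal, and each only protects the context it is written for.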

As for number validation, here is a function I have used for some time. The number will then be zero if invalid; you check if it's not zero before using the variable. It also removes , from a value. I noticed, when I logged the invalid data entered, that the most common was to copy-paste number-formatted data, like the player's money, into the fields.

 

function validNumber($int = 0) {
    // If you want to support people pasting in formatted numbers.
    // If these two lines are removed, decimal numbers will be invalid (return 0).
    $int = str_replace('.', '', $int);
    $int = str_replace(',', '', $int);
    if (empty($int) || $int < 1) return 0;

    // Reject anything that is not a digit. The pattern needs delimiters:
    // without the slashes, PHP treats the square brackets themselves as the
    // delimiters and the check never matches non-digit input.
    if (preg_match('/[^0-9]/', $int)) {
        // Invalid number entered
        return 0;
    } else {
        return (int)$int;
    }
}

$_GET['id'] = validNumber($_GET['ID'] ?? 0);

 

This only checks if the data only contains 0123456789 and is not a negative number. It does in no way ensure that the value is the correct value, the user might have entered the wrong number.

Edited by Someone

My other question is, with:

$_GET['ID'] = (isset($_GET['ID']) && !empty($_GET['ID']) && is_numeric($_GET['ID'])) ? abs(@intval($_GET['ID'])) : ''; 

Is there a way that the user can manipulate this? For example if they were to input;

+100

-100

"100"

'100'

Would it throw an error or would it see the input as strictly 100?

100.

My question: Why are you over thinking this, also what's the end goal?

If you're looking for more information about the combinations you're using, then look at each function separately.

Then piece together what happens when you combine, from what you know about them individually.

(on a different note: The option params, in your clean function are in strip_tags() rather than htmlspecialchars().)

Edited by Djkanna

My question: Why are you over thinking this, also what's the end goal?

I guess because it is a fault of mine. I over think everything, no matter what it is. ;)

The end goal ... well, someone on here (don't remember who and it doesn't matter) once said that you can't create a function to stop sql injection ... or most sql injection. I'm trying to see if it can be done. I thought it would be interesting to at least try anyway.

 

edit: This is in relation to working with McCodes only though.

edit 2:

(on a different note: The option params, in your clean function are in strip_tags() rather than htmlspecialchars().)

I don't understand what you mean by that. I'm still learning so there are things that I don't get. Should they be in a different order?

Edited by newttster

The person who told you that you cannot block SQL injection should stop talking ;)

You can block it, and depending on what you do, which language, which lib, there are different options. mysql_real_escape or equivalent will ensure a correctly escaped string is passed within the SQL statement. If you do it right you will not have SQL injections from that entry point. Personally I would work with MySQLi (with PHP) and use the prepared statements. But that's personal taste ;)

BTW there is a very short way to make a number or string a number in any case (in PHP):

 

<?php
$mystring = "12.34";
$mynumber = $mystring + 0;   // numeric string plus 0 gives a float (or int) value

Now to make it an integer?

<?php
$mystring = "12.34";
$mynumber = (int)$mystring;  // cast to int; int() is not a PHP function

 

No need to do fancy things in my opinion. Over complex == more chance to have bugs, and less readable code. But again, it's a personal opinion.


Personally I would work with MySQLi (with PHP) and use the prepared statements. But that's personal taste

Not easy to do when working with McCodes.

I like to have the validation check if the number is negative right away, so I do not have to check that each time when using the variable.


I guess because it is a fault of mine. I over think everything, no matter what it is. ;)

The end goal ... well, someone on here (don't remember who and it doesn't matter) once said that you can't create a function to stop sql injection ... or most sql injection. I'm trying to see if it can be done. I thought it would be interesting to at least try anyway.

edit: This is in relation to working with McCodes only though.

edit 2:

I don't understand what you mean by that. I'm still learning so there are things that I don't get. Should they be in a different order?

The relation doesn't matter.

From what I remember from that period, the context wasn't really you couldn't block SQL injection with just one function, it was more so, you cannot secure your site with one flawed function.

You surely can use custom made functions to help prevent certain things.

The problem with these functions that float around the forums, is one of two things:

  • The function is flawed.
  • Where the function is being used, is problematic.

As for your last query:

Sorry if that wasn't all that clear.

The parameters that should be passed to htmlspecialchars, are currently being passed to the strip_tags function instead.

return (htmlspecialchars(strip_tags(trim($str)), ENT_QUOTES, "UFT-8"));

Notice the position difference to that of your clean function in the post prior to my first.


As for your last query:

Sorry if that wasn't all that clear.

The parameters that should be passed to htmlspecialchars, are currently being passed to the strip_tags function instead.

return (htmlspecialchars(strip_tags(trim($str)), ENT_QUOTES, "UFT-8"));

Notice the position difference to that of your clean function in the post prior to my first.

Now you have lost me all together because what you have above is the same that I have in my function.


// Sanitize input
function clean($str) {
return (htmlspecialchars(strip_tags(trim($str), ENT_QUOTES, "UFT-8")));
}

$mess = clean($_POST['mess']);
$mess = mysqli_real_escape_string($mess);
echo $mess;

Take yours;

return (htmlspecialchars(strip_tags(trim($str), ENT_QUOTES, "UFT-8")));

Take mine:

return (htmlspecialchars(strip_tags(trim($str)), ENT_QUOTES, "UFT-8"));

Pay special attention to the position of things. :)

htmlspecialchars ( strip_tags ( trim ( $str ) ), ENT_QUOTES, "UTF-8" ) );

Hopefully the above makes it a little more clear.


Sorry about that Djkanna ... I was looking at the placement of the words not the brackets. Now I understand what you were trying to get across to me. Thank you.

In all fairness, I could have been more clear.

However it's done now, that point is made. :)

Edited by Djkanna
Clearer point.

No, this is not entirely secure. It's the reason why it's called the "real" escape function: the older one was insecure. It didn't take the character set into consideration. My point is that protecting against SQL injection shouldn't be done using some sort of a blacklist, escaping special characters. A reliable and SECURE way to prevent SQL injections is to use prepared statements. Yes, mysql_real_escape_string() has been vulnerable to SQL injection and still is. Not sure about the mysqli function, but I WOULD never rely on a blacklist (hence why htmlpurifier uses a whitelist to allow HTML tags rather than disallowing). Here's more about the topic: http://php.net/manual/en/pdo.prepared-statements.php. Note: You can still use prepared statements with mysqli, don't worry. Just google it.


Yes, mysql_real_escape_string() has been vulnerable to SQL-injection and still is..

If you are using it the wrong way, yes, it is vulnerable. However if you're using it the correct way it's not.

mres is for alpha values, not numeric. Some people think using it on numeric will solve their security problem; it does not work on numeric values.

mres used the way the thread starter has stated works, and is secured. But it is still over the top, adding more security than what is really needed.

In my opinion people put security way above what it is, and make it complicated, when it's really not that complicated, but simple.


@ Aventro ... while I appreciate that working with prepared statements (from what I have read) would absolutely be the way to go. Having said that ... it would be the way to go if you are starting with a brand new project. It would be damn difficult to do so with McCodes.

 

But still over the top adding more security then what is really needed.

It's the same kind of principle as having a condom and not needing as opposed to not having one and needing it. I'd rather be safe than sorry.

 

In my opinion people put security way above what it is, and make it complicated, when it's really not that complicated, but simple.

I mean no disrespect whatsoever ... but if it were that simple ... why is it so hard to do, and why do so many people have a problem with it?


I'm pretty sure that some of you may think that I am beating a dead horse here, but I am really trying to get a handle on this stuff.

In regards to mysqli_real_escape_string(), it requires two parameters. The example they use in the manual is

$city = mysqli_real_escape_string($link, $city);

They have

$link = mysqli_connect("localhost", "my_user", "my_password", "world");

At the bottom of the example for the procedural style they also have

mysqli_close($link);

 

My question is this ... could I set up the $link in the config file using the same info that is used for the $_CONFIG array?

Because the config.php file is included in the globals.php file it would be recognized through out any files that call the globals.php file, would it not?

As to

 mysqli_close($link);

would I then place it just before the

$h->endpage();

or would I place it just before the closing php?

I am really confused about this. I know that I could just use mysql_real_escape_string() but the manual says that it will eventually be removed from use so I would just as soon know how to do this now rather than try and do it later when it is actually removed.

Any help would be really appreciated. Thank you.

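As an added example (not McCodes code and not from the thread), here is one way the pieces asked about above fit together in a single script: a mysqli $link built from the values a config array would hold, the two-argument mysqli_real_escape_string($link, ...) call, the prepared-statement route Aventro recommends for the same query, and where the close goes. The $_CONFIG keys, the users/userid/username table and column names, the credentials and the valid_username() helper are assumptions and placeholders of this example, not values taken from McCodes.

```php
<?php
// Added example, not McCodes code. Builds a mysqli link from a config array,
// then shows escaped-string and prepared-statement queries using it.
// $_CONFIG keys, credentials, table and column names are constructed placeholders.
$_CONFIG = [
    'hostname' => 'localhost',
    'username' => 'db_user_placeholder',
    'password' => 'db_password_placeholder',
    'database' => 'game_placeholder',
];

// Turn MySQL errors into exceptions instead of silent false returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// In a config file included by every page, $link is then visible to any
// script that includes that file, the same way the $_CONFIG array is.
$link = mysqli_connect($_CONFIG['hostname'], $_CONFIG['username'],
                       $_CONFIG['password'], $_CONFIG['database']);
// Escaping rules depend on the connection charset, so set it explicitly.
mysqli_set_charset($link, 'utf8mb4');

// Whitelist the username shape before it goes anywhere near a query:
// letters, digits and underscore, 3 to 20 characters (assumed policy).
function valid_username(string $name): bool {
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1;
}

$name = $_POST['name'] ?? '';
if (!valid_username($name)) {
    exit('Invalid username');
}

// Route 1: escaped string literal. The $link argument is required because
// the escaping depends on the connection's character set.
$safe = mysqli_real_escape_string($link, $name);
$res  = mysqli_query($link, "SELECT userid FROM users WHERE username = '$safe'");
$row  = mysqli_fetch_assoc($res);

// Route 2: prepared statement. The value is sent separately from the SQL
// text, so it can never change the statement's structure.
$stmt = mysqli_prepare($link, 'SELECT userid FROM users WHERE username = ?');
mysqli_stmt_bind_param($stmt, 's', $name);
mysqli_stmt_execute($stmt);
$row2 = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
mysqli_stmt_close($stmt);

// Numeric IDs: cast to int and bind as 'i'; string escaping does nothing
// useful for a bare number in SQL.
$id = (int)($_GET['ID'] ?? 0);
if ($id > 0) {
    $stmt = mysqli_prepare($link, 'SELECT username FROM users WHERE userid = ?');
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    $who = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
}

// HTML escaping belongs here, at output time, not before storing.
echo htmlspecialchars((string)($row['userid'] ?? 'not found'), ENT_QUOTES, 'UTF-8');

// Close at the very end, after every line that still needs the connection.
// PHP closes the connection itself when the script finishes, so an explicit
// close placed too early (before footer code that still queries) only causes errors.
mysqli_close($link);
```

The two routes return the same row; the difference is that route 1 still builds SQL text from user input and depends on the escaping being correct for the connection charset, while route 2 never puts the input into the SQL text at all. Both need the whitelist check first, because neither escaping nor binding says anything about whether the value is a sensible username.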
