Mombu the Php Forum

1 3rd July 16:35
jeremy.russell
SQL security

Hello list,

I was just sitting here thinking how to secure my php code and
thought I would run it by the pros. I don't know what the standard
practice is to secure against sql injection and malformed information
passed from forms. This probably has been done several times; I just
would like to know if I should do it this way or if there is a better
way.

What I thought to do is create a function that simply went through a
variable and removed the quotes. Something that could be used when
pulling the variables from the form right off the bat, i.e.

$form_var = secure($_POST['var'];

after that just do everything else as normal.

So I'm just really looking for advice on securing my web app.

BTW: anybody heard of or use Cisco's VMPS?

Jeremy Russell
Network Administrator, CNI
580.235.2377

2 3rd July 16:35
shiflett
SQL security

Watch that closing paren. :-)

I am aware of a project that I believe attempts to do what you are wanting:

http://linux.duke.edu/projects/mini/htmlfilter/

Basically, it tries to help you out by eliminating some common attacks. While
this is certainly better than nothing, it shouldn't be used as an excuse to not
filter your data. This filter uses a blacklist approach, where bad stuff is
filtered. You should add another layer of data filtering that follows a
whitelist approach, where you only allow good stuff.

Doing otherwise makes your application as secure as a Windows workstation with
a virus scanner - you might be protected against known attacks, but as soon as
someone comes up with something new, your defenses are irrelevant.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
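The two approaches Chris contrasts, side by side, as an added example that is not code from the thread or from the htmlfilter project: a quote-stripping filter like the one the original question proposes (blacklist), next to a per-field whitelist validator. The function names, field names and sample inputs are all constructed for the illustration.

```php
<?php
// Added example (not from the thread). Blacklist filtering removes characters
// believed to be dangerous; whitelist validation describes what good input
// looks like and rejects everything else. Function names are hypothetical.

// Blacklist approach: the "secure()" idea from the question.
function strip_quotes(string $value): string
{
    return str_replace(["'", '"'], '', $value);
}

// Whitelist approach: one rule per expected form field.
// Returns the accepted value, or null when the input is not acceptable.
function validate_field(string $name, string $value): ?string
{
    switch ($name) {
        case 'id':        // positive integer, at most 10 digits
            return preg_match('/^[1-9][0-9]{0,9}$/', $value) ? $value : null;
        case 'username':  // 3 to 20 letters, digits or underscores
            return preg_match('/^[A-Za-z0-9_]{3,20}$/', $value) ? $value : null;
        case 'sort':      // only column names the application actually sorts by
            return in_array($value, ['name', 'created', 'email'], true) ? $value : null;
        default:          // unknown field name: nothing is allowed through
            return null;
    }
}

// Constructed sample form data: [field, raw value].
$samples = [
    ['id',       '42'],
    ['id',       "42' OR '1'='1"],
    ['id',       '42 OR 1=1'],     // contains no quotes: a quote-stripper passes it unchanged
    ['username', 'jeremy_r'],
    ['username', 'x'],
    ['sort',     'created'],
    ['sort',     'password'],      // a real column, but not one the app exposes for sorting
];

foreach ($samples as [$field, $raw]) {
    $stripped = strip_quotes($raw);
    $valid    = validate_field($field, $raw);
    printf("%-9s %-18s blacklist=> %-14s whitelist=> %s\n",
        $field,
        var_export($raw, true),
        var_export($stripped, true),
        $valid === null ? 'REJECT' : var_export($valid, true));
}
```

The third sample is the point of the comparison: it contains nothing the blacklist knows about, so it comes out of strip_quotes() exactly as it went in, while the whitelist rejects it simply because it is not an integer. The whitelist also rejects 'password' as a sort column even though it is a legitimate column name, because the rule is "what the application allows", not "what is syntactically harmless".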

3 3rd July 16:36
list-php-1
SQL security

: I was just sitting here thinking how to secure my php code and
: thought I would run it by the pros. I don't know what the standard
: practice is to secure against sql injection and malformed information
: passed from forms. This probably has been done several times I just
: would like to know if I should do it this way or if there is a better
: way.

If you're using MySQL, you can use mysql_real_escape_string(). If
you're using another database, hopefully there is a similar function.

4 3rd July 16:36
cparker
SQL security

Eugene Lee <mailto:list-php-1@fsck.net>
on Friday, October 17, 2003 8:20 AM said:


Doesn't MySQL automatically protect against attacks like SQL injection?
Or maybe it's that it automatically applies addslashes()? I can't
remember exactly.


c.


--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/

5 3rd July 16:36
pmorgan
SQL security

take a look at this
http://phpinsider.com/php/code/SafeSQL/

pete

6 3rd July 16:36
shiflett
SQL security

Nope and nope.

What you might be thinking of is that mysql_query() only allows a single query
to be executed. This helps, but it doesn't prevent everything. It only prevents
SQL injection attacks that attempt to terminate the current query and execute
another one.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
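An added example (not code from the thread) of the case Chris describes: an injected value that changes the meaning of the current query without terminating it, so a database that runs only one statement per call does not help, and the same lookup done with a bound parameter instead of string concatenation. Eugene's mysql_real_escape_string() is the escape-based defense; the prepared statement below is the parameter-based alternative, which the thread does not mention. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table, rows and inputs are constructed here.

```php
<?php
// Added example (not from the thread). Requires PHP with the pdo_sqlite extension.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES
    (1, 'alice', 'alice@example.test'),
    (2, 'bob',   'bob@example.test'),
    (3, 'carol', 'carol@example.test')");

// The query the application intends: fetch one user by id.
// Untrusted input is pasted straight into the SQL text.
function lookup_concatenated(PDO $pdo, string $id): array
{
    $sql = "SELECT name FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Same lookup with the value sent as a bound parameter: it is data to the
// database, never part of the statement that gets parsed.
function lookup_prepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Second input is constructed: no quote characters and no second statement,
// so neither quote-stripping nor a one-query-per-call limit affects it.
$inputs = ['2', '2 OR 1=1'];

foreach ($inputs as $input) {
    printf("input %-12s concatenated=> %-26s prepared=> %s\n",
        var_export($input, true),
        json_encode(lookup_concatenated($pdo, $input)),
        json_encode(lookup_prepared($pdo, $input)));
}
```

With the first input both functions return the single matching name. With the second, the concatenated version runs `WHERE id = 2 OR 1=1`, one perfectly valid statement that matches every row, while the prepared version compares the id column against the literal string and matches nothing. The single-query restriction Chris mentions only ever addressed the stacked-statement variant; the in-query variant is what escaping, validation or parameter binding has to handle.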

7 3rd July 16:36
cparker
SQL security

Mike Migurski <mailto:mike@saturn5.com>
on Friday, October 17, 2003 9:15 AM said:


Whoops! Yeah, that's what I'm talking about.


Chris.

--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/

8 3rd July 16:36
mike
SQL security


No - I don't think any database could automatically protect against SQL
injection, since the basis of that attack is the malformation of queries
before they even hit the DB. There is a magic quotes feature, which adds
slashes to request variables. You may be thinking of that:

<http://php.net/manual/en/ref.info.php#ini.magic-quotes-gpc>

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca http://mike.teczno.com/contact.html