php security..

Sco_________

After looking at mod_security for apache I thought of an idea.. I searched forever and couldn't find what I was looking for so I used an article on this website to build this:

If(eregi("(\+|%[0-9]{2,4})+(select|left(\+|%[0-9]{2,4})join|union)+(\+|%[0-9]{2,4})|(http|ftp|https)+(://|%3A%2F%2F)",$_SERVER['QUERY_STRING'])) {
	exit("I wasn't expecting that. Please go back.");
}

I'm not really sure if it would be usefull to anyone here but I don't think it can hurt anything... basically it checks the $_SERVER['QUERY_STRING'] for basic mysql injection attacks and offsite file inclusions.. it took me forever to write this thing because regex is still a little confusing for me..

I tested it loads and it seems to work for the most part. Unless you use some of thoes words with the spaces in your url's..

Any comments or ways to do this better?

stutterbug

That's a very good question. Tainting is a serious problem that I wish was handled better in PHP. Perl is fantastic with it and it forces people to think about security at all levels of ability. A LOT of people host their PHP+database applications on shared servers, and it would really burn me if my site were to slow down (or go down) because of an SQL insertion attack on a different virtual host on the same machine.

I treat every database query separately and try to think of ways a malicious user could insert code, rather than building massive regular expressions to catch offensive constuctions. It's not so much that I don't think it is a good idea; it is just that I don't trust myself to write faultless regular expressions and I certainly don't trust attackers to use only the attacks I can think of.

It is not a bad idea to dump queries to a text file and periodically search them for attacks (I always do this, myself). If an attack does affect your data, you will at least have a record of how the attack occurred.

Can anyone correct me? Generally speaking, I think passing numeric data is where the primary threat is, since all string data is escaped. It is pretty hard to do an insertion attack on...

SELECT * FROM users WHERE username = '$getvar'

since all inappropriate code, "stutterbug' or username!='no_one", will turn into...

SELECT * FROM users WHERE username = 'stutterbug\\' or username!=\\'no_one'

on the other hand, it is all too easy to attack...

SELECT * FROM users WHERE userid = $getvar

...with "1 or userid != null" like so...

SELECT * FROM users WHERE userid = 1 or userid != null

Also, I like to imagine that eventually, someone, somewhere is going to want to input a valid SQL statement into an application I write (well, rather like I am doing in this post right now), so I don't want to cripple a system by preventing non-offensive string data.

At the moment, I stick to three functions to perform all regex. One will return only the first valid number it finds in a string, stripping out all alpha charcters. That blesses the numeric input. The second will return only the first alphanumeric word, stripping away all the operators (including quotes) that an attacker will need for a string attack. And finally, I use a regex to replace other characters with html entities. That will also protect against an HTML page getting ruined by a user sending a closing textarea tag.

Jocke

This is a good place to start when it comes to sql injection attacks: Sql injection

Prevent sql injection on mysql:
mysql_real_escape_string()

At the moment, I stick to three functions to perform all regex. One will return only the first valid number it finds in a string, stripping out all alpha charcters. That blesses the numeric input.

I usually check if a string is numeric by using is_numeric(). If the string contains any other characters than numeric, it will return false, and I don't even bother passing the string to the db. After all, when the input clearly isn't what you expect, why use it?

Sco_________

I wasen't expecting this to be the safe guard against all attacks, just so many times I see things like this happening because there are alot of people that do not think about security when coding and it's is a little bit of security.

I too check all variables and if there are any misc I just addslashes(str);

I was really practising my regex when building it and thought I might get others thoughts on it.

But writing the querys to a text file, very good idea. Great way to monitor whats going on.