Security Related Question

hadoob024

I just came across this in a security journal and wasn't sure what to make of it:

Set the "variables_order" variable of the PHP configuration. The default setting, "EGPCS" means that the environment, the GET parameters, the POST parameters, the cookies, and the server information are all turned into global variables when a script executes. Allowing GET requests, POST requests, and cookies from the browser to do so is dangerous. Instead, consider setting "variables_order" to "ES".

I couldn't track down the author of this article, so I'm asking everone here. Can anyone explain why this recommendation was made? Is it important and what does it mean? Thanks!

drew010

[man]register_globals[/man] being off (which is default for some time now) takes care of this problem.

a long time ago in php, say i have a variable in my script called $isAdmin. The person could easily change the value of this by calling myscript.php?isAdmin=1. With no register_globals, the get variable, is made global (it is called $isAdmin) inside my program. the problem with that is if i dont initialize the variable in some cases, they may be able to make themselves admin by doing that.

with register_globals on, myscript.php?isAdmin=1 would not make $isAdmin, but it would make $GET['isAdmin']. Similarly with post, you have $POST['isAdmin']. This helps secure applications because if I do use a variable called $isAdmin in my script, and they try putting that in the url, I now have two variables $isAdmin and $GET['isAdmin'] which are two different things, so
if ($isAdmin == 1) { //show admin interface
would not work if they passed it in the url via get, because $GET['isAdmin'] is a separate variable from $isAdmin.

hadoob024

Cool. So I would want to have register_globals set to 'off' for both the local and master values, right? I've also been reading that I should create short variable names for form variables that are being passed. Like for a form element called 'isAdmin', I would do the following:

$isAdmin = $_POST['isAdmin'];

Is this something that everyone does?

drew010

yeah, programming with register globals off is good practice because it will make your code portable and more secure. also, remember if you are dealing with outside values, such as post or get and even cookie stuff, be sure to sanitize it with functions like [man]addslashes[/man] and if it goes in the database [man]mysql_real_escape_string[/man]

using short variables is common, as long as you remember where they came from.

hadoob024

Thanks. As for the mysql_real_escape_string() function, I'm already planning on using the following functions to check and sanitize my user inputted variables: isset(), is_string(), trim(), strip_tags(), htmlspecialchars(), and ereg().

Are those enough, or should I still use mysql_real_escape_string()? Also, do I need to specifically strip out characters like: ;, &, |, <, and >, or will strip_tags() do that for me?

drew010

the thing that mysql_real_escape_string does is escape any characters that could cause errors on inserts (such as ' " \ \0 etc) which not only helps prevent sql injections, but also keeps you from having errors when you go to add data.

the characters you mention above shouldnt have any problem going into a database. strip tags wont remove those but htmlspecialchars will convert the & < > to their html counterparts.

SamC

I always like to clean very aggressively all user input, just to be on the safe side. A lot of the time data from a user is alphanumeric and so I tend to strip out everything except a-z and 0-9 using a very simple function I wrote that uses a regular expression.

It might be a bit OTT considering that I'll use strip_tags() and mysql_real_escape_string() as well, but hey, it's better to be safe that sorry! 🙂

hadoob024

Yeah. I think all my fields except one are alphanumeric. That last one is supposed to be a description field (for a real estate listing). I guess the only non-alphanumeric characters that I would allow would be: "(", ")", and "."

I can't really think of any other characters that would be needed for this description field. So I guess a combination of the functions that I mentioned before and the mysql_real_escape_string() function should be enough to sanitize the user input. Thanks!

hadoob024

Here's a quick follow-up question. Does mysql_real_escape_string() and addslashes() accomplish the same thing? Should I only be using one or the other?

drew010

they are similar, addslashes escapes ', ", \ and null mysql_real_escape_string takes into consideration your charset of the db, and also escapes the same things as addslashes plus \n \r and \x1a

hadoob024

Hmmm, so I guess using both addslashes() and mysql_real_escape_string() would be redundant then? Actually, more than redundant, it would be wrong to use both because it would add an extra set of slashes, right?

I guess I'll just stick with mysql_real_escape_string() as it seems to escape a larger number of potentially problematic characters.

drew010

yeah if you are going to store the data in a mysql database mysql_real_escape_string is the way to go.

hadoob024

Cool. Yeah, I'm basically making a real estate listing site geared toward a specific market. I have a form for gathering info for a listing (person's name, location of listing, asking price, description, etc.) which I need to sanitize and then add to a MySQL db. Then on the flip side, I have another form used to search the real estate listings and then display the results.

Yeah, I had never even heard of the mysql_real_escape_string() function. I always keep reading about addslashes() and stripslashes(). Thanks for the tip.