Security Q: Injections...

deezzer

My web service provider will not turn global variables off in the php.ini, and i cannot afford a dedicated server. Are there any other alternatives?

So in preventing injections, is the following measure enough?

require another page that has this array:

// FOR POSTS
$symbols_p = array("*", "#", "=", "/", "\", "-", "+", "\"");
$POST = str_replace($symbols, "", $POST);

//FOR GETS
$symbols_g = array("*", "#", "+", "\"");
$GET= str_replace($symbols, "", $GET);

Thanks

MarkR

register_globals doesn't affect the ease of injections, but having it turned off is a good idea as it will prevent certain attacks on a weak application (which uses uninitialised globals).

If on the other hand, your provider won't turn off magic_quotes, you must abandon them for another.

You cannot simply strip out these characters, as they can easily occur legitimately in data. Without a / or -, you're going to have difficulty entering dates into the application (for instance).

SQL injections should be prevented by correctly escaping strings, or using prepared statements. This is the right way.

HTML injections should be prevented by correctly escaping the strings in the output.

Other types of injections need to be handled in a specific way as necessary - for example, when sending mail, ensure that your email addresses and subject cannot contain newlines, nulls etc.

Mark

rincewind456

If you are on an Apache server then you can unset this value for your own site by placing the following in an .htaccess file in the root:

php_flag register_globals 0

MarkR wrote:
If on the other hand, your provider won't turn off magic_quotes, you must abandon them for another.

Or you could always use [man]set_magic_quotes_runtime/man whicjh would be easier than changing your service provider.

Plasma

$safe_data = addslashes("unsafe data");

Is adequate enough to escape any quote characters.

MarkR

rincewind456 wrote:
Or you could always use [man]set_magic_quotes_runtime/man whicjh would be easier than changing your service provider.

set_magic_quotes_runtime will have no effect on magic_quotes_gpc, which is enabled by default and irritating in the extreme.

Although you are quite right - you can change all of these things in Apache config / .htaccess, so that is a definite option.

Mark

MarkR

Plasma wrote:
$safe_data = addslashes("unsafe data");

Is adequate enough to escape any quote characters.

No it isn't.

addslashes() is never the right function to escape anything. It works in a naive subset of cases for MySQL, and doesn't work at all for anything else.

You should use the CORRECT escaping mechanism for the context, never addslashes()

Mark

rincewind456

Plasma wrote:
$safe_data = addslashes("unsafe data");

Is adequate enough to escape any quote characters.

No it isn't, the only safe way is by the use of [man]mysql_real_escape_string/man and the best practice way is described in the manual and involves the use of the quote_smart() function.

Also with magic_quotes_gpc enabled then you have to use [man]stripslashes/man before using it.