handling secure POST info

ajna

I am looking to run all posted data to my pages through a screen of htmlspecialchars and mysql_real_escape_string and then convert $_POST['fieldname'] to $fieldname for use in my coding.

I want to include this filter as an include at the top of every page I run.

I just seem to be running into problems.

first I run:

if(!get_magic_quotes_gpc())
{
$GET = array_map('htmlspecialchars', $GET);
$POST = array_map('htmlspecialchars', $POST);
$COOKIE = array_map('htmlspecialchars', $COOKIE);
$GET = array_map('mysql_real_escape_string', $GET);
$POST = array_map('mysql_real_escape_string', $POST);
$COOKIE = array_map('mysql_real_escape_string', $COOKIE);
}
else
{
$GET = array_map('stripslashes', $GET);
$POST = array_map('stripslashes', $POST);
$COOKIE = array_map('stripslashes', $COOKIE);

$GET = array_map('htmlspecialchars', $GET);
$POST = array_map('htmlspecialchars', $POST);
$COOKIE = array_map('htmlspecialchars', $COOKIE);

$GET = array_map('mysql_real_escape_string', $GET);
$POST = array_map('mysql_real_escape_string', $POST);
$COOKIE = array_map('mysql_real_escape_string', $COOKIE);
}

next i run:

foreach ($_POST as $key => $value) {
$$key = $value;
}
}

If I am correct, that should take something like <a href="here.com"> to

thus saving me from nasty hacking attempts.

Is this correct? When I try this cycle of input management the data going into my database has not been run through htmlspecialchars from the looks of it.

I am trying to convert a site from Register_globals_on to register_globals_off and need a simple way to cycle through and clean all POSTed data.

Help!?!?

Thanks!

ajna

<bump>

mjax

What's the problem you are experiencing? Also the last foreach loop could be replaced by a single call to the extract() function.

extract($_POST);

ajna

I am just trying to make an automatic function that will go through all the POST data and clean if in case any malign code or data has been put in.

Thanks

mjax

Still I do not understand what your question is. I understand what you are trying to achieve, but please point out the problems you would like to be helped with.

ajna

I have experienced a root level server compromise. I don'tknow if the hole was in any of my coding, but I am trying to make sure that any potential exploited data entry areas (such as POSTS) are secure against MySQL inserts and unwanted commands to the shell.

That is why I am trying to apply: htmlspecialchars and mysql_real_escape_string to any user input.

mjax

If you think your code is to blaim for the compromise, you should investigate points in your program where SQL can be injected or commands in the shell can be executed. Guard those points by applying appropriate escaping to the parameters supplied.

What you are doing now is implementing almost the same functionality as magic_quotes_gpc = On and register_globals = On would do. These kind of code constructs will almost always do more harm than good. There's a reason why both are disabled by default on PHP installations and will be obsolete when PHP 6 arrives.

ajna

You said: If you think your code is to blaim for the compromise, you should investigate points in your program where SQL can be injected or commands in the shell can be executed. Guard those points by applying appropriate escaping to the parameters supplied.

That is what I am trying to do. The code at the top was meant as just a cycling example. How do I take malign text input and change it/process it so it doesn't contain the malicious code?

How do I use htmlspecialchars and mysql_real_escape_string to this end?

mjax

For queries, take the raw data and apply mysql_real_escape_string() to it in the SQL code. Like this:

$query = "SELECT * FROM users WHERE username='".mysql_real_escape_string($_POST['username'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";

Please note that I'm using single quotes around the field values in the SQL comparison. You should always enclose field values in single quotes, even numeric values, to prevent SQL injection. If you combine this with calls to mysql_real_escape_string(), your SQL code is safe.

For commands to be executed on the commandline, this is a little bit more tricky. You should investigate each case seperately and determine what are valid values to be used in the command. For instance, consider this:

exec("ls $_POST[directory]", $listing);

Here you want to execute a 'ls' command to fetch the directory listing of a directory supplied in a $POST variable. You should consider what are valid values for this directory name and validate the variable accordingly. A strict approach in this case could be:

if(preg_match('/^[a-zA-Z0-9]+$/', $_POST['directory'])) {
     exec("ls $_POST[directory]", $listing);
}

ajna

Instead of doing:
$query = "SELECT * FROM users WHERE username='".mysql_real_escape_string($POST['username'])."' AND password='".mysql_real_escape_string($POST['password'])."'";

can I apply mysql_real_escape_string like so:

$username = mysql_real_escape_string($_POST['username']);

and THEN if I need to use it in a query, use:

$query = "SELECT * FROM users WHERE username='$username'";

mjax

The point I'm trying to make is that you apply should quoting Just-In-Time, not at the start of your script, just in case you want to use some variable in some SQL.

Just suppose in your example that after performing the query, you would like to display the username onscreen. This would require you to remove any SQL escaping from the $username variable before outputting it to the screen and applying some sort of HTML escaping.

Different situations require different escaping.

ajna wrote:
Instead of doing:
$query = "SELECT * FROM users WHERE username='".mysql_real_escape_string($POST['username'])."' AND password='".mysql_real_escape_string($POST['password'])."'";

can I apply mysql_real_escape_string like so:

$username = mysql_real_escape_string($_POST['username']);

and THEN if I need to use it in a query, use:

$query = "SELECT * FROM users WHERE username='$username'";

ajna

OK. I think I get it. So the actual POINT at which malign code is 'activated' is DURING the actual SQL query...so by executing the query in the manner you mention, the injection attempt is desfused.

Am I even close?

mjax

That's exactly what I mean.

Unsafe data can never harm your server or script until you start using them in an unsafe way. So just make sure you use your external data in a safe way by escaping appropriately.