Is my code safe?

tomo

Hi,

I'm relatively new to PHP. I'm planning to use this code on every page on my site. It sets up variables based on whatever is posted in from the form.

I want to do this as I've developed the site on another box and it doesn't work on a new box I think because register_globals is off.

I'm aware that anyone can post anything to the php code and am worried that they will be able to post something naughty and mess me up, is this the case?:

Thanks.

<?PHP

function make_safe($value)
{
if( get_magic_quotes_gpc() )
{
$value = stripslashes( $value );
}

if( function_exists( "mysql_real_escape_string" ) )
{
$value = mysql_real_escape_string( $value );
}
else
{
$value = addslashes( $value );
}

return $value;
}

<?PHP

foreach ($_POST as $variable_name => $variable_value)
{
${$variable_name} = make_safe($variable_value);
}

echo $name . '<br />';
echo $age . '<br />';

NogDog

mysql_real_escape_string() should only be used for values being passed to a MySQL query, so it may not make sense to simply pass all of $_POST through it. It may make sense to run them all through stripslashes() if magic_quotes_gpc is turned on, but then it would make even more sense to simply turn off magic_quotes_gpc via either the php.ini file if you have system access, or else via a .htaccess file entry in your root web directory.

Dev_M_nX

Hi there,

Im new to the replying in forums thing... so NogDog, can you back me up or correct me where necassery...tks

If you're printing any of those variables back to the screen (never trust user input)
then you'll probably want to use htmlspecialchars()...

also, as NogDog already said, use mysql_real_escape_string() only if inserting/updating a mysql database, otherwise its just time consuming...

tomo

Hi,

Thanks for the reply. I take your point about not running everything through mysql_real_escape_string. However, I guess what I'm really concerned about is the way I am building up the variables dynamically and people posting something similar to the following to my page:

first_post_input = rm *
second_pos_input = system($first_post_input);

I know this actual example is fine as it will mean the following variables will be created which are strings:

$first_post_input = 'rm *';
$second_pos_input = 'system($first_post_input);';

But I'm just wondering if there is a way they can abuse this setup,

Thanks,

Tom.

Horizon88

I take you aren't simply echoing out the variables in your production code, but they could possibly do something along the lines of:

in'.readfile('/etc/passwd').'put

Into one of your forms. I haven't closely inspected your code - most likely that wouldn't work anyways - but the best way to go would be to turn off magic quotes, use htmlspecialchars when echoing stuff back out, and be sure to escape stuff you're putting into a database.

Dev_M_nX

Once again, I could well be out of my league...

but isn't PHP a server side scripting language ?

in otherwards... you wouldn't be able to Inject into PHP unless you ran the return $_POST through eval() ?

NogDog, you seem to have around 4800 replies to your name, correct this if im wrong :o

laserlight

you wouldn't be able to Inject into PHP unless you ran the return $_POST through eval() ?

That is correct. However, note that tomo's example uses the [man]system/man function, thus there is the potential for malicious commands to be run on the system.

Dev_M_nX

I noticed 🙂 thank you

but... look closely...

first_post_input = rm *
second_pos_input = system($first_post_input);

I know this actual example is fine as it will mean the following variables will be created which are strings:

$first_post_input = 'rm *';
$second_pos_input = 'system($first_post_input);';

particularly refering to the second point...

$second_pos_input = 'system($first_post_input);';

the system in this will not be evaluated under PHP... ? as far as I know PHP does not evaluate strings ?

unless I missed something, which in that case forgive me and ignore me :p

laserlight

the system in this will not be evaluated under PHP... ? as far as I know PHP does not evaluate strings ?

Yes, that is correct. If tomo does not actually use the system() function, there is nothing to fear.

Weedpacket

It kind of depends on what that string is used for later.... presumably it's being wrapped in "system(...)" for some reason.

Although

$second_pos_input = 'system($first_post_input);';

(See how using [php] tags makes PHP look nicer?) wouldn't embed the value of $first_post_input into the value of $second_pos_input because the string is only delimited by single quotes, not double.

tomo

Thanks for your help everone,

Very useful.

NogDog

For a decent overall look at PHP security issues in a book you can read in a couple evenings, I'd recommend Essential PHP Security (which is also available as an e-book at that link).

Horizon88

Another good one is at http://php.robm.me.uk/