Printable View
some people say some functions, others then say don't use them....etc
i just want a straight answer - what's the best way to validate form data with php to prevent malicious injections?
before you say "it depends what kind of data ur expecting" - i'll suggest that i'm expecting anything and everything and want to accept as much as possible whilst being secure as possible.
please may there be some1 here knows php properly enough to help :o
So, text, binary data, MySQL queries, shell commands, HTTP requests, emails...? There are just too many types of data out there (all of which need to be handled differently) to give a straightforward cure-for-everything.Quote:
before you say "it depends what kind of data ur expecting" - i'll suggest that i'm expecting anything and everything and want to accept as much as possible whilst being secure as possible.
text, which could include all of the rest. for example, so clients could put code for any of the rest on a web page without inwanted processing.
any offers for a simple answer? :mad:
No, it couldn't.Quote:
text, which could include all of the rest.
To convert text so it is safe for embedding in HTML, you should use the htmlentities() function.Quote:
for example, so clients could put code for any of the rest on a web page without inwanted processing.
There is no simple answer, as I stated above.Quote:
any offers for a simple answer? :mad:
well thanks for the htmlentities part of the response at least. it confirms what i've heard elsewhere.
as for the "there's no simple answer" ... that's what everyone says until they master their stuff.
How does one make an object safe for children? I want a simple answer that works for every possible object.I really can't be bothered to answer this. I should note for your reference, however, that if you succeed in turning the thread into an argument as you appear to be attempting to do, the chance of your receiving an answer of any kind will decrease drastically.Quote:
as for the "there's no simple answer" ... that's what everyone says until they master their stuff.
I wouldn't, because it doesn't. However, it does depend on what you are going to do with the data. Input from the client is nothing more than a stream of bytes (in an abstract sense); you can't be vulnerable to it until you start treating that data in a certain way.Quote:
Originally Posted by Birmingham
Do you really expect anyone to list every possible thing you could do with user input on the server, and vulnerabilities that might arise in each case?Quote:
i'll suggest that i'm expecting anything and everything and want to accept as much as possible whilst being secure as possible.
Mike
no, i don't expect that at all, but i do expect that there is one or a few php functions which are the safest and most recommended for data validation irrespective of what type of data is being validated. otherwise, php developers haven't been doing much useful development :)
That is not the languages job. That is YOUR job as the developer.Quote:
Originally Posted by Birmingham
As far as I know, there's no readMyMindAndMakeTheDataSafe() function in any current language.
well in php the just call exit();
which php function(s) is/are best for preventing PHP Injection. is my question clearer now? If so, please help. No need for the sarky comments.
"PHP injection?" As in, uploading and executing a malicious PHP file? You just need to check the extension on uploads.
PHP Injection, as in submitting malicious code to a php script that processes form or cookie data (via $_GET / $_POST / $_COOKIES ...etc). Any ideas?
You're perfectly safe: the data will not be run. However, it may be executed in some form depending on what you next do with it. That's the critical bit.Quote:
submitting malicious code to a php script that processes form or cookie data (via $_GET / $_POST / $_COOKIES ...etc).
exactly - so what should i first do with it to make sure it isn't executed?
I'm very aware that i must properly validate information in a secure and recommended way immediately upon assigning it to any new variables before working with it. What i haven't a clue about is what functions to use to properly and securely validate that info. u might just say any - but i'm looking for some1 who knows which are the best.
can anyone help? are you the only properly active person in this forum twey? *lol
Don't pass user input to functions like eval or shell_exec.Quote:
Originally Posted by Birmingham
As I tried to point out, the "best" functions depend on how you are using the data. Sending the data back to the user as HTML requires different treatment than data that is to be e-mailed or added to a database. There is no silver bullet.Quote:
I'm very aware that i must properly validate information in a secure and recommended way immediately upon assigning it to any new variables before working with it. What i haven't a clue about is what functions to use to properly and securely validate that info. u might just say any - but i'm looking for some1 who knows which are the best.
Mike
The safest way - Don't send the data at all. :D
true, tech_support. that's the method i'm currently using but i need to change to add functionality. there's little point in me removing server-side scripting and reducing functionality when i could still get hacked though my host.Quote:
Originally Posted by tech_support
mwinter - as i said before i'm looking to prevent php injection, not sql/databases/html/anything else! i think i've got the html sorted now i just want to secure from php injection! only to process form data in php scripts without my server security being compromised at that point.
any ideas anyone? any bullets for this clear target?
"PHP injection" is not a technical term, since it doesn't exist. It sounds to me as if you're expecting data submitted to your PHP script to be automatically executed somewhere along the way, thus compromising your security. It isn't. It's nothing more than a string until you pass it to something that tries to execute it in some form, such as eval(), shell_exec(), mysql_query(), or a browser (or a file, if that file has the wrong permissions/filename). Unless you are passing it to such a function, there is nothing to worry about.
ok twey, i'll take ur word for it until i get hacked or learn to hack by injecting self-executing php code into a script that reads form data, and if that happens i'll get back to you and on your conscience may it remain :)Quote:
Originally Posted by Twey
You can't force something to execute as php from inside a string.
For example, try running this--
<?php echo "eval(1+1)"; ?>
The eval function executes the code, but since it's in quotes, as a string, it does nothing. It'll just print that.
injection of any malicious code usually works by first closing the quotes and the command then starting a new one.Quote:
Originally Posted by djr33
anyway, i'll settle for the "there's nothing to worry about" for the time being. i might just send some emails to php.net just to make sure though ;)
If this were possible in direct input into a script, no server-side script would be safe, since there would be no way to escape it.Quote:
injection of any malicious code usually works by first closing the quotes and the command then starting a new one.
Yeah. Quotes are converted to "safe" characters before being used in strings. You can't just put one in there from a form or something... it'll become a new character.
Are you referring to the "magic quotes" feature? That may protect data for certain uses, but for databases and such, the vendor-specific function (such as mysql_real_escape_string) should be used.Quote:
Originally Posted by djr33
For distributed code, magic quotes should never be relied upon as it is a configuration option (I have it disabled: I find it to be annoying, more than anything else). Development should be conducted without it, and code should be written to check the current state of the option and act accordingly.
Mike