FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » BB type posting - is this secure?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: BB type posting - is this secure? [message #176391 is a reply to message #176383] Fri, 30 December 2011 09:59 Go to previous messageGo to previous message
alvaro.NOSPAMTHANX is currently offline  alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma:
Senior Member
El 29/12/2011 23:45, Michael Joel escribió/wrote:
> I am allowing posts to the page and wanted to see if this is secure.
>
> data from sql is placed in an array (say $MyArray):
>
> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));

What sense does it make to strip slashes in data that comes from a
database? If stored data is valid, this will basically corrupt it as
soon as it contains a backslash:

C:\WINDOWS\system32 --> C:WINDOWSsystem32

.... and if you store corrupted data:

Jim \"Magic\" O\'Brian

.... your problem is somewhere else.

> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");

Right, this removes HTML tags, including the <br /> ones you injected
yourself in the previous step. We have two possibilities:

1. If data is HTML: potential data corruption

<p>Click <a href="http://example.com">here</a> for info.</p>
--> Click here for info.

2. If data is not HTML: potential data corruption

if x<y then z=1 --> if x

> I notice with this text like<script>alert("hi");</script> is rendered
> as literal so no script is actually recognised.

This JavaScript code won't get executed basically because it gets
corrupted in the process. A carefully crafted invalid HTML snippet might
have a better chance to survive.

> So is this gooed enough or is there something else I need to do?

No offence but your security methods are like burning down a warehouse
so its contents are not stolen at night.

I think the base problem is that you think that:

1. All security contexts are the same.
2. Security in general is about identifying "bad" chars and completely
stripping them.

Instead, think about *syntax*. All languages have their own syntax with
its own rules. In such syntax, there are language elements and there are
literals:

<?php /* I am code */ echo '<?php I am not code ?>'; ?>


Well, this post is getting too long. To sum up, identify context and
apply proper mechanisms:

- MySQL: Prepared statements, mysql_real_escape_string()...
- JavaScript: json_encode()
- HTML: htmlspecialchars()
- E-mail / HTTP headers: strip line feeds, encode as 7-bit



--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Help with script that retrieve remote files
Next Topic: Give me the names of some CRM php projects
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Tue Nov 26 23:00:47 GMT 2024

Total time taken to generate the page: 0.04328 seconds