WebApp Sec mailing list archives

Re: Anyone have some basic security tips for PHP-programmers?


From: Tommy Gildseth <gildseth () start no>
Date: Wed, 19 Nov 2003 06:16:05 +0100

arek () chelmnet pl wrote:
Good Night (here in Poland)

Good Morning (at least here in Nevada)


Anyone have any hints for good PHP practices (Looking for kind of a "This
is one of the most common PHP security flaws" kind of thing)?

Firstly, the easiest way is to enable the following lines for every .php
script, or in a master index.php:


foreach ($_GET as $k => $v) {
 $_GET[$k]=addslashes($_GET[$k]);   // escape quotes in the superglobal itself
 $v=addslashes($v);                 // and in the local copy
 $v=ereg_replace(';','',$v);        // strip semicolons from the value
 eval(" \$$k = \"$v\" ;");          // emulate register_globals: $name = $_GET['name']
}
foreach ($_POST as $k => $v) {
 $_POST[$k]=addslashes($_POST[$k]); // same treatment for POST fields
 $v=addslashes($v);
 $v=ereg_replace(';','',$v);
 eval(" \$$k = \"$v\" ;");
}

1. This is essentially what magic-quotes does
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc
If your server doesn't have this enabled, you can enable it with .htaccess for your webarea only.
2. Using ereg_replace for simple string substitution is rather inefficient. Use str_replace().
3. eval is also inefficient; all the time you can use $_GET[$k] = $v; instead.
4. At least with mySQL it's not possible to pass multiple chained queries in one mysql_query() call. It is however possible to use f.ex -- to comment out the rest of the query, or in more sophisticated RDBMS, use subqueries. $v=ereg_replace(';','',$v); is therefore inadequate, and probably doesn't do anything to enhance security.

General filtering like that is often inadequate, and you probably need to do more work. F.ex if it's a numeric value you are inserting into the database, check that it is_numeric(); escape string values with mysql_escape_string() (or equivalent for other RDBMS, f.ex pg_escape_string()).

Tommy Gildseth
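A per-field version of the advice in the reply above, as an added example that is not code from either mail: numeric fields are checked with is_numeric(), string fields go through the RDBMS escaper (mysql_escape_string() at the time; the example takes the escaper as a callable and falls back to addslashes() so it runs on current PHP without a database), and the field list ($spec) and sample request are constructed for illustration.

```php
<?php
// Added example: validate each field by its expected type instead of
// blanket-filtering every GET/POST value. Returns the cleaned fields as
// SQL literals, or null if any field is missing or fails its check.
function validate_fields(array $input, array $spec, callable $escape)
{
    $clean = array();
    foreach ($spec as $name => $type) {
        if (!array_key_exists($name, $input)) {
            return null;                       // missing field: reject
        }
        $value = $input[$name];
        switch ($type) {
            case 'int':
                // is_numeric() accepts "5" or "5.0" but not "5 -- "
                if (!is_numeric($value)) {
                    return null;
                }
                $clean[$name] = (int) $value;  // unquoted numeric literal
                break;
            case 'string':
                $clean[$name] = "'" . $escape($value) . "'";
                break;
            default:
                return null;                   // unknown type in the spec
        }
    }
    return $clean;
}

// Escaper: mysql_escape_string() where it still exists (PHP < 7),
// otherwise addslashes() as a stand-in so the example runs offline.
$escape = function_exists('mysql_escape_string')
        ? 'mysql_escape_string' : 'addslashes';

// Constructed sample request: the id carries a SQL comment marker.
$request = array('id' => '5 -- ', 'name' => "O'Brien");
$spec    = array('id' => 'int', 'name' => 'string');

// Stripping semicolons (the loop from the original mail) leaves it intact...
var_dump(str_replace(';', '', $request['id']));      // string(5) "5 -- "
// ...whereas the typed check rejects the whole request.
var_dump(validate_fields($request, $spec, $escape)); // NULL

// With a well-formed id the fields come back ready to embed in the query.
$request['id'] = '5';
$clean = validate_fields($request, $spec, $escape);
echo "SELECT * FROM users WHERE id = {$clean['id']} AND name = {$clean['name']}\n";
// SELECT * FROM users WHERE id = 5 AND name = 'O\'Brien'
```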

