darkfreaks Posted August 8, 2009

should always sanitize the variables before you output to the database and then again when you echo it.
adamlacombe (Author) Posted August 8, 2009

ok but I'm still getting the warnings. The function looks like this:

```php
define("PARANOID", 1);
define("SQL", 2);
define("SYSTEM", 4);
define("HTML", 8);
define("INT", 16);
define("FLOAT", 32);
define("LDAP", 64);
define("UTF8", 128);

// internal function for utf8 decoding
// thanks to Jamie Pratt for noticing that PHP's function is a little
// screwy
// NB: strtr() maps byte for byte, so this only behaves as intended on
// single-byte (Latin-1) input
function my_utf8_decode($string)
{
    return strtr($string,
        "ŠŒŽšœžŸ¥µÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýÿ",
        "SOZsozYYuAAAAAAACEEEEIIIIDNOOOOOOUUUUYsaaaaaaaceeeeiiiionoooooouuuuyy");
}

// paranoid sanitization -- only let the alphanumeric set through
function sanitize_paranoid_string($string, $min='', $max='')
{
    $string = preg_replace("/[^a-zA-Z0-9]/", "", $string);
    $len = strlen($string);
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return $string;
}

// sanitize a string in prep for passing a single argument to system() (or similar)
function sanitize_system_string($string, $min='', $max='')
{
    // ^, [ and ] are escaped so they are matched literally rather than read
    // as an anchor and a character class
    $pattern = '/(;|\||`|>|<|&|\^|"|'."\n|\r|'".'|{|}|\[|\]|\)|\()/i';
    // no piping, passing possible environment variables ($),
    // separate commands, nested execution, file redirection,
    // background processing, special commands (backspace, etc.), quotes
    // newlines, or some other special characters
    $string = preg_replace($pattern, '', $string);
    $string = '"'.preg_replace('/\$/', '\\\$', $string).'"'; // make sure this is only interpreted as ONE argument
    $len = strlen($string);
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return $string;
}

// sanitize a string for SQL input (simple slash out quotes and slashes)
function sanitize_sql_string($string, $min='', $max='')
{
    $pattern[0] = '/(\\\\)/';
    $pattern[1] = "/\"/";
    $pattern[2] = "/'/";
    $replacement[0] = '\\\\\\';
    $replacement[1] = '\"';
    $replacement[2] = "\\'";
    $len = strlen($string);
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return preg_replace($pattern, $replacement, $string);
}

// sanitize a string for LDAP input (strip the filter metacharacters)
function sanitize_ldap_string($string, $min='', $max='')
{
    $pattern = '/(\)|\(|\||&)/';
    $len = strlen($string);
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return preg_replace($pattern, '', $string);
}

// sanitize a string for HTML (make sure nothing gets interpreted!)
function sanitize_html_string($string)
{
    $pattern[0] = '/\&/';
    $pattern[1] = '/</';
    $pattern[2] = "/>/";
    $pattern[3] = '/\n/';
    $pattern[4] = '/"/';
    $pattern[5] = "/'/";
    $pattern[6] = "/%/";
    $pattern[7] = '/\(/';
    $pattern[8] = '/\)/';
    $pattern[9] = '/\+/';
    $pattern[10] = '/-/';
    $replacement[0] = '&amp;';
    $replacement[1] = '&lt;';
    $replacement[2] = '&gt;';
    $replacement[3] = '<br>';
    $replacement[4] = '&quot;';
    $replacement[5] = '&#39;';
    $replacement[6] = '&#37;';
    $replacement[7] = '&#40;';
    $replacement[8] = '&#41;';
    $replacement[9] = '&#43;';
    $replacement[10] = '&#45;';
    return preg_replace($pattern, $replacement, $string);
}

// make int int!
function sanitize_int($integer, $min='', $max='')
{
    $int = intval($integer);
    if((($min != '') && ($int < $min)) || (($max != '') && ($int > $max)))
        return FALSE;
    return $int;
}

// make float float!
function sanitize_float($float, $min='', $max='')
{
    $float = floatval($float);
    if((($min != '') && ($float < $min)) || (($max != '') && ($float > $max)))
        return FALSE;
    return $float;
}

// glue together all the other functions
function sanitize($input, $flags, $min='', $max='')
{
    if($flags & UTF8) $input = my_utf8_decode($input);
    if($flags & PARANOID) $input = sanitize_paranoid_string($input, $min, $max);
    if($flags & INT) $input = sanitize_int($input, $min, $max);
    if($flags & FLOAT) $input = sanitize_float($input, $min, $max);
    if($flags & HTML) $input = sanitize_html_string($input, $min, $max);
    if($flags & SQL) $input = sanitize_sql_string($input, $min, $max);
    if($flags & LDAP) $input = sanitize_ldap_string($input, $min, $max);
    if($flags & SYSTEM) $input = sanitize_system_string($input, $min, $max);
    return $input;
}
```

line 146 is:

```php
function sanitize($input, $flags, $min='', $max='')
```

and the warnings are:

```text
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 24 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 25 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 26 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 27 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 28 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 29 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 30 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 31 and defined in /home/media/test/includes/db.php on line 146
```

does it have to do with the $min='', $max='' ? if so what do I put for min= and max=?
darkfreaks Posted August 9, 2009

do away with that page and just use the sanitize function when you echo it inside the inputs
adamlacombe (Author) Posted August 10, 2009

ok so I have this:

```php
<?php
// array keys are quoted so PHP does not raise an "undefined constant" notice
if(isset($_POST['update'])){
    $first_name=clean_up($_POST['first']);
    $last_name=clean_up($_POST['last']);
    $about=clean_up($_POST['about']);
    $email=clean_up($_POST['email']);
    $myspace=clean_up($_POST['myspace']);
    $aim=clean_up($_POST['aim']);
    $yim=clean_up($_POST['yim']);
    $location=clean_up($_POST['location']);
    $sql3 ="UPDATE `users` SET `myspace`='$myspace',`aim`='$aim',`yim`='$yim',`first`='$first_name',`last`='$last_name',`email`='$email',`about`='$about', `location`='$location' WHERE `id`='".$_SESSION['id']."'";
    $res3 = mysql_query($sql3) or die(mysql_error());
    echo "<div class='done'>Your profile has been successfully updated!</div><br />";
}

$sql="SELECT * from `users` WHERE `id`='".$_SESSION['id']."'";
$res=mysql_query($sql);
$row=mysql_fetch_assoc($res);
$first=$row['first'];
$last=$row['last'];
$email=$row['email'];
$location=$row['location'];
$aim=$row['aim'];
$yim=$row['yim'];
$myspace=$row['myspace'];
$about=$row['about'];

echo '
<form action="user.php?action=profilecp" method="post">
<div class="header">Profile Control Panel</div><br />
<div class="content">
First Name:<br />
<input class="tarea" id="first" type="text" name="first" maxlength="32" value="'.sanitize($first).'">
<br />
Last Name:<br />
<input class="tarea" id="last" type="text" name="last" maxlength="32" value="'.sanitize($last).'">
<br />
Email:<br />
<input class="tarea" id="email" type="text" name="email" maxlength="255" value="'.sanitize($email).'">
<br />
Location:<br />
<input class="tarea" id="location" type="text" name="location" maxlength="255" value="'.sanitize($location).'">
<br />
Aim:<br />
<input class="tarea" id="aim" type="text" name="aim" maxlength="255" value="'.sanitize($aim).'">
<br />
Yim:<br />
<input class="tarea" id="yim" type="text" name="yim" maxlength="255" value="'.sanitize($yim).'">
<br />
Myspace:<br />
<input class="tarea" id="myspace" type="text" name="myspace" maxlength="255" value="'.sanitize($myspace).'">
<br />
About:<br />
<textarea class="tarea" id="about" cols="40" rows="6" name="about">'.sanitize($about).'</textarea>
<br />
<input type="submit" name="update" value="Update">
</form>
</div>';
?>
```

but I still got the warnings....
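The "Missing argument 2" warnings come from calling sanitize() without its required second parameter, the $flags bitmask (the library expects calls such as sanitize($first, HTML) on output or sanitize($email, SQL, '', 255) before a query). The more robust way to write the same update-and-display flow is with a parameterized query on the database side and htmlspecialchars() on the echo side; the block below is an added example, not code from the thread, and assumes a mysqli connection in $db (with mysqlnd, for get_result()) plus the session id and column names from the post.

```php
<?php
// Added example (not the thread's code): profilecp.php update/display with a
// mysqli prepared statement and htmlspecialchars() on output.  Assumes $db is
// an open mysqli connection and $_SESSION['id'] holds the logged-in user's id.
$fields = array('first', 'last', 'email', 'location', 'aim', 'yim', 'myspace', 'about');
// HTML-encode a value for an attribute or element body (the echo side).
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}
if (isset($_POST['update'])) {
    $values = array();
    foreach ($fields as $f) {
        // Enforce the form's maxlength server-side; the browser's limit is advisory.
        $v = isset($_POST[$f]) ? trim($_POST[$f]) : '';
        if (strlen($v) > 255) {
            die('<div class="error">' . h($f) . ' is too long</div>');
        }
        $values[] = $v;
    }
    $values[] = (int) $_SESSION['id'];
    // Placeholders keep the text out of the SQL grammar, so no quote escaping
    // is needed on the database side.
    $stmt = $db->prepare('UPDATE `users` SET `first`=?, `last`=?, `email`=?, `location`=?,'
        . ' `aim`=?, `yim`=?, `myspace`=?, `about`=? WHERE `id`=?');
    $stmt->bind_param('ssssssssi', $values[0], $values[1], $values[2], $values[3],
        $values[4], $values[5], $values[6], $values[7], $values[8]);
    $stmt->execute();
    $stmt->close();
    echo '<div class="done">Your profile has been successfully updated!</div><br />';
}
$stmt = $db->prepare('SELECT `' . implode('`, `', $fields) . '` FROM `users` WHERE `id`=?');
$uid = (int) $_SESSION['id'];
$stmt->bind_param('i', $uid);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();
echo '<form action="user.php?action=profilecp" method="post">';
foreach ($fields as $f) {
    // Stored text is encoded at output time; the database keeps the raw value.
    if ($f === 'about') {
        echo 'About:<br /><textarea class="tarea" name="about" cols="40" rows="6">'
            . h($row['about']) . '</textarea><br />';
        continue;
    }
    echo ucfirst($f) . ':<br /><input class="tarea" type="text" name="' . $f
        . '" maxlength="255" value="' . h($row[$f]) . '"><br />';
}
echo '<input type="submit" name="update" value="Update"></form>';
```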
darkfreaks Posted August 10, 2009

oops sorry just ditch everything but the clean_up function that we first had.
adamlacombe (Author) Posted August 10, 2009

oh ok. omfg I hate A.D.D. but because I have it let me just make sure I got all this right lol. Only use the clean_up function, and I should use it when I'm echoing stuff and also whenever I'm inserting/updating, correct? And that should secure everything?
darkfreaks Posted August 10, 2009

it should
adamlacombe (Author) Posted August 10, 2009

ok, give me about a day and I'll fix all the files up and then I'll check back with you to see if it's secure. Sorry 4 being such a dumb @$$ at this.
darkfreaks Posted August 10, 2009

don't feel bad man we all have to start somewhere
adamlacombe (Author) Posted August 11, 2009

yea that's true. I think I got it all fixed up now. Wanna check?
darkfreaks Posted August 11, 2009

you can test yourself with the firefox XSS ME addon. mine keeps lagging sorry. anyhow if it is still leaking try some validation

```php
<?php
//if data is a number or letter
if(ctype_alnum($var)){
    //code
} else{
    //code
}
?>
```
adamlacombe (Author) Posted August 11, 2009

oh ok, I was wondering how in the hell you keep getting all this info lol.

Failures: 0
Warnings: 154

That's for the front page.. now onto a whole mess of others.
adamlacombe (Author) Posted August 14, 2009

mine was glitching up and said 0 tests performed or whatever.. kinda weird but.. Anyways I released Release Candidate #4. I think it's all secure.
darkfreaks Posted August 14, 2009

fields vulnerable: comment, keyword

other than that congrats looks good i will test for CSRF later
darkfreaks Posted August 14, 2009

also this is a very low threat i found CSRF wise but when you send your variables in your urls like foo=foobar might wanna encode them check into urlencode()
darkfreaks Posted August 14, 2009

PHPfreaks security tutorials: PHPIDS, file inclusion/session hijacking/CSRF
adamlacombe (Author) Posted August 15, 2009

> also this is a very low threat i found CSRF wise but when you send your variables in your urls like foo=foobar might wanna encode them check into urlencode()

I'm not all there as you must have already noticed lol but you're saying I need to put urlencode() around $_GET's that are being inserted into the database?
darkfreaks Posted August 15, 2009

whatever variables are being inserted into your url's need to be encoded
adamlacombe (Author) Posted August 15, 2009

but does that mean just the $_GET's? or is there more, like say you have this:

```php
<?php
$sql=mysql_query("SELECT * FROM atable");
while($row=mysql_fetch_array($sql)){
    $id=clean_up($row['id']);
    echo "$id";
}
?>
```

then should you have it:

```php
<?php
$sql=mysql_query("SELECT * FROM atable");
while($row=mysql_fetch_array($sql)){
    $id=clean_up(urlencode($row['id']));
    echo "$id";
}
?>
```

? God I hate being such a newb
darkfreaks Posted August 16, 2009

if you're sending $id in an url it needs to be encoded yes
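To make the distinction in this exchange concrete: urlencode() belongs on a value at the moment it is placed into a URL's query string, not on a value going into the database or being echoed as page text, and the finished URL still needs htmlspecialchars() when it lands inside an href attribute. The block below is an added example, not code from either poster; user.php and the parameter names are assumed.

```php
<?php
// Added example: building a link from database row values.  Each encoding is
// applied for the context the value is entering, and only for that context.

// Query-string context: percent-encode free text so characters such as '&',
// '=', '#' or a space cannot change the URL's structure.  A numeric id is
// cast instead of escaped, so no string ever reaches the URL unencoded.
function profile_url($id, $keyword)
{
    return 'user.php?action=view&id=' . (int) $id . '&keyword=' . urlencode($keyword);
}

// Attribute and element context: the URL and the link text are HTML-encoded
// for the page, which also turns the '&' between parameters into &amp;.
function profile_link($id, $keyword, $label)
{
    $href = htmlspecialchars(profile_url($id, $keyword), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Constructed sample row standing in for $row from mysql_fetch_array().
// The raw values are what the database holds; nothing is pre-encoded there.
$row = array('id' => 42, 'keyword' => 'rock & roll', 'name' => 'Adam <3');
echo profile_link($row['id'], $row['keyword'], $row['name']);
```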
darkfreaks Posted August 18, 2009

also may want to check the MIME type of the files being uploaded or it will potentially upload the file regardless of whether it says "this is not a picture file" check out: mime_content_type() ---- Deprecated in PHP 6
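A content-based check of the kind suggested above, as an added example that is not the thread's code: the MIME type is read from the file's bytes with the finfo extension rather than taken from the browser-supplied $_FILES[...]['type'], and the file must also parse as an image. The upload field name photo is assumed.

```php
<?php
// Added example (not from the thread): accept an upload only when its
// content is really an image.  $_FILES['photo'] is an assumed field name.
// $_FILES[...]['type'] is sent by the client, so it is never consulted here.
function accept_image_upload(array $file, $maxBytes = 2097152)
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Sniff the MIME type from the file content (magic bytes).  finfo is the
    // supported replacement for mime_content_type().
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Second opinion: the data must parse as an image, and the image parser
    // must agree with finfo about the type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // The caller stores the file under a server-chosen name with this
    // extension; the original filename is never reused.
    return array('mime' => $mime, 'ext' => $allowed[$mime],
                 'width' => $info[0], 'height' => $info[1]);
}

// Usage after the form is submitted (destination directory assumed):
$img = accept_image_upload(isset($_FILES['photo']) ? $_FILES['photo'] : array());
if ($img === null) {
    echo '<div class="error">this is not a picture file</div>';
} else {
    $dest = '/home/media/test/uploads/' . uniqid('img_', true) . '.' . $img['ext'];
    move_uploaded_file($_FILES['photo']['tmp_name'], $dest);
}
```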
adamlacombe (Author) Posted August 22, 2009

ok thanks, been pretty busy this past week so I haven't gotten too far on the script but am trying now.
adamlacombe (Author) Posted August 22, 2009

Got a question though, you seem to be a great PHP expert and I'm sort of just learning most of the built in functions so, if I have something along the lines of this:

```php
<?php
$id=clean_up($_GET['id']);
$id = abs((int) ($id));
?>
```

Do I need to use a numeric_only()

```php
<?php
$id=clean_up(numeric_only($_GET['id']));
$id = abs((int) ($id));
?>
```

numeric_only() only being this function:

```php
<?php
function numeric_only($string){
    $string=preg_replace("/[^0-9]/","",$string);
    return $string;
}
?>
```

Thanks!
darkfreaks Posted August 22, 2009

if their id is only numbers then yes is_numeric() will work
adamlacombe (Author) Posted August 22, 2009

umm nope numeric_only() not is_numeric()

But would I need numeric_only() if I am already using abs((int) ($id)) ?
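The two behaviours being weighed in the question above, side by side, as an added example that is not the thread's code: the lenient cast the poster already uses, which silently turns junk into 0 or keeps only the leading digits, and a strict ctype_digit() check in the spirit of the earlier validation advice, which rejects anything that is not a positive whole number. Both produce an int, so neither needs clean_up() or numeric_only() in front of it.

```php
<?php
// Added example (not from the thread): obtaining a safe integer id from
// $_GET['id'].  Because the result is an int, it can never carry quotes or
// SQL syntax into a query, whichever variant is used.

// Lenient: (int) keeps the leading digits and drops everything after them,
// and abs() removes a sign.  Non-numeric input becomes 0, which the caller
// must then treat as "no such row" rather than as a valid id.
function lenient_id($raw)
{
    return abs((int) $raw);
}

// Strict: accept only a non-empty string of ASCII digits of sane length and
// return null for anything else, so the caller can answer 404 instead of
// quietly looking up id 0.  ctype_digit() is the ctype_* style check
// suggested earlier in the thread.
function strict_id($raw)
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Usage with the lookup pattern from the thread (table name from the post):
$id = strict_id(isset($_GET['id']) ? $_GET['id'] : '');
if ($id === null) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
// $id is now an int; it can be placed in the query without escaping.
$sql = mysql_query("SELECT * FROM atable WHERE `id`=" . $id);
```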