Travis1128 Posted August 6, 2011

Hello. I have below two validation functions that validate the input from $_POST and $_GET. I was curious whether you think they are effectively decent for protection from XSS and SQL injection based attacks. I know this is not the only layer I should have, but this is the middleman defense I have planned to put in place. Please let me know what you think.

validatePost Function

```php
function validatePost($input, $level, $mysql){
    // Output variable
    $output = '';

    // Determine the validation level
    if($level == 0){
        // No validation process for filter_input(); read the raw $_POST value
        $invp = htmlspecialchars($_POST[$input]);
    } else if($level == 1){
        // Standard removal of HTML special characters.
        $invp = filter_input(INPUT_POST, "$input", FILTER_SANITIZE_SPECIAL_CHARS);
    } else if($level == 2){
        // Advanced removal of HTML special characters.
        $invp = filter_input(INPUT_POST, "$input", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    } else {
        // Unknown level: nothing is read, so $invp is never left undefined
        $invp = '';
    }

    // Determine if MySQL escaping is required
    if($mysql != null){
        $invp = mysql_real_escape_string($invp);
    }

    // Validate the end output
    $output = htmlentities($invp);
    return $output;
}
```

validateGet Function

```php
function validateGet($input, $level, $mysql){
    // Output variable
    $output = '';

    // Determine the validation level
    if($level == 0){
        // No validation process for filter_input(); read the raw $_GET value
        $invp = htmlspecialchars($_GET[$input]);
    } else if($level == 1){
        // Standard removal of HTML special characters.
        $invp = filter_input(INPUT_GET, "$input", FILTER_SANITIZE_SPECIAL_CHARS);
    } else if($level == 2){
        // Advanced removal of HTML special characters.
        $invp = filter_input(INPUT_GET, "$input", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    } else {
        // Unknown level: nothing is read, so $invp is never left undefined
        $invp = '';
    }

    // Determine if MySQL escaping is required
    if($mysql != null){
        $invp = mysql_real_escape_string($invp);
    }

    // Validate the end output
    $output = htmlentities($invp);
    return $output;
}
```

Example of validateGet Use

```php
$id = validateGet("id", 1, null);
switch($id){
    default:
        echo $id;
        break;
}
```

The above script, designed to print the output of ?id ($id), prints all output when validated; however, it removes all HTML/script elements. Please let me know what you think.

- Travis
phpSensei Posted August 6, 2011

Get the idea of cleaning or filtering a variable out of your head; there should be no such thing in PHP anyway. Any code given a string from an outside source should be escaped based on the event that calls for it. Firstly, don't directly input a foreign string into MySQL without escaping it according to the language's rules, such as using mysql_real_escape_string, which is appropriate for this purpose. When it comes to outputting HTML, then use htmlspecialchars... You shouldn't take a string and overload it with functions such as strip_tags, stripslashes, addslashes, htmlentities, etc. However, if the user throws at you a preformatted string, then this would be an acceptable case of "filtering" the data, but even this can be an issue. When the event calls for it, escape the foreign string for the purpose of the code...
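The "escape at the sink, for that sink" rule from this reply, as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database (so it runs offline; with MySQL only the DSN changes) in place of the thread's ext/mysql, which PHP 7 removed; the helper names forHtml and forSqlLiteral are invented for the example.

```php
<?php
// Added example, not code from the thread. The same raw string is escaped
// at each sink, by that sink's rules, and never "cleaned" in place.
// Assumes PDO with an in-memory SQLite database so it runs offline; with
// MySQL only the DSN changes. ext/mysql from the thread is gone since PHP 7.
declare(strict_types=1);

/** Escape for an HTML text node or a quoted attribute value. */
function forHtml(string $value): string
{
    // ENT_QUOTES handles both quote characters, so the result is safe in
    // element text and in single- or double-quoted attributes alike.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape for use as a quoted SQL string literal on this connection. */
function forSqlLiteral(PDO $db, string $value): string
{
    // PDO::quote is the PDO counterpart of mysql_real_escape_string: it
    // needs the connection because quoting rules depend on the driver.
    return $db->quote($value);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed input standing in for $_POST['name']; it carries an SQL
// quote and HTML markup so each sink has something to escape.
$name = "O'Brien <b>bold</b>";

// SQL sink, literal form (what the thread discusses): escaped for SQL only.
$db->exec('INSERT INTO users (name) VALUES (' . forSqlLiteral($db, $name) . ')');

// SQL sink, preferred form: a bound parameter needs no escaping at all.
$stmt = $db->prepare('SELECT name FROM users WHERE name = :n');
$stmt->execute([':n' => $name]);
$stored = $stmt->fetchColumn();

// HTML sink: the stored value is escaped for HTML only, at output time.
echo '<p>Welcome, ' . forHtml($stored) . "</p>\n";
```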
Travis1128 (Author) Posted August 6, 2011

Thank you phpSensei. So what I have gotten from your reply is:

1. Do not directly clean/filter a variable.
2. Only escape or filter a string from an outside source where it is necessary to do so.
3. MySQL insertion of any "string" or data should use mysql_real_escape_string().
4. For outputting HTML strings (comments, user text, profile text, etc.) use htmlspecialchars() for filtering the output.
5. Only use the above if the security calls for that specific output/input of data.

If I am wrong please correct me. I try to learn new things and then the right way to do them.

- Travis
phpSensei Posted August 6, 2011

Yes, you are correct.
voip03 Posted August 6, 2011

All input must be validated.
TeNDoLLA Posted August 6, 2011

> All input must be validated.

This. Every input data that comes from an outer source (web page, users or whatever outer src, including all $_GET and $_POST etc.) needs to be validated before using it in your scripts. Never trust that data blindly.
phpSensei Posted August 6, 2011

All inputs must be properly validated. *hint* *hint*
Travis1128 (Author) Posted August 6, 2011

> All input must be validated.
>
> This. Every input data that comes from an outer source (web page, users or whatever outer src, including all $_GET and $_POST etc.) needs to be validated before using it in your scripts. Never trust that data blindly.

Yep. I understand that portion. However, what phpSensei pointed out is that each validation should not be as elaborate as the functions I displayed above.

Any MySQL input data ($_POST, $_GET) should be validated with mysql_real_escape_string; however, if the specific code requires higher security, do more to protect yourself.

Any HTML/BBCode etc. input data ($_POST) should be validated with htmlspecialchars() when output.

Validation methods to use:

- mysql_real_escape_string()
- htmlspecialchars()
- filter_input(): in some cases, when a security level higher than the above requires it.
MasterACE14 Posted August 6, 2011

The general idea is to assume every user on your website is malicious and will attempt to exploit it in any way they possibly can, whether that's via the URL or a form, or some other method. When cleaning/filtering/validating user input you take it on a case by case basis and use only the functions you require to validate that input, rather than one or two functions that do everything for you in a similar way to how magic quotes work, which are greatly frowned upon.
phpSensei Posted August 6, 2011

There's a difference between cleaning/filtering data and properly escaping strings without all the extra garbage functions that don't contribute to fixing the security problem. In any case given, preformatted input is always "filtered", if that's what you want to call it, to an extent.

```php
$id = mysql_real_escape_string(strip_tags(htmlentities(addslashes(trim.... and so forth
$query = mysql_query("SELECT * FROM `tbl` WHERE `id` = '$id'");
```

You see how useless this is? You're not filtering anything; the only thing required here is mysql_real_escape_string.
Travis1128 (Author) Posted August 9, 2011

Just a quick question, if anyone could answer. http://www.phpsec.org/projects/guide/2.html talks about Spoofed Form Submissions and HTTP Requests. Is defending against Spoofed Form Submissions the same deal of filtering the input just as we discussed before? I.e., if it's MySQL related use mysql_real_escape_string(), or if it's HTML output use htmlspecialchars(), etc... What about Spoofed HTTP Requests: is that something to be concerned about?

- Travis
the182guy Posted August 9, 2011

> Just a quick question, if anyone could answer. http://www.phpsec.org/projects/guide/2.html talks about Spoofed Form Submissions and HTTP Requests. Is defending against Spoofed Form Submissions the same deal of filtering the input just as we discussed before? I.e., if it's MySQL related use mysql_real_escape_string(), or if it's HTML output use htmlspecialchars(), etc... What about Spoofed HTTP Requests: is that something to be concerned about?
>
> - Travis

Nothing difficult there, just use common sense. Like in the example, if you have a dropdown with certain values that are acceptable, make sure that when the form is submitted, your PHP only accepts the same possible values. In that case I would have an array of possible values, then use in_array() to test if the input is valid; if it isn't, either default to a valid value or throw out a validation error.
PFMaBiSmAd Posted August 9, 2011

The Spoofed Form Submission and Spoofed HTTP Request examples are intended to show that submitted data can (easily) have any value, because there is no guarantee that it was a form or a link on one of your pages that supplied the data. Validation (i.e. the act of testing for compliance) of external data means to actually test that the data exists and has an expected value before you use it in your code. Things like mysql_real_escape_string, htmlspecialchars, filter_input, ... are not validation.
Travis1128 (Author) Posted August 9, 2011

> The Spoofed Form Submission and Spoofed HTTP Request examples are intended to show that submitted data can (easily) have any value, because there is no guarantee that it was a form or a link on one of your pages that supplied the data. Validation (i.e. the act of testing for compliance) of external data means to actually test that the data exists and has an expected value before you use it in your code. Things like mysql_real_escape_string, htmlspecialchars, filter_input, ... are not validation.

Alright. Thank you for your quick replies. So for simple validation you could easily just validate that the input data is an integer or a string of a certain length, etc.; if it exceeds the normal "input" for the specific function you simply return an error based on the data input. By the way, could you give an example in your own way of how such spoofs would be done and how to counteract them? Just curious, since I could use all the help I can get.
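Validation in the sense the last two replies describe (test that each value exists and has an expected value; whitelist a select box with in_array(); bound an integer and a string length), as an added example that is not code from the thread. The field names, the allowed role list, and the function name validateProfileRequest are constructed for the example; the request array is passed in rather than read from $_POST so it can be run offline.

```php
<?php
// Added example, not code from the thread. Validation in PFMaBiSmAd's sense:
// each external value is checked to exist and to have an expected value
// before use. Field names and allowed values are constructed; the request
// array is a parameter so the function can be exercised offline.
declare(strict_types=1);

/** Returns ['ok'=>true,'data'=>[...]] or ['ok'=>false,'errors'=>[...]]. */
function validateProfileRequest(array $req): array
{
    $errors = [];
    $data   = [];

    // Integer id: FILTER_VALIDATE_INT returns false for "7x", "1e3" or an
    // array, so compare with === instead of casting with (int).
    $id = filter_var($req['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors['id'] = 'id must be a positive integer';
    } else {
        $data['id'] = $id;
    }

    // Select box value: the182guy's in_array() whitelist. The strict flag
    // stops loose matches such as 0 == "member".
    $roles = ['member', 'moderator'];
    $role  = $req['role'] ?? '';
    if (!is_string($role) || !in_array($role, $roles, true)) {
        $errors['role'] = 'role must be one of: ' . implode(', ', $roles);
    } else {
        $data['role'] = $role;
    }

    // Free text with a length bound; mb_strlen counts characters, not bytes.
    $bio = $req['bio'] ?? '';
    if (!is_string($bio) || mb_strlen($bio, 'UTF-8') > 200) {
        $errors['bio'] = 'bio must be at most 200 characters';
    } else {
        $data['bio'] = $bio; // kept raw; escaped later at the output sink
    }

    return $errors ? ['ok' => false, 'errors' => $errors]
                   : ['ok' => true,  'data' => $data];
}

// A spoofed submission: the page's select box only offered member and
// moderator, but nothing stops a hand-made request from sending "admin".
var_dump(validateProfileRequest(['id' => '7x', 'role' => 'admin', 'bio' => 'hi']));
var_dump(validateProfileRequest(['id' => '7',  'role' => 'member', 'bio' => 'hi']));
```

The first call returns ok => false with errors for both id and role; the second returns ok => true with the id already cast to int, so later code can rely on the types it receives.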
Travis1128 (Author) Posted August 9, 2011

I mean a simple validation attempt like:

```php
if(!$_SESSION['user_logged']){
    // Return an error
} else {
    // Do something
}
```

That would limit someone from just making their own <form> up and having it hosted on their site, correct? You could just have that placed in auth.php and include auth.php on pages where you need to authenticate a user's session in order to submit data.