Form input data
I am "strip-slashing" and "trimming" all of my form input data and
wondering what I need to do to deal with intentional or unintentional
tag input (like < or > or actual html tags). Also any other related
vulnerabilities of which I am unaware.
This also brings up another issue related to textareas that will be
displayed on a page by php code. Is there a feasible way to let
knowledgeable people insert html formatting in those textareas so
their text will be formatted as they want it when displayed without
creating vulnerabilities? How do I deal with the eventuality of their
including syntax errors?
I presume there are ways of making it easy for users to format input
text like this, perhaps some classes created for this purpose or some
embedded editors. I think I have seen some javascript approaches to
this. Anyone know about this?
I'm interested in any suggestions people have around these issues.
I've got my script working quite well and am ready to include some
enhancements that will avoid vulnerability around form input and make
the process more user friendly.
Thanks in advance,
--Kenoli
Re: Form input data
PS -- I am validating some fields with regular expressions like
allowing only certain characters in name fields and certain formats
for zip codes, etc.
Re: Form input data
"kenoli" <kenoli.p [at] gmail.com> wrote in message
news:1172596818.794179.120510 [at] 8g2000cwh.googlegroups.com...
| PS -- I am validating some fields with regular expressions like
| allowing only certain characters in name fields and certain formats
| for zip codes, etc.
good for you [he sez patronizingly]. while you are known to have aversions to
the manuals and that this topic won't be specifically found in one, did you
miss the whole security discussion the two others gave in the last thread
you just chimed in on? were you able to grasp reading at a marginal level,
you'd have already seen several valid responses to your question...thus
negating your need to...well...ask.
Re: Form input data
Do you mean the one where Koncept said how he filtered all text going
into textareas? I did save that info. I have a filter function that
I am planning to add "strip_tags" to. Before I jumped into that, I was
wondering if others had ideas I should incorporate at the same time.
I'm also looking for ideas for allowing for formatting in textareas
without getting things all screwed up. I thought I had seen some
scripts for this, but can't seem to find them in recent searches.
--Kenoli
On Feb 27, 10:04 am, "Steve" <no.... [at] example.com> wrote:
> did you
> miss the whole security discussion the two others gave in the last thread
> you just chimed in on? were you able to grasp reading at a marginal level,
> you'd have already seen several valid responses to your question...thus
> negating your need to...well...ask.
Re: Form input data
"kenoli" <kenoli.p [at] gmail.com> wrote in message
news:1172627479.475574.231240 [at] t69g2000cwt.googlegroups.com...
| Do you mean the one where Koncept said how he filtered all text going
| into textareas? I did save that info. I have a filter function that
| I am planning to add "strip_tags" to. Before I jumped into that, I was
| wondering if others had ideas I should incorporate at the same time.
|
| I'm also looking for ideas for allowing for formatting in textareas
| without getting things all screwed up. I thought I had seen some
| scripts for this, but can't seem to find them in recent searches.
what have you been searching under and in what engine? i usually get the
best results using google, and by starting each search with 'php'. in this
case, 'php injection security' works wonders. i had to look to the fourth
result...which coughed up a tutorial:
http://www.phpbuilder.com/columns/ProPHPSecurity_excerpt.php3
zzzzzzzzzzzzzz........
Re: Form input data
Steve -- Thanks. The article looks good and "injection" seems like
the term of art I needed to know. This is great for finding sql
issues which I hadn't thought of.
It is pointed out as an issue in the php manual that strip_tags() has
trouble knowing what to delete when one or more "<" or ">" are input
by themselves, and not as an actual tag with opening and closing
carets. I have managed to cause some problems when I did some trial
runs inserting these characters myself. Is this ever enough of an
issue to be concerned about? I suppose a regular expression filter, in
addition to strip_tags() could be used here, though it seems like it
might be overkill and a little hard to apply in combination with
strip_tags().
Thanks,
--Kenoli
On Feb 27, 7:36 pm, "Steve" <no.... [at] example.com> wrote:
> http://www.phpbuilder.com/columns/ProPHPSecurity_excerpt.php3
>
> zzzzzzzzzzzzzz........
Re: Form input data
"kenoli" <kenoli.p [at] gmail.com> wrote in message
news:1172767406.944492.255670 [at] s48g2000cws.googlegroups.com...
| Steve -- Thanks. The article looks good and "injection" seems like
| the term of art I needed to know. This is great for finding sql
| issues which I hadn't thought of.
|
| It is pointed out as an issue in the php manual that strip_tags() has
| trouble knowing what to delete when one or more "<" or ">" are input
| by themselves, and not as an actual tag with opening and closing
| carets. I have managed to cause some problems when I did some trial
| runs inserting these characters myself.
make a page with a form that has a textarea. next, try and write some
javascript in it like:
<script type="text/javascript">
alert('hello world');
</script>
save the record to a dummy table you've created for this test. then, pull
the record back up. i bet you get a message saying, of course, 'hello
world'.
| Is this ever enough of an issue to be concerned about?
no, that's why people NEVER do it. of course it is enough of a reason! i've
hacked sites that used ajax and had their db queries stored in javascript.
that means i could look at it. it also means i could bypass all business
logic they had in place and store anything in their db that i wanted to.
changing alert('hello world') to something more destructive is far from
difficult.
| I suppose a regular expression filter, in
| addition to strip_tags() could be used here, though it seems like it
| might be overkill and a little hard to apply in combination with
| strip_tags().
not overkill nor is it hard. here's a quick db class that encapsulates mysql
functionality. look closely at the encode/decode and prepare statements.
those will help. when performing any query where input is involved, just
call db::prepare($value)...which replaces ' with '' and strips slashes,
optionally it can encode the data as well...changing things like < to &lt;
also, the db::execute statement can decode this for you when you select data
for display (however doing so would not avoid the javascript injection).
here's the class - assumes php 5:
<?php
// Thin wrapper around the PHP 5 mysql extension (mysql_* functions).
class db
{
    static private $_instance = null;
    static private $_lastStatement = '';

    // Singleton: no cloning and no construction from outside the class.
    private function __clone(){}
    private function __construct(){}

    // Open the connection and optionally select a database. mysql_connect()
    // signals failure by returning false, not by throwing, so the result is
    // checked directly; a try/catch around it would never catch anything.
    static function connect($server, $user, $password, $catalog = null)
    {
        $link = @mysql_connect($server, $user, $password);
        if ($link === false || (!is_null($catalog) && !@mysql_select_db($catalog)))
        {
            print "<pre>\r\n" . mysql_error() . "\r\n</pre>";
            return false;
        }
        return true;
    }

    static function getInstance()
    {
        if (is_null(self::$_instance)){ self::$_instance = new db(); }
        return self::$_instance;
    }

    static function getLastStatement(){ return self::$_lastStatement; }

    // Reverse of encode(): turn HTML entities back into the raw characters.
    static function decode($string)
    {
        $translation = get_html_translation_table(HTML_ENTITIES);
        $translation = array_flip($translation);
        return strtr($string, $translation);
    }

    // Column metadata for a table, keyed by upper-cased column name.
    static function describe($table)
    {
        $columns = array();
        $records = self::execute('DESCRIBE `' . $table . '`');
        foreach ($records as $record)
        {
            foreach ($record as $column => $property)
            {
                if ($column == 'FIELD'){ continue; }
                $columns[strtoupper($record['FIELD'])][$column] = $property;
            }
        }
        return $columns;
    }

    // Replace every character that has an HTML entity (<, >, &, quotes, ...)
    // with that entity, so the stored text is not interpreted as markup.
    static function encode($string)
    {
        $translation = get_html_translation_table(HTML_ENTITIES);
        return strtr($string, $translation);
    }

    // Run a statement and return the rows as an array of associative arrays
    // keyed by upper-cased column name, optionally decoding entities on the
    // way out. For INSERT/UPDATE/DELETE mysql_query() returns true, so the
    // fetch loop is skipped; pass $returnNewId to get the auto-increment id.
    static function execute($sql, $decode = false, $returnNewId = false)
    {
        self::$_lastStatement = $sql;
        $array = array();
        $key = 0;
        $records = mysql_query($sql);
        $fieldCount = @mysql_num_fields($records);
        $translation = get_html_translation_table(HTML_ENTITIES);
        $translation = array_flip($translation);
        while ($row = @mysql_fetch_array($records, MYSQL_NUM))
        {
            for ($i = 0; $i < $fieldCount; $i++)
            {
                $value = $row[$i];
                if ($decode){ $value = strtr($value, $translation); }
                $array[$key][strtoupper(@mysql_field_name($records, $i))] = $value;
            }
            $key++;
        }
        if ($returnNewId)
        {
            $array = array();
            $array[0]['ID'] = mysql_insert_id();
        }
        @mysql_free_result($records);
        return $array;
    }

    // Prepare a value for embedding between single quotes in a query:
    // optionally entity-encode it, double any single quotes, and strip the
    // backslashes that magic_quotes_gpc may have added.
    static function prepare($string, $encode = false)
    {
        if ($encode){ $string = self::encode($string); }
        $string = stripslashes(str_replace("'", "''", $string));
        return $string;
    }
}
?>
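Two things in this thread are easier to see in running code than in prose: Kenoli's worry about what strip_tags() does with a lone "<" or ">", and the textarea script test Steve describes above. The block below is an added example written for this page; it is not Steve's class and not anything posted in the thread. It takes a different route from the class above: the text is stored exactly as typed through a bound parameter (no quote doubling, no stripslashes), everything is entity-escaped at display time, and only a fixed allowlist of attribute-free tags is turned back into markup, with any tag the user forgot to close being closed for them. It uses PDO with an in-memory SQLite database so it runs offline under PHP 7 or later; the `posts` table, its columns, the allowed-tag list and the sample inputs are all assumptions made for the demo.

```php
<?php
// Added example (not from the thread): store textarea input verbatim with a
// bound parameter, then escape on output and re-enable an allowlist of tags.
// PDO + in-memory SQLite is used so this runs offline; the table, column
// names and the allowed tag list are assumptions for this demo.
declare(strict_types=1);

// Tags a "knowledgeable" user may use. Attributes are never allowed, so
// onclick="..." or href="javascript:..." can never reach the page.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br'];

// Step 1: escape everything. A stray < or > simply becomes &lt; or &gt;;
// nothing has to guess whether it was meant as a tag.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Step 2: turn exact, attribute-free allowlisted tags back into markup and
// close whatever the user left open, so a syntax error cannot break the page.
function renderFormatted(string $text): string
{
    $html = escapeHtml($text);
    $open = [];   // stack of currently open allowlisted tags

    $pattern = '~&lt;(/?)(' . implode('|', ALLOWED_TAGS) . ')\s*/?&gt;~i';
    $html = preg_replace_callback($pattern, function (array $m) use (&$open): string {
        $tag = strtolower($m[2]);
        if ($tag === 'br') {
            return '<br>';                 // void element, never on the stack
        }
        if ($m[1] === '') {
            $open[] = $tag;
            return "<$tag>";
        }
        // Closing tag: honour it only if it matches the innermost open tag.
        // A mismatched or unopened close (e.g. </b> with nothing open) is dropped.
        if ($open !== [] && end($open) === $tag) {
            array_pop($open);
            return "</$tag>";
        }
        return '';
    }, $html);

    while ($open !== []) {                 // close anything still open, innermost first
        $html .= '</' . array_pop($open) . '>';
    }
    return $html;
}

// Storage: the value goes through a bound parameter, so the driver keeps data
// separate from SQL and no quote doubling or slash stripping is needed.
function newStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

function savePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample inputs: the script from Steve's test, a stray comparison
// sign next to a single quote, a user who forgot to close two tags, and an
// attempt to smuggle attributes and a non-allowlisted tag through.
$samples = [
    "<script type=\"text/javascript\">alert('hello world');</script>",
    "if x < 5 then y > 3, said O'Brien",
    "Some <b>bold and <i>italic text<br>with a line break",
    "<b onclick=\"alert(1)\">not bold</b> <a href=\"javascript:alert(1)\">link</a>",
];

$db = newStore();
foreach ($samples as $text) {
    $id = savePost($db, $text);
    echo renderFormatted(loadPost($db, $id)), "\n";
}
```

Because the allowlist is applied to the already-escaped text, the only way a tag can come back to life is to match the exact `&lt;b&gt;` / `&lt;/b&gt;` shape with no attributes, which is why the `onclick` and `javascript:` samples stay as visible, inert text. Storing the raw input also means the same record can later be rendered somewhere other than an HTML page without first having to undo an encoding step.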