Comments on: PHP Security: Basic PHP Security

by: Marco

Wed, 24 May 2006 10:34:52 +0000

Italian resource / risorsa italiana sull’argomento: programmazione sicura in PHP:

http://www.scuolaelettrica.it/buratto/php2/PHPSec.htm

by: .:: ㊣Inosin℃ -> Blog ::. » 一个非常不错的Email地址验证函数~

Mon, 08 May 2006 03:18:16 +0000

[…] http://phpit.net/article/php-security-basic/1/ […]

by: Dennis Pallett

Tue, 02 May 2006 09:42:53 +0000

Hi Brian,

You’re right, and I’ve posted it now, at:

http://phpit.net/code/valid-email/

I’ve also updated the article. Thanks for letting me know.

by: Brian

Mon, 01 May 2006 19:48:53 +0000

valid_email() is not available at http://phpit.net/code/

It would have been nice to see.

by: Piku’s PHP Blog » PHPit articles

Mon, 23 Jan 2006 19:53:40 +0000

[…] First one is PHP Security: Basic PHP Security. It treats the basics of securing your PHP applications (Filtering the input and escaping the output). […]

by: Dennis Pallett

Sun, 22 Jan 2006 20:02:05 +0000

Matthijs: I really like the idea of the clean array, and it does prevent the mistake you describe, which is probably an all too common mistake, especially because a typo is easy to make.

James: I kinda agree with you, although the valid_email() example I have is a good example of real validation.

by: Charlie

Thu, 19 Jan 2006 23:23:59 +0000

> Start with declaring an empty $clean array. After that add only data to the $clean array after validation.

Or better yes, use perl -T, and have the language *enforce* separation between validated and unvalidated data.

by: James

Tue, 17 Jan 2006 14:11:01 +0000

Hi, Sorry to be really picky, but i wouldn’t call this validation.

[code]
// Do validation

$s_Email = mysql_real_escape_string($d_Email);

[/code]

Thats more what i would say is escaping, validation is checking the length and the characters contained within the username/email address. Stripping out HTML tags etc…I suppose you could call it data cleansing.
Sorry to be a picky swine :)

by: Volodia

Tue, 17 Jan 2006 13:20:02 +0000

$var[’email’]='’;
$var=array_merge($var,$_GET,$_POST);
$sql_query=”select * from table where email=’.addslashes($var[’email’]).’”;

if in php.ini -> magic_quote_gpc=on
$sql_query=”select * from table where email=’.addslashes(stripslashes($var[’email’])).’”;

by: Matthijs

Mon, 16 Jan 2006 16:57:08 +0000

Good article Dennis. Filter ALL input, escape ALL output. Solid advice!

One remark about prefixing variables to avoid mistakes. That is a good aproach. The method I personally apply is the one Chris Shiflett uses in his book. Start with declaring an empty $clean array. After that add only data to the $clean array after validation. Then, if you want to do something in your script, you only work with the $clean array. See for an example http://phpsecurity.org/code/ch01-3

This makes sure you never process tainted/unsafe data, even if a variable hasn’t been declared earlier on in your script. For example, if I process some data like this:
$clean = array();
$email = $_POST[’email’];
$sql = mysql_real_escape_string($clean[’Emali’]);
as you can see, there’s a typo in the last line. But apart from the fact that my script probably doesn’t work as intended, it is not dangerous. The variable “Emali” can not be injected from outside, because I declare the $clean array empty at the start of the script.

I find this approach very useful.

On the other hand, if I would have processed the line as:
$Email = $_POST[’email’];
$sql = mysql_real_escape_string($Emali);
the variable $Emali would not have been declared and could be injected from outside.

Hope I explained it well. There’s a lot to consider when you want to write secure scripts, so it’s good you give it some attention Dennis! And the links you provide are indeed excellent reading material for further study.