Variable checking and security

Forum Moderators: coopster

Message Too Old, No Replies

Variable checking and security

How would i...

PSWorx

10:42 pm on Nov 3, 2004 (gmt 0)

Is it possible to check that a variable originated from a server (in this case, the one the script is hosted on) of choice and also what other level of checking can i do with variables to ensure they are from where/who they should be from.

Also, would it be wise to store a funtion, or number of functions in a file say named "var_check.php" to check/modify variables for a variety of things i.e. to strip text modify letter case, to check if certain criteria is met etc as and when necessary.

TIA

mincklerstraat

8:00 am on Nov 4, 2004 (gmt 0)

In PHP the easiest thing to do is to turn register_globals off. (register_globals on will take all variables coming in from forms and other things and just make them into regular variables with the same name as the form fields - i.e.,

$_POST['name']

also produces the variable

$name

). Then all variables will be 'from your own server' except

$_GET

$_POST

$_COOKIE

$_FILE

, some of the

$_SERVER

variables like

$_SERVER['HTTP_REFERER']

, plus any variables generated by various sorts of input - sql queries (though that's still on your server - you just need to make sure your db is 'ok') and file reads or file uploads, for example. If I'm missing any variables here, or other important info, somebody holler. Oh yeah, remote includes! Those hurt me once. PHP since version 4.1 comes with register_globals off by default; your host might have turned them on; if so, you can probably turn them back off with an .htaccess file in your webroot that says:

php_flag register_globals off

There are also code snippets which try to unset any variables which might have come in via register globals, but it's simplest just to do it with .htaccess.

I usually have something similar to a function like var_check that takes an array of the variable elements I know I want to come in through user input, and does these sorts of things you describe.


$desiredvars = array('name', 'address', 'wig_size'); 
clean_em_up($desiredvars);

clean_em_up()

will first check to see if

gpc_quotes

are on, and if they are, it strips slashes; it then goes through

$_GET

and

$_POST

, in that order, and makes 'ordinary' variables out of them. Depending on the project, it might also use

html_special_chars()

to further clean them (otherwise they need to be cleaned later before being output). I've been stupid and just re-written this function each time I start a new project, a smart programmer would just have this in a standard library file for cutting and pasting, with an extra perameters designating which actions need to be taken.

DaButcher

8:36 am on Nov 4, 2004 (gmt 0)

I think it's always good to run strip_tags() with the optional parameter for allowed tags.

that will strip javascript, html, etc. unless you specify that it's allowed.

if your users post some meta refresh to a naughty page in your guestbook, you might not find it amusing!

They might also post images that are off-site, if you do not remove <img> tags. The possibility is also there, that they use some javascripts that might seem funny to the abuser, but not to the user.

I guess it all dependes on: who will use your script