Re: BB type posting - is this secure? [message #176391 is a reply to message #176383]
Fri, 30 December 2011 09:59
alvaro.NOSPAMTHANX
On 29/12/2011 23:45, Michael Joel wrote:
> I am allowing posts to the page and wanted to see if this is secure.
>
> data from sql is placed in an array (say $MyArray):
>
> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
What sense does it make to strip slashes in data that comes from a
database? If stored data is valid, this will basically corrupt it as
soon as it contains a backslash:
C:\WINDOWS\system32 --> C:WINDOWSsystem32
... and if you store corrupted data:
Jim \"Magic\" O\'Brian
... your problem is somewhere else.
> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");
Right, this removes HTML tags, including the <br /> ones you injected
yourself in the previous step. We have two possibilities:
1. If data is HTML: potential data corruption
<p>Click <a href="http://example.com">here</a> for info.</p>
--> Click here for info.
2. If data is not HTML: potential data corruption
if x<y then z=1 --> if x
> I notice with this text like<script>alert("hi");</script> is rendered
> as literal so no script is actually recognised.
This JavaScript code won't get executed basically because it gets
corrupted in the process. A carefully crafted invalid HTML snippet might
have a better chance to survive.
> So is this good enough or is there something else I need to do?
No offence but your security methods are like burning down a warehouse
so its contents are not stolen at night.
I think the base problem is that you think that:
1. All security contexts are the same.
2. Security in general is about identifying "bad" chars and completely
stripping them.
Instead, think about *syntax*. All languages have their own syntax with
its own rules. In such syntax, there are language elements and there are
literals:
<?php /* I am code */ echo '<?php I am not code ?>'; ?>
Well, this post is getting too long. To sum up, identify context and
apply proper mechanisms:
- MySQL: Prepared statements, mysql_real_escape_string()...
- JavaScript: json_encode()
- HTML: htmlspecialchars()
- E-mail / HTTP headers: strip line feeds, encode as 7-bit
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My glossy-humour site: http://www.demogracia.com
--
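An added example, not code from Álvaro's reply or from the original question: it runs the quoted nl2br/stripslashes/strip_tags chain beside per-context escaping on constructed sample posts taken from the cases discussed above. The function names, the sample inputs and the `posts` table used by the PDO call are assumptions.

```php
<?php
// Added example: the sanitising chain from the question next to
// per-context escaping. Sample posts below are constructed for the demo.

// The chain as posted, kept unchanged so its data loss is visible.
function render_post_as_posted(string $post): string
{
    $post = nl2br(stripslashes($post));
    return strip_tags($post, '<br>');
}

// HTML context: escape every special character first, then add <br />.
// nl2br() runs last so the <br /> tags it emits are not escaped themselves.
function render_post_html(string $post): string
{
    return nl2br(htmlspecialchars($post, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// JavaScript context: hand the value over as a JSON string literal;
// the HEX flags keep '<', '>', '&' and quotes out of the inline script.
function render_post_js(string $post): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var post = ' . json_encode($post, $flags) . ';';
}

// SQL context: the value never becomes part of the query text.
// (Assumed table "posts" with a "body" column; not run below.)
function store_post(PDO $db, string $post): void
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $post]);
}

// Constructed inputs matching the cases discussed in the reply.
$samples = [
    'if x<y then z=1',                   // not HTML: strip_tags drops the rest of the line
    'C:\WINDOWS\system32',               // valid data that stripslashes corrupts
    'like<script>alert("hi");</script>', // mangled by the chain, not actually neutralised
];

foreach ($samples as $s) {
    echo "as posted: ", render_post_as_posted($s), "\n";
    echo "html:      ", render_post_html($s), "\n";
    echo "js:        ", render_post_js($s), "\n\n";
}
```

The first sample comes out of the posted chain as just `if x`, while the HTML-context version keeps the whole line as `if x&lt;y then z=1`.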