[CS-FSLUG] PHP vulnerabilities?
Chris Brault
gginorio at sbcglobal.net
Fri Jun 2 15:52:50 CDT 2006
Indeed,
> When I first started using user-input scripts, one of the things I read
> about was to filter ALL input to avoid anything bad coming in, in a
> subroutine that deals with every input before it is handled on to the
> rest of the script.
>
> The suggestion was instead of filtering things _out_ (things like a
> backslash), it is safer to filter things allowed in (letters, numbers,
> underscore, space, hyphen, period, question mark, exclamation point).
This is an excellent approach that I am going to implement. I have
recently been put in charge of several sites and University Public
Events at CSU Chico is considering putting me on contract for their
site. So as you can see, security is important to maintain the integrity
of the school and myself.
I try to avoid input as much as possible, although I love using
interactivity (buttons, links, drop down boxes and the like). That said,
for entering original content there is no substitute for an input box or
textarea HTML-ified by tinyMCE. I wasn't aware that functions could be
run in PHP through inputs that are printed to the page. Imagine my
surprise.
So, now that I know the dangers, I've decided to add a better data
check using a "positive" filter rather than a negative one. If I
understand this properly, I should only allow characters that can be
reasonably expected from the input.
A name should only contain alpha characters while an address only
integers and alpha characters.
Hey, thanks for the information. I'm sure many people in the future will
have more secure sites because of it.
Gabe Ginorio
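A PHP sketch of the allow-list ("positive" filter) approach discussed in this message, added here as an example and not taken from the thread or from any of the sites mentioned; the field names, character sets and length limits are assumptions chosen for illustration.

```php
<?php
// Added example, not from the thread: allow-list ("positive") validation.
// Field names and character sets below are assumptions for illustration.

// One anchored pattern per field; anything outside the set is rejected
// outright rather than stripped, so the caller knows the input was bad.
const FIELD_RULES = [
    'name'    => '/^[A-Za-z .\'-]{1,64}$/',          // letters, space, ., ', -
    'address' => '/^[A-Za-z0-9 .,#-]{1,128}$/',      // adds digits , #
    'comment' => '/^[A-Za-z0-9_ .?!-]{1,1000}$/',    // set from the quoted post
];

// Returns the trimmed value if every character is allowed, else null.
function allowlist(string $field, $input): ?string
{
    if (!is_string($input) || !isset(FIELD_RULES[$field])) {
        return null;
    }
    $value = trim($input);
    // preg_match() gives 1 on match, 0 on mismatch, false on a regex error
    return preg_match(FIELD_RULES[$field], $value) === 1 ? $value : null;
}

// Checks each expected field of a submission; unexpected keys are ignored
// and every missing or invalid field is reported by name.
function validateSubmission(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (array_keys(FIELD_RULES) as $field) {
        $value = allowlist($field, $post[$field] ?? null);
        if ($value === null) {
            $errors[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample submission standing in for $_POST.
$sample = [
    'name'    => "Ann O'Neil",
    'address' => '12 Main St. #4',
    'comment' => '<script>alert(1)</script>',   // rejected: < > ( ) not allowed
];
$result = validateSubmission($sample);        // $result['errors'] === ['comment']

// Validation and output encoding are separate steps: even accepted text is
// escaped when printed so the browser never interprets it as markup.
foreach ($result['clean'] as $field => $value) {
    echo $field, ': ', htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Rejecting rather than stripping keeps the error visible to the user and to logs, and the `htmlspecialchars()` call on output covers whatever the allow-list was not written to anticipate.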