Skip to main content

PHP Securely transform $_GET / $_POST array

Image
By User



I was checking my script for vulnerabilities and was shocked the way i used to do in the past which is extremely insecure:







foreach ($_GET as $key => $value){

    $$key = $value;

}







or shorter







extract( $_GET );







I altered with firebug some POST/GET variables to match a name i used in my script. they can be overwritten if the name would be guessed correctly.





So i thought i had to do it individually naming like this: $allowed_vars =







$allowed_vars = array("time","hotfile","netload","megaupload","user","pfda","xyz","sara","amount_needed");

    foreach ($_GET as $key => $value)

        {

             if (in_array($key,$allowed_vars))

                {

                    $$key = $value;

                }

        }







This way saves some time than naming them individually.





What kind of automation have to be used for this?


Labels:

Comments

  1. Tips For AllJanuary 17, 2012 at 1:28 AM

    I don't use any automatism of the kind.
    I see no point in assigning request variables to global variables automatically.
    If it's one or two variables, I could deal with them manually.
    If there are more, I'd rather keep them as array members for the convenient handling.

    Yet I am using some sort of whitelisting approach similar to yours.
    but not to create global variables out of POST data but to add that data into SQL query.

    Like in this simple helper function to produce SET statement:

    function dbSet($fields) {
    $set='';
    foreach ($fields as $field) {
    if (isset($_POST[$field])) {
    $set.="`$field`='".mysql_real_escape_string($_POST[$field])."', ";
    }
    }
    return substr($set, 0, -2);
    }

    $id = intval($_POST['id']);
    $fields = explode(" ","name surname lastname address zip fax phone");
    $query = "UPDATE $table SET ".dbSet($fields)." stamp=NOW() WHERE id=$id";

    ReplyDelete
  2. Tips For AllJanuary 17, 2012 at 1:28 AM

    You can save even more time by not extrating them at all. Just use them from the $_GET array. The advantages of this are not just avoiding collision with script variables (or worse) but also that you don't have to update that "automatism" when you add request parameters.

    When I am working with POST data, as from a form, I often process each explicitly:

    $data = array();
    $data['field1'] = someSaniFunction($_POST['field1']);
    $data['field2'] = someOtherFunction($_POST['field2']);
    ...


    In this way I ensure that each field is properly handled, and only the fields I expect are touched.

    ReplyDelete
  3. Tips For AllJanuary 17, 2012 at 1:28 AM

    In my experience, you shouldn't transform data in the $_REQUEST array into variables using $$ as it gives the possibility of overwriting variables held within the current scope.

    Instead, you should consider having a request object or array in which you filter the data and only access named variables that you require. This way, you do not have to keep extending your allowed variable names and still maintain security.

    The ZF for example has a request object, and they recommend using a input filter when working on this data:
    http://framework.zend.com/manual/en/zend.filter.input.html

    ReplyDelete
  4. Tips For AllJanuary 17, 2012 at 1:28 AM

    You can use the extract function in a more secure way:

    extract($_REQUEST, EXTR_SKIP);


    This will not overwrite variables that already exist in your code. See here for other parameters you can use

    ReplyDelete

Post a Comment

Popular posts from this blog

Why is this Javascript much *slower* than its jQuery equivalent?

By User
I have a HTML list of about 500 items and a "filter" box above it. I started by using jQuery to filter the list when I typed a letter (timing code added later): $('#filter').keyup( function() { var jqStart = (new Date).getTime(); var search = $(this).val().toLowerCase(); var $list = $('ul.ablist > li'); $list.each( function() { if ( $(this).text().toLowerCase().indexOf(search) === -1 ) $(this).hide(); else $(this).show(); } ); console.log('Time: ' + ((new Date).getTime() - jqStart)); } ); However, there was a couple of seconds delay after typing each letter (particularly the first letter). So I thought it may be slightly quicker if I used plain Javascript (I read recently that jQuery's each function is particularly slow). Here's my JS equivalent: document.getElementById('filter').addEventListener( 'keyup', function () { var jsStart = (new Date).getTime()...
3 comments
Read more

Is it possible to have IF statement in an Echo statement in PHP

By User
Thanks in advance. I did look at the other questions/answers that were similar and didn't find exactly what I was looking for. I'm trying to do this, am I on the right path? echo " <div id='tabs-".$match."'> <textarea id='".$match."' name='".$match."'>". if ($COLUMN_NAME === $match) { echo $FIELD_WITH_COLUMN_NAME; } else { } ."</textarea> <script type='text/javascript'> CKEDITOR.replace( '".$match."' ); </script> </div>"; I am getting the following error message in the browser: Parse error: syntax error, unexpected T_IF Please let me know if this is the right way to go about nesting an IF statement inside an echo. Thank you.
5 comments
Read more