Background
I use .htaccess to redirect every URI to a single PHP file that displays the right page by calling different functions with different inputs based on the requested URI. I found myself checking user input twice: once in the handling PHP file, which first checks that everything is fine before calling the display function, and then again within the display function, to make sure nobody exploits the function by calling it with wrong parameters (e.g. with the username of someone else). This means that I need twice as many MySQL queries etc. for checking valid inputs.
I can't just check within a function because based on those checks, the handling PHP file calls different functions. So I have to perform the checks at least there. But the more I think about it, the more I wonder, if it is necessary to check again within a function. I started this because I was worried that somebody might call one of my functions with improper input, but I guess if somebody can call one of my PHP functions and pass wrong parameters, I'm pretty much screwed already right? Because as far as I understand PHP, this would mean that this person already has access to my server at least via a shell or something like that.
I should further add that I never ever call a function via a variable like discussed in this thread: Call PHP function from URL
Question
Is it a security risk, not to check the parameters passed to a function within that function, if you already checked it before the function call?
Good rule of thumb - Pretend EVERYONE is out to pwn your app! (Yes, get out your tin foil hat!) Good practice would be to clean the data; for example, when putting data in a database, you should still clean it coming back out of the database.
Unless you are in a position where one of your functions is providing the parameters and there is no way to access the (potentially insecure) function except through the preparation function, then I would advise cleaning all data.
HTHs - Thanks,
//P
Check out Private Public and Protected Functions
Related
I have an application with the following code:
<?php
if (isset($_GET['function'])) {
    $_GET['function']();
}
?>
So if I entered this URL: http://localhost/?function=phpinfo
I will see the phpinfo function output on the screen.
Can I have a way to concatenate 2 functions in the URL like this example:
http://localhost/?function=shell_exec('ls') AND phpinfo
So i want to see the first function output..
If you are asking why I need this, it is because I am pen testing a web application with this situation.
By the way, any suggestion to hack this situation will help.
Thanks for the help..
You cannot concatenate functions as it's not code injection per se, i.e. you cannot affect the way the parser reads the code. Furthermore, in the example you provided you have no control over any parameters passed to the function, so what you are proposing is not feasible.
You would have to find a way to pass control to a function which performs unsafe operations directly on user supplied input ($_GET, $_POST, etc.) in order to leverage this weakness into remote code execution. Depending on the complexity of the application you may be able to identify a function which calls system, eval, unserialize, or another dangerous function on user supplied data.
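The following is an added example, not the questioner's application or code from the thread. It shows what the engine actually does with the `function` parameter (the whole string is looked up as one function name, which is why the `AND` trick fails), and then the fixed route table a practitioner would replace the pattern with: the parameter is a lookup key, never a function name, and every argument a handler needs is validated and passed in typed. The `reports/` directory and the handler names are assumptions for the demo; requires PHP 8.

```php
<?php
declare(strict_types=1);

// 1. What "$_GET['function']()" checks: is_callable() on the whole string.
function probe(string $candidate): bool
{
    return is_callable($candidate);
}
probe('phpinfo');                         // a plain function name is callable
probe("shell_exec('ls') AND phpinfo");   // not a function name, so the call fails
probe('shell_exec');                      // callable unless disabled, but it would run with no argument

// 2. Hardened dispatcher: a fixed map from request parameter to handler.
//    match() uses strict comparison; anything outside the list is a 404.
function dispatch(array $query): string
{
    return match ($query['function'] ?? null) {
        'info'   => showInfo(),
        'report' => showReport((string) ($query['name'] ?? '')),
        default  => notFound(),
    };
}

function showInfo(): string
{
    return 'PHP ' . PHP_VERSION;
}

function showReport(string $name): string
{
    // Allowlist the identifier instead of escaping it: no shell is involved,
    // and '..', '/', NUL and quotes simply fail the pattern.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $name)) {
        return notFound();
    }
    $path = __DIR__ . '/reports/' . $name . '.txt';   // hypothetical report directory
    return is_file($path) ? (string) file_get_contents($path) : notFound();
}

function notFound(): string
{
    http_response_code(404);
    return 'not found';
}

// Constructed sample requests, as the dispatcher would see $_GET.
echo dispatch(['function' => 'info']), "\n";
echo dispatch(['function' => "shell_exec('ls') AND phpinfo"]), "\n";          // falls to default
echo dispatch(['function' => 'report', 'name' => '../../etc/passwd']), "\n";   // fails the pattern
echo dispatch(['function' => 'report', 'name' => 'q1']), "\n";                 // only if reports/q1.txt exists
```

The design choice worth noting is that `showReport` never sees `$_GET` at all: the dispatcher is the single place that reads the request, so the chain the answer describes (dispatcher hands control to a function that itself reads user input into `system`, `eval` or `unserialize`) has nowhere to start.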
I'm trying to save all my session data in the Database and have this class that should handle all that and have used session_set_save_handler to set that up. Now, I don't know if it's because I don't fully understand the whole idea behind that function but the problem I'm running into is that the read() function of my Session handler class is called BEFORE the write() function is. And the reason why that is not good is because read() is trying to look for information in the database that has yet to be written into the database and of course it gets empty results.
So I decided to read the documentation behind session_set_save_handler and it looks like the only time write() is called is when the session is terminated or when PHP is closed. From my perspective this seems pretty useless... why would anyone write() or store this information at the END before they could ever get a chance to retrieve it?
What I'm trying to do is when someone creates a user session, this information is written into the database, and whenever I want to check for authentication or look up user values I want to retrieve said information.
Am I going about this all wrong?? I appreciate any clarification. If anyone needs any code to demonstrate what I'm trying to do I'll update this.
From my perspective this seems pretty useless... why would anyone write() or store this information at the END before they could ever get a chance to retrieve it?
What do you mean before they got a chance to retrieve it?
To retrieve it, the read method is called – and it is called before, so that you already have the info. But somehow this is what you are complaining about …?
Am I right in assuming that you don’t have much understanding of how PHP’s session mechanism works at all?
You call session_start on top of every script. If PHP finds a session id in the parameters passed to the script, it looks for an existing session with that id, and if it finds one, it reads the data from it. From that point on, you can work with that data – PHP has put it into the super-global array $_SESSION for you. You can access it from there, and you can put new data into it or alter the existing data.
And then, when the script ends, or session_write_close is called, the data is written back.
So of course the read function is called before the write function.
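A complete handler for the read-then-write sequence described above, added here as an example and not code from the question or the answer. It uses an in-memory SQLite database through PDO so it runs stand-alone; the `sessions` table layout and the 1440-second lifetime are the example's own choices. The two simulated requests at the bottom show that `read()` sees nothing on the first request, `write()` runs only at `session_write_close()`, and the second request gets the stored data back. Requires PHP 8.

```php
<?php
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $ttl = 1440)
    {
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, updated_at INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Called by session_start(): return the serialized data, or '' for a new/expired id.
    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare(
            'SELECT data FROM sessions WHERE id = :id AND updated_at > :expiry');
        $stmt->execute([':id' => $id, ':expiry' => time() - $this->ttl]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['data'] : '';
    }

    // Called at session_write_close() or script end, never in the middle of a request.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, updated_at) VALUES (:id, :data, :t)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE updated_at < :t');
        $stmt->execute([':t' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new PdoSessionHandler($pdo), true);

// Request 1 (simulated): log the user in. read() finds no row yet; the row is
// written when the session is closed, not when $_SESSION is assigned.
session_start();
session_regenerate_id(true);        // fresh id once the auth state changes
$_SESSION['user_id'] = 42;
$sid = session_id();
session_write_close();

// Request 2 (simulated): the browser presents the same id; read() now returns the row.
session_id($sid);
session_start();
echo 'user_id from DB-backed session: ', $_SESSION['user_id'], "\n";
session_write_close();
```

Two caveats for real use: this handler does no locking, so two concurrent requests for the same session can overwrite each other's `write()`, which the default file handler prevents with `flock`; and because the row is only written at close, anything that must be visible to another request mid-script needs `session_write_close()` called early.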
I've never understood this, and on my own projects I have never needed it. But I've been contributing to WordPress a little, and they use it heavily.
Somehow they are able to redirect the user to a different page with some sort of GET variable in the URL (which is what I understand to be the advantage of using GET over POST). How do they do this? Is it as simple as making a header like header('site.com/page.php?foo=true');? This can't be useful since you have to hard code everything in (unless you want to create a string based on other variables which is kind of annoying, even still). I thought there would be a built-in function like send_get('page.php', $foo);.
I understand how to use information by using $foo = $_GET['foo'];, but I don't know how to send it with PHP.
An explanation would be appreciated - thanks!
There isn't exactly a "customary" way of using it. It is one of nine superglobals. The way you use them is at your discretion. As Greg P already mentioned, they are passed through the URL.
I know how to set up a HTML form that sends variables this way, but how can I do the same thing with PHP?
If you're talking about sending GET variables with PHP solely, the answer is no. You needn't even have PHP to send a GET variable. It is as simple as adding a question mark followed by a variable name = something. Separate several of them using an ampersand (&)
Setting up a GET variable is as easy as creating an anchor link.
<a href='somepage.php?getVar1=foo&anotherVariable=2&thirdVar=3'>link</a>
You can use PHP to dynamically place certain information in there instead of writing it manually, which is the entire purpose of the language to begin with. It is a preprocessor.
So, something like this should get you started
<?php
$someID = $row['id']; // an id pulled from a mysql_query result row
echo "<a href='somepage.php?someID=" . $someID . "'>GET LINK</a>";
I thought there would be a built-in function like send_get('page.php', $foo);
Again, PHP is a preprocessor. It doesn't send information, it only outputs it. What you're talking about is Javascript.. moreover, AJAX. AJAX is the only method that will allow you to send GET variables "behind-the-scenes". And, like was mentioned in another post, jQuery has an awesome codebase for this.
I think you're missing the forest for the trees...the $_GET/$_POST are just variables that are passed to the page processing them - what is DONE with them and how it is done, is up to the design of the application. For example, Joomla always puts the component_id and the item_id in the $_GET array, and has been designed with that in mind, so expects them to be there, and constructs the page, or redirects, or whatever with that in mind.
In your example, a send_get() function might be a good idea (I didn't design it), but the architects didn't see it that way for one reason or another. Joomla happens to have a redirect function that does have a certain dependency on what was passed in the $_GET, but that is only by design of the application's authors.
Maybe the redirect URL is kept in some session variable. Probably the $_GET variable indicates to WordPress: "check session variable for redirect URL".
PHP.net says:
An associative array of variables passed to the current script via the URL parameters.
URL parameters: generally are variables passed to a script via the URL such as in your example site.com/page.php?foo=true. Everything after the ? is considered a parameter.
Quoted from a StackOverflow question:
The HTTP protocol defines GET type requests as being idempotent, while POST may have side effects. In plain English that means that GET is used for viewing something, without changing it, while POST is used for changing something. For example, a search page should use GET, while a form that changes your password should use POST.
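An added example (not WordPress or Joomla code) of the redirect-with-GET-parameters pattern the question asks about, written the way a practitioner would: the query string is built with `http_build_query()` so every value is percent-encoded, and the `redirect_to` value is restricted to a local path so the parameter cannot be turned into an open redirect. The helper names and the sample values are the example's own.

```php
<?php
declare(strict_types=1);

// Build "$path?k=v&k2=v2" with every key and value encoded. A value such as
// "a&b=c" or "http://x/?y" stays one parameter instead of splitting into several.
function buildUrl(string $path, array $params): string
{
    return $path . ($params ? '?' . http_build_query($params) : '');
}

// Accept only a local absolute path for a "return to" target. Rejects
// "http://evil", "//evil", "/\evil" and anything containing CR/LF (which
// header() also refuses, but fail closed here rather than rely on that).
function localPath(string $candidate, string $fallback = '/'): string
{
    return preg_match('#\A/(?![/\\\\])[^\r\n]*\z#', $candidate) === 1 ? $candidate : $fallback;
}

function redirectTo(string $url): void
{
    header('Location: ' . $url, true, 302);
    exit;
}

// Usage in a form handler (constructed values, not from a real request):
$url = buildUrl('/login.php', [
    'redirect_to' => localPath('/wp-admin/?page=settings&tab=2'),
    'msg'         => 'saved & closed',
]);
// The receiving script reads $_GET['redirect_to'] and $_GET['msg'] already
// decoded; the slashes, '?', '=' and '&' inside them survive the round trip
// because buildUrl() encoded them.
redirectTo($url);
```

With `localPath()` in place, an attacker who crafts `?redirect_to=//evil.example` gets sent to `/` instead; without it, the login page would happily forward the user, and their session, to a site of the attacker's choosing.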
What is the proper way of validating data? I mean say you have an insert function:
function newUser($name, $lastname, $age) {
    // some validation process
    $this->pdo->prepare("INSERT INTO user VALUES (?,?,?)",
        array($name, $lastname, $age)); // this is another class
                                        // that runs execute in itself
}
So basically, the question is whether the //some validation process part should take place in the newUser function or should it be done outside the function? I am asking this because I am writing a request class in which I will store basic validation rules and automatically filter my GET and POST values. So if I do that, and if I also validate inside newUser (similarly in other functions like this), it means that I will validate the same input twice or maybe thrice.
So in short, is there anything wrong if I assume that variables that are passed to function newUser are already validated? In this case, I am also assuming that newUser is only called from my application (I am not sure whether a third party can also run the function without my permission, this is actually why I asked the question) and therefore the variables are already validated before having called the newUser function.
P.S: Sorry if the question is asked in a complicated way, just comment if you don't understand what I mean.
If I were you, I would make a validation class; this contains kinds of validation (for email, string, numbers, string and numbers).
Depending on what you want the vars in your function to be, validate them like that and put them in the database.
A third party shouldn't be able to run your function if you make sure you script safely.
Example how not to script:
include( $_GET['file'] );
Basically, I could put my own file to include in your system using the ?file parameter in your URL. This is also possible with queries:
mysql_query( "INSERT INTO table (row) VALUES (". $_GET['value'] .")" );
You should always check parameters that can be accessed from outside of your scripts, so in your case making a new user, you would have to validate it in your new user function before you put it in your database.
It depends on how you are working. For example, if you were using the MVC pattern, the test should be done in the Controller (so not in the function you are using).
In your case you have to choose whether to validate the data using a validation function (or maybe a method of a class) and then use the one you wrote to insert the data, or to let this function ensure them. I would suggest the first solution so the "insert" function will achieve just one task.
Just to improve my answer, I suggest you ensure the data is checked at least for SQL injection and for XSS (Cross-Site Scripting).
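The first question on this page and this one ask the same thing, so one added example (not code from either question or from any answer) covers both. It puts the two kinds of checks in different layers: the request layer parses the raw `$_POST` values once into typed arguments, and the model function enforces its own invariants with type declarations and cheap guards rather than a second round of queries. The point a practitioner cares about is the second caller at the bottom: a CLI import or a future controller that skips the request layer still cannot get bad data into `newUser`. Uses an in-memory SQLite database so it runs stand-alone; the table layout and the length/age limits are assumptions. Requires PHP 8.

```php
<?php
declare(strict_types=1);

final class UserRepository
{
    public function __construct(private PDO $pdo)
    {
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS user (
            id INTEGER PRIMARY KEY, name TEXT NOT NULL, lastname TEXT NOT NULL, age INTEGER NOT NULL)');
    }

    // Invariants live here: the signature rejects wrong types outright, and the
    // guards below cost no database query. Authorization checks (is the caller
    // allowed to act on this user?) belong here too, for the same reason.
    public function newUser(string $name, string $lastname, int $age): int
    {
        if ($name === '' || $lastname === '' || strlen($name) > 64 || strlen($lastname) > 64) {
            throw new InvalidArgumentException('name and lastname must be 1-64 bytes');
        }
        if ($age < 0 || $age > 150) {
            throw new InvalidArgumentException('age out of range');
        }
        // Prepared statement: the values never touch the SQL text.
        $stmt = $this->pdo->prepare(
            'INSERT INTO user (name, lastname, age) VALUES (:name, :lastname, :age)');
        $stmt->execute([':name' => $name, ':lastname' => $lastname, ':age' => $age]);
        return (int) $this->pdo->lastInsertId();
    }
}

// Boundary layer: the only code that knows about $_POST. It turns untyped
// strings into the typed arguments the model expects, once per request.
function parseNewUserRequest(array $post): array
{
    $name     = trim((string) ($post['name'] ?? ''));
    $lastname = trim((string) ($post['lastname'] ?? ''));
    $age      = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($name === '' || $lastname === '' || $age === false) {
        throw new UnexpectedValueException('invalid form input');
    }
    return [$name, $lastname, $age];
}

$pdo  = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$repo = new UserRepository($pdo);

// Normal path (constructed form data): the controller validates, the model trusts the types.
[$n, $l, $a] = parseNewUserRequest(['name' => 'Ada', 'lastname' => 'Lovelace', 'age' => '36']);
echo 'inserted id ', $repo->newUser($n, $l, $a), "\n";

// A caller that bypassed the request layer still cannot insert garbage.
try {
    $repo->newUser('', 'Nobody', 999);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// And a string where int is declared fails before the function body runs.
try {
    $repo->newUser('Bob', 'Smith', '42 OR 1=1');
} catch (TypeError $e) {
    echo "rejected: TypeError\n";
}
```

This is the answer to "do I validate twice": the request layer validates *shape* (is it an int, is it present), the model enforces *invariants* (range, non-empty, ownership), and neither repeats the other's work. The only check that genuinely needs the database, uniqueness, is best expressed as a constraint on the table so it is enforced exactly once, by the INSERT.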
/* define page path */
define("PAGE_DIR", "pages/");
if (file_exists(PAGE_DIR."$_GET[page].php")) include(PAGE_DIR."$_GET[page].php");
How safe is this? Could you for example include a page on another webserver if the page is in a folder called pages?
Thanks
This isn't safe at all - Think about what happens if $_GET[page] contains ../../../somewhere/else/
You should explicitly have a list of allowed pages.
Edit: I don't think it could include a file from a different server, but it's still not a good thing to be doing.
It's never good practice to pass unsanitized user input directly to a command, especially something like include(). You don't necessarily know how the underlying webserver/OS is going to handle, for example, relative paths, extended characters, etc. Any of these, used maliciously or otherwise, could result in the user seeing something they're not supposed to see.
One possible exploit: user passes in the relative path to a malicious script in a known location on the server. http://webserver/yourscript.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fhome/bad_user/evil_script
which your function could translate to pages/../../../home/bad_user/evil_script.php, which include will happily include, sometimes. So your web page when served could very well execute bad_user's php script, which he could use to do all kinds of nasty stuff.
At the very least you should assign $_GET['path'] to a new variable and addslashes().
Doing anything with $_GET or $_POST prior to validating/sanitizing the data is dangerous. Assume that all users are out to get you, and sanitize the data prior to using it.
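An added example, not the questioner's code, of the two defences for the `?page=` include above: an explicit allowlist (preferred, as the first answer says) and, for page sets that are not fixed, a `realpath()` containment check on the resolved path. The check is on the resolved path because `..` segments survive quoting; only resolving the path reveals where it really points. The temporary directory layout, file names and inputs are constructed for the demo. Requires PHP 8.

```php
<?php
declare(strict_types=1);

const PAGES = ['home', 'about', 'contact'];   // the allowlist of page names

function allowlistedPage(string $dir, string $page): ?string
{
    // Strict in_array(): with loose comparison "0" or "" could match unexpectedly.
    return in_array($page, PAGES, true) ? $dir . $page . '.php' : null;
}

function containedPage(string $dir, string $page): ?string
{
    if ($page === '' || str_contains($page, "\0")) {
        return null;                        // NUL truncated paths in older PHP; realpath() rejects it
    }
    $base   = realpath($dir);
    $target = realpath($dir . '/' . $page . '.php');
    if ($base === false || $target === false) {
        return null;                        // directory or file does not exist
    }
    // realpath() resolves '..' and symlinks; the result must stay under $base.
    return str_starts_with($target, $base . DIRECTORY_SEPARATOR) ? $target : null;
}

// Demo layout: pages/home.php is legitimate, secret.php sits one level up,
// mirroring the "../" traversal the answers describe.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/secret.php", "<?php echo 'secret';");

$inputs = [
    'home',                         // legitimate page
    '../secret',                    // traversal to a sibling file
    '../../../../../etc/passwd',    // traversal out of the web root
    "home\0",                       // NUL byte
    '0',                            // loose-comparison trap
];
foreach ($inputs as $in) {
    printf("%-30s allowlist=%-6s contained=%s\n",
        json_encode($in),
        allowlistedPage("$root/pages/", $in) ? 'ok' : 'reject',
        containedPage("$root/pages", $in) ? 'ok' : 'reject');
}

// Clean up the demo files.
unlink("$root/pages/home.php");
unlink("$root/secret.php");
rmdir("$root/pages");
rmdir($root);
```

Both checks reject every traversal input and accept only `home`. The allowlist is the stronger of the two because it never touches the filesystem with attacker-controlled data at all; the containment check is the fallback when pages are added without a code change, and it must be applied to the *resolved* path, not the raw string.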