I've seen different comments all over the place, some say that zend framework automatically sanitizes post/get data but others say it doesn't.
What's the deal? I've seen that doing it in the predispatch with a foreach on getParams is the quickest way, but does anyone have any suggestions?
Probably the deal is about Zend_Controller_Request vs the Zend_Db. Request data are often put into the DB.
Request object does not escape anything. You may force it to do using filters, form filters or e.g. using the reflection technique described here:
Actions, now with parameters!
Zend_Db queries are basically escaped like in other ORM's, like in PDO.
It does not automatically sanitize any request data. It cannot, because that requires it to know how to sanitize it, e.g. should $_GET['foo'] be string sanitized or for numbers? You have to tell it.
Whether you sanitize input manually in the respective Controller Actions or in an ActionHelper or automatically in a Controller Plugin or during bootstrap or with a mixture of these is up to you.
Use what is appropriate.
It definitely doesn't automatically sanitise your variables for you. You could do something like foreach or use array_map depending on the context, for example:
$_POST = array_map('mysql_real_escape_string', $_POST);
Ideally though you should treat each variable on a case by case basis. Personally i make a lot of use of PHP's filter_var for filtering and sanitizing.
Related
I am writing a search function that enables users to search a particular table on my database. My website runs on CodeIgniter.
For the search function, I use $_GET instead of the CodeIgniter $this->input-get() since I had trouble using the latter within a helper function.
Now, here's a security question:
What is the best way to sanitize and filter malicious characters in the $_GET array in order to prevent XSS and SQL injection?
Bearing in mind that data in the $_GET array will be used to query the database and retrieve info from it.
Is there a recursive way to clean the entire $_GET array without having to go thru one by one element?
Should I use PHP's filter methods or CodeIgniter's?
Any advice will be greatly appreciated!
Thanks in advance!
Codeigniter disables $_GET by default. Using the URI class you can simulate $_GET variables:
GET parameters in the URL with CodeIgniter
You can hack around it and use $_GET, which it sounds like you've done. But I wouldn't recommend that. You should use CodeIgniter's Input class. That provides XSS filtering and you can clean the entire $_GET array by running:
$this->input->get(NULL, TRUE); // returns all GET items with XSS filter
If you use Codeigniter's database utility class to run your queries, it has an escape function built in. Look at the Escaping Queries section.
http://ellislab.com/codeigniter/user-guide/database/queries.html
You can use $this->db->escape($variable) to escape values in queries. It is strongly recommended to use CI's input class though.
Read more at : http://ellislab.com/codeigniter/user-guide/database/queries.html
I am using codeigniter, and at the moment I am making full body search, and I am wondering what is the best practice to do this. For now I have this:
$keyword = $this->db->escape_like_str(trim($_POST['keyword']));
After that, search is performed. Is this safe or I need to do something more (XSS Filtering is on)?
Because you are accessing the _POST variable directly, you're bypassing all CI's XSS/Escaping and security features. You should be getting that as:
$this->input->post('keyword');
This is automatically escaped by CI, and you can perform other validations before just throwing it at the DB. Also if you use active record, then all values are automatically escaped as required too.
Is it ok to pass $_GET as a parameter of a constructor?
I'm guessing not but would like some constructive arguments that will hopefully raise the following please?
Best strategy for dealing with $_GET at the client
Security issues around $_GET
Thanks in advance for your interest.
Your question could use a little clarification, but if you're talking about an object constructor function __construct():
It wouldn't harm anything to pass $_GET to an object constructor, however it's unnecessary because the $_GET superglobal is already available to any class you create.
Subjectively, I tend not to access $_GET $_POST $_SESSION inside classes directly myself very often. Usually I'll pass in the array values from the superglobals that I'll actually be needing. This is strictly a personal preference though, because it's always looked weird to me to access them inside class methods. There's nothing wrong with doing it.
$_GET is a variable like any other, and can be used as such. You can pass it anywhere you would pass another variable.
Since $_GET contains user-provided data, you should always clean that data before performing operations on it. Escape the data before inserting it into a database or outputing it as HTML.
You could argue that one of the points of using OO programming and classes is encapsulation. By passing though a global parameter you don't break the arrangement, but you do compromise it slightly.
Technically there is no issue as long as you are assigning the values of the $_GET parameter within your constructor. If you're actually assigning a reference, or calling $_GET within your methods, you're leaving yourself open to the possibility of the functionality of your class being compromised by changes outside.
Of course. The data in $_GET is just like any other data. You just need to remember that data from the user can never be trusted.
If your classes are sanitizing data for use, generally this isn't an issue anyway. Just be extra cautious to avoid things such as SQL injections and XSS.
I've got (I hope) a very simple question for experts at MVC structure:
where to apply input filtering and validation? Controller or model?
I've read a lot of tutorials and manuals on filtering user input, but haven't noticed a lot of discussion where it should be applied. When using forms, it's simple, actually almost everything is done for you by Zend_Form via Zend_Filter and Zend_Validate.
But when I have to filter single value from user input and pass it to the model, what is the best practice, to do cleaning before passing it to the model, or in the model itself?
Lets assume I am creating a model, that other people will use too, and it is doing some important work on filesystem. Am I 100% sure other people will properly prepare parameters before passing it to the model? I am not, so the best would be cleaning parameters in the model itself.
But that's just my thoughts, and as I said before, I'd like to hear yours, right from the masters of the profession ;)
Nice day.
IMHO it depends on whether you know in advance the kind of validation you will have to do.
If it's something that could be expressed as a regex, leave it in the controller, otherwise I think the model should be its place.
Examples.
You have to validate an email address: controller, so the model can be passed some sanitized input and just take care of the actual processing.
You have to check whether a path in the filesystem exists: the controller will take care of seeing if it's a well-constructed path; the model will check if it actually exists in the filesystem in question.
You have to check whether an user-provided string $x can produce an hash $y you stored somewhere: model.
I would say in the controller. My understanding is that models should be constructed under the assumption that they are being given valid data to work with (but with sensible precautions in place in case they're not, such as using prepared statements for database access), and leaving the actual validation of data to an outside agent, in this case the controller.
Typically you do it in the controller. Model should be dealing with legit, usable data.
I'm familiarizing myself with Kohana. I've been reading up on the Input library, which automatically pre-filters GET and POST data for me, and the Validation libary, which helps with form filtering and validation.
Should I use both together? The examples given in the Validation library documentation use the unfiltered $_POST array instead of $this->input->post(). Seems to me it would be more secure to chain the two, but the two sets of documentation seem to make no mention of each other, so I don't know if this would be redundant or not.
The $_POST, $_GET, and $_COOKIE globals are pre-sanitized if global XSS filtering is turned on (it's on by default). That's one of the reasons why your code extends the Kohana classes, so that housekeeping stuff like input sanitization is taken care of for you. They encourage use of the input library methods, though, so there's no reason not to use them. They may just use $_POST in the validation examples because they want to explain the different libraries independent of one another.
Their code to instantiate a validation class should be:
$post = new Validation( $this->input->post() );
And yes, by all means use them together! It's all meant to fit together nicely.
Yes, use both of them together.
If you review the Input library, you'll see that if it is enabled (which is the default and can be disabled via changing $config['global_xss_filtering'] to FALSE, in config/config.php), then it modifies the $_POST, $_GET, $_SERVER, and $_COOKIE variables, so whether you access them through $this->input->get(), or $_GET, the values will both be filtered.