I'm familiarizing myself with Kohana. I've been reading up on the Input library, which automatically pre-filters GET and POST data for me, and the Validation libary, which helps with form filtering and validation.
Should I use both together? The examples given in the Validation library documentation use the unfiltered $_POST array instead of $this->input->post(). Seems to me it would be more secure to chain the two, but the two sets of documentation seem to make no mention of each other, so I don't know if this would be redundant or not.
The $_POST, $_GET, and $_COOKIE globals are pre-sanitized if global XSS filtering is turned on (it's on by default). That's one of the reasons why your code extends the Kohana classes, so that housekeeping stuff like input sanitization is taken care of for you. They encourage use of the input library methods, though, so there's no reason not to use them. They may just use $_POST in the validation examples because they want to explain the different libraries independent of one another.
Their code to instantiate a validation class should be:
$post = new Validation( $this->input->post() );
And yes, by all means use them together! It's all meant to fit together nicely.
Yes, use both of them together.
If you review the Input library, you'll see that if it is enabled (which is the default and can be disabled via changing $config['global_xss_filtering'] to FALSE, in config/config.php), then it modifies the $_POST, $_GET, $_SERVER, and $_COOKIE variables, so whether you access them through $this->input->get(), or $_GET, the values will both be filtered.
Related
I am writing a search function that enables users to search a particular table on my database. My website runs on CodeIgniter.
For the search function, I use $_GET instead of the CodeIgniter $this->input-get() since I had trouble using the latter within a helper function.
Now, here's a security question:
What is the best way to sanitize and filter malicious characters in the $_GET array in order to prevent XSS and SQL injection?
Bearing in mind that data in the $_GET array will be used to query the database and retrieve info from it.
Is there a recursive way to clean the entire $_GET array without having to go thru one by one element?
Should I use PHP's filter methods or CodeIgniter's?
Any advice will be greatly appreciated!
Thanks in advance!
Codeigniter disables $_GET by default. Using the URI class you can simulate $_GET variables:
GET parameters in the URL with CodeIgniter
You can hack around it and use $_GET, which it sounds like you've done. But I wouldn't recommend that. You should use CodeIgniter's Input class. That provides XSS filtering and you can clean the entire $_GET array by running:
$this->input->get(NULL, TRUE); // returns all GET items with XSS filter
If you use Codeigniter's database utility class to run your queries, it has an escape function built in. Look at the Escaping Queries section.
http://ellislab.com/codeigniter/user-guide/database/queries.html
You can use $this->db->escape($variable) to escape values in queries. It is strongly recommended to use CI's input class though.
Read more at : http://ellislab.com/codeigniter/user-guide/database/queries.html
There are many frameworks that will provide a helper object for dealing with these variables i.e. symfony has a sfRequest object that has a member function getParameter() that can get used to get $_POST and $_GET variables.
I'm wondering if Wordpress has something similar to this? I've seen this solution that seems to append the new variables to the query_vars action, however some articles mention it will only work with GET. I was unable to get this to work with a form using both $_POST and $_GET myself, and certainly wouldn't think this is ideal to use if you have many variables that can be passed this way.
Is using plain old $_REQUEST, $_POST and $_GET the standard way to do work with request variables in Wordpress? Or is there a better way (specifically using the functions provided by Wordpress, rather than other libraries) to handle this?
The closest thing I could find was the HTTP API, but that's only for sending requests. There's no wrapper class for dealing with such superglobals that's specific to WordPress.
I would like to check if there are blank embedded forms into my form, and delete the old ones from my database, and unset the new ones, so the validators don't consider them....
what I'm doing is to unset() the forms i don't want to consider,, but I was wondering if there is any better symfonian way to do it... I've seen the code of sfForm.class.php, but didn't find a method just the opposite to embbedForm()
Any ideas? do I have to use unset()?
Use it without worries.
Just like you did to unset form fields in the older symfony versions (fx unset($this['name']). Newer versions have introduced a method useFields($array), but you can still use the unset function. As you can see here here, you can use it to unset an array element. And symfony's sfForm implements ArrayAccess.
Is it ok to pass $_GET as a parameter of a constructor?
I'm guessing not but would like some constructive arguments that will hopefully raise the following please?
Best strategy for dealing with $_GET at the client
Security issues around $_GET
Thanks in advance for your interest.
Your question could use a little clarification, but if you're talking about an object constructor function __construct():
It wouldn't harm anything to pass $_GET to an object constructor, however it's unnecessary because the $_GET superglobal is already available to any class you create.
Subjectively, I tend not to access $_GET $_POST $_SESSION inside classes directly myself very often. Usually I'll pass in the array values from the superglobals that I'll actually be needing. This is strictly a personal preference though, because it's always looked weird to me to access them inside class methods. There's nothing wrong with doing it.
$_GET is a variable like any other, and can be used as such. You can pass it anywhere you would pass another variable.
Since $_GET contains user-provided data, you should always clean that data before performing operations on it. Escape the data before inserting it into a database or outputing it as HTML.
You could argue that one of the points of using OO programming and classes is encapsulation. By passing though a global parameter you don't break the arrangement, but you do compromise it slightly.
Technically there is no issue as long as you are assigning the values of the $_GET parameter within your constructor. If you're actually assigning a reference, or calling $_GET within your methods, you're leaving yourself open to the possibility of the functionality of your class being compromised by changes outside.
Of course. The data in $_GET is just like any other data. You just need to remember that data from the user can never be trusted.
If your classes are sanitizing data for use, generally this isn't an issue anyway. Just be extra cautious to avoid things such as SQL injections and XSS.
I've seen different comments all over the place, some say that zend framework automatically sanitizes post/get data but others say it doesn't.
What's the deal? I've seen that doing it in the predispatch with a foreach on getParams is the quickest way, but does anyone have any suggestions?
Probably the deal is about Zend_Controller_Request vs the Zend_Db. Request data are often put into the DB.
Request object does not escape anything. You may force it to do using filters, form filters or e.g. using the reflection technique described here:
Actions, now with parameters!
Zend_Db queries are basically escaped like in other ORM's, like in PDO.
It does not automatically sanitize any request data. It cannot, because that requires it to know how to sanitize it, e.g. should $_GET['foo'] be string sanitized or for numbers? You have to tell it.
Whether you sanitize input manually in the respective Controller Actions or in an ActionHelper or automatically in a Controller Plugin or during bootstrap or with a mixture of these is up to you.
Use what is appropriate.
It definitely doesn't automatically sanitise your variables for you. You could do something like foreach or use array_map depending on the context, for example:
$_POST = array_map('mysql_real_escape_string', $_POST);
Ideally though you should treat each variable on a case by case basis. Personally i make a lot of use of PHP's filter_var for filtering and sanitizing.