I have the following constructor:
public function __construct(){
foreach($_GET as $key=>$value){
$_GET[$key] = addslashes($value);
}
$this->get = $_GET;
}
and it's used like so:
$app->get['id']
Where 'id' is the parameter being passed through the URL.Is there a good way to sanitize all the data through the constructor?
A slightly shorter way to do this:
public function __construct(){
$this->get = array_map('mysql_real_escape_string', $_GET);
}
Why are you doing this? To prevent SQL injection?
Preventing injection should be done at the query-building level, and should most definitely be done with a more relevant function like mysql_real_escape_string, which will catch all odd cases, not just quotes. What you are doing here is no better than the infamous magic quotes functionality that has since been removed from PHP.
If you know the type of variable you're expecting you could cast it to the desired type such as
$this->id = (int)$app->get['id']; //forces type to be integer
Related
I'm asking this question because I'm still not quite sure if filter $_GET variable is enough to prevent mysql injection, so at first I have a filter function
function filter_url($url)
{
if (is_array($url))
{
foreach ($url as $key => $value)
{
// recurssion
$url[$key] = filter_url($value);
}
return $url;
}
else
{
// remove everything except for a-ZA-Z0-9_.-&=
$url = preg_replace('/[^a-zA-Z0-9_\.\-&=]/', '', $url);
return $url;
}
}
I have $_GET=filter_url($_GET); everytime before I call
$filter_case =isset($_GET['product_ID'])?"and product_ID={$_GET['product_ID']}":"";
Do I need to do $mysqli->real_escape_string($_GET['product_ID']) ? If I still have to imply it, what kind of sql injection will overpass my query method?
Besides, is it important to do $mysqli->real_escape_string($_SESSION['member_ID']) that I'm thinking of is anyone possible to manipulate his $_SESSION variable?
This is essentially wrong question to ask.
You need $mysqli->real_escape_string when adding a string literal into SQL query. In such a case you need this function regardless of whatever string source or validation. In any other case (ie string goes not in query or not as SQL string) this function going to be absolutely useless.
This is why it is essential to use prepared statements, either native or emulated.
I've tried the code below but it seems the javascript is run before the http request is sent to the server.
thanks
<?php
class secure
{
function secureSuperGlobalGET(&$value, $key)
{
$_GET[$key] = htmlspecialchars(stripslashes($_GET[$key]));
$_GET[$key] = str_ireplace("script", "blocked", $_GET[$key]);
$_GET[$key] = mysql_escape_string($_GET[$key]);
return $_GET[$key];
}
function secureSuperGlobalPOST(&$value, $key)
{
$_POST[$key] = htmlspecialchars(stripslashes($_POST[$key]));
$_POST[$key] = str_ireplace("script", "blocked", $_POST[$key]);
$_POST[$key] = mysql_escape_string($_POST[$key]);
return $_POST[$key];
}
function secureGlobals()
{
echo "in here";
array_walk($_GET, array($this, 'secureSuperGlobalGET'));
array_walk($_POST, array($this, 'secureSuperGlobalPOST'));
}
}
?>
get rid of your class "secure"
use mysql_[real_]escape_string only for the value that is gong into SQL query as a quoted string
whatever else SQL parts have to be formatted according to their role.
Format SQL parts right before assembling the query, not anywhere else.
or better use placeholders for this
Finally, to answer your question: use htmlspecialchars() on user-submitted values when echoing them out.
If the Javascript is run before the code returns to the server, than this is most likely some form of DOM Based XSS. The Javascript may be pulling the value of /"><script>alert(1)</script> and placing it directly into the DOM. You may have to change the way this is handled on the client side.
OWASP has a fantastic overview on how to defend against DOM based cross-site scripting attacks, such as these, here: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
$_POST = mysql_real_escape_string($_POST);
By executing this statement, does each post value now get escaped via mysql_real_escape_string?
No. That won't work at all: $_POST is an array: mysql_real_escape_string needs a string as its first argument. You can, however, achieve what you want with array_map:
$_POST = array_map('mysql_real_escape_string', $_POST);
Or array_walk_recursive as array_map does not work on array post values:
array_walk_recursive($_POST, function(&$v, $k) {$v = mysql_real_escape_string($v);});
Better, however, would be to use paramaterised queries: this is by far the most secure way to avoid SQL injection. Not only does the above option do needless escaping (for instance, members of the $_POST array that don't need to be inserted into the database), it also makes it harder to use the data in other contexts, e.g. returning them to the browser in some way.
No, but you can use array_walk()Docs or array_walk_recursive()Docs to achieve that, as mysql_real_escape_string()Docs requires a string (go figure...) as input, and you're passing it an array instead.
With this, you pass each array element the same callback function:
array_walk_recursive($_POST, 'escape');
escape($k,$v)
{
return mysql_real_escape_string($v);
}
But it's better to treat each value accordingly, for ex. casting an INT to INT, etc., or better yet, use parametrized queries.
Since $_POST is an array, this will going to give you an error.
link: http://php.net/manual/en/function.mysql-real-escape-string.php
$escapedPost = array_map(array($this, 'recursive_escape'), $_POST);
/**
* recursively escape an array containing strings and/or arrays
*/
function recursive_escape($value) {
if (is_array($value)) {
array_map(array($this, 'recursive_escape'), $value);
} else {
$value = mysql_real_escape_string($value);
}
return $value;
}
I'd like to use a variable like $GET[name] that always outputs a MySQL-safe version of $_GET[name], even if the value of $GET[name] changes somewhere in the script.
So:
$_GET[name] = "Timmy O'Toole";
echo $GET[name]; // Timmy O\'Toole
$_GET[name] = "Tommy O'Toole";
echo $GET[name]; // Tommy O\'Toole
Is this doable? If not, can you think of any other way that might work that doesn't involve an actual function call? (I'd like to be able to use the variables inside strings and have them automatically evaluate, rather than having to do a whole lot of concatenation.)
Update:
I used a version of mario's solution, and it seems to work:
// Assume $_REQUEST['name'] = "Timmy O'Toole";
class request_safe_vars IMPLEMENTS ArrayAccess {
var $array = array();
function offsetGet($varname) {
return mysql_real_escape_string($_REQUEST[$varname]);
}
function offsetSet($name, $value) { }
function offsetUnset($name) { }
function offsetExists($name) { }
}
$REQUEST = new request_safe_vars();
$_REQUEST['name'] = $_REQUEST['name'].' MODIFIED';
$query = "SELECT id FROM user WHERE name = '{$REQUEST['name']}'";
// Query output:
// SELECT id FROM user WHERE name = 'Timmy O\'Toole MODIFIED'
You don't want to do this.
Rather, the thing you're trying to do -- ensure that the database gets only sane values -- is correct, but the way you're going about it is a bad approach.
Instead of escaping all input as it comes in, you should escape it when you use it by choosing a database adapter that has this functionality built in. PDO is a great example of such a database adapter. PDO uses prepared statements and parameter binding to automatically escape and quote input. Here's an example that binds placeholders at execution time:
$statement = $pdo->prepare('SELECT id FROM users WHERE name = ?');
$statement->execute(array( $_GET['name'] ));
if($statement->rowCount() > 0) {
echo "I found you!";
} else {
echo "You don't exist. :(";
}
Prepared statements with placeholders and binding is the most sane and safe way to ensure that SQL is safe from attack.
That's doable with an object that implements ArrayAccess. By turning $GET into an object you can have a magic offsetSet and offsetGet method which can accomplish this.
class safe_vars IMPLEMENTS ArrayAccess {
var $array = array();
function offsetGet($varname) {
return mysql_real_escape_string($this->array[$varname]);
}
function offsetSet($name, $value) {
$this->array[$name] = $value;
}
function offsetUnset($name) { }
function offsetExists($name) { }
}
This is how you would use it:
$GET = new safe_vars();
$GET["name"] = "Timmy O'Toole";
echo $GET["name"]; // Timmy O\'Toole
I actually have something similar (but never implemented the set part) which specifically works on $_GET (as listed in your question). http://sourceforge.net/p/php7framework/svn/60/tree/trunk/php7/input.php?force=True - It can be configured to apply the sql filter per default for example. Though that approach feels a bit like magic_quotes even if it uses the correct escaping function.
First off, put quotes around 'name' unless you purposely define it as a constant.
Another suggestion would be to use a DB wrapper class such as PDO, mysqli, or your own, and use prepared statements and have the input escaped for you. This has the benefit of escaping data at the last possible time, which is optimal. Either that or you can create a very simple wrapper function, e.g.
function get($key) {
return isset($_GET[$key]) : mysql_real_escape_string($_GET[$key]) : null;
}
The problem with defining a class (unless you use it only statically) is that this strips $_GET of its superglobal status and you are forced to use either globals (evil) or pass all get arguments to local closures.
Anyone has an idea if this is at all possible with PHP?
function foo($var) {
// the code here should output the value of the variable
// and the name the variable has when calling this function
}
$hello = "World";
foo($hello);
Would give me this output
varName = $hello
varValue = World
EDIT
Since most people here 'accuse' me of bad practices and global variables stuff i'm going to elaborate a little further on why we are looking for this behaviour.
the reason we are looking at this kind of behaviour is that we want to make assigning variables to our Views easier.
Most of the time we are doing this to assign variables to our view
$this->view->assign('products', $products);
$this->view->assign('members', $members);
While it would be easier and more readable to just be able to do the following and let the view be responsible to determining the variable name the assigned data gets in our views.
$this->view->assign($products);
$this->view->assign($members);
Short answer: impossible.
Long answer: you could dig through apd, bytekit, runkit, the Reflection API and debug_backtrace to see if any obscure combination would allow you to achieve this behavior.
However, the easiest way is to simply pass the variable name along with the actual variable, like you already do. It's short, it's easy to grasp, it's flexible when you need the variable to have a different name and it is way faster than any possible code that might be able to achieve the other desired behavior.
Keep it simple
removed irrelevant parts after OP edited the question
Regardless of my doubt that this is even possible, I think that forcing a programmer on how to name his variables is generally a bad idea. You will have to answer questions like
Why can't I name my variable $arrProducts instead of $products ?
You would also get into serious trouble if you want to put the return value of a function into the view. Imagine the following code in which (for whatever reason) the category needs to be lowercase:
$this->view->assign(strtolower($category));
This would not work with what you're planning.
My answer therefore: Stick to the 'verbose' way you're working, it is a lot easier to read and maintain.
If you can't live with that, you could still add a magic function to the view:
public function __set($name, $value) {
$this->assign($name, $value);
}
Then you can write
$this->view->product = $product;
I don't think there is any language where this is possible. That's simply not how variables work. There is a difference between a variable and the value it holds. Inside the function foo, you have the value, but the variable that held the value is not available. Instead, you have a new variable $var to hold that value.
Look at it like this: a variable is like a bucket with a name on it. The content (value) of the variable is what's inside the bucket. When you call a function, it comes with its own buckets (parameter names), and you pour the content of your bucket into those (well, the metaphor breaks down here because the value is copied and still available outside). Inside the function, there is no way to know about the bucket that used to hold the content.
What you're asking isn't possible. Even if it was, it would likely be considered bad practice as its the sort of thing that could easily get exploited.
If you're determined to achieve something like this, the closest you can get would be to pass the variable name as a string and reference it in the function from the $GLOBALS array.
eg
function this_aint_a_good_idea_really($var) {
print "Variable name: {$var}\n";
print "Variable contents: {$GLOBALS[$var]}\n";
}
$hello="World";
this_aint_a_good_idea_really('hello');
But as I say, that isn't really a good idea, nor is it very useful. (Frankly, almost any time you resort to using global variables, you're probably doing something wrong)
Its not impossible, you can find where a function was invoked from debug_backtrace() then tokenize a copy of the running script to extract the parameter expressions (what if the calling line is foo("hello $user, " . $indirect($user,5))?),
however whatever reason you have for trying to achieve this - its the wrong reason.
C.
Okay, time for some ugly hacks, but this is what I've got so far, I'll try to work on it a little later
<?php
class foo
{
//Public so we can test it later
public $bar;
function foo()
{
//Init the array
$this->bar = array();
}
function assign($__baz)
{
//Try to figure out the context
$context = debug_backtrace();
//assign the local array with the name and the value
//Alternately you can initialize the variable localy
//using $$__baz = $context[1]['object']->$__baz;
$this->bar[$__baz] = $context[1]['object']->$__baz;
}
}
//We need to have a calling context of a class in order for this to work
class a
{
function a()
{
}
function foobar()
{
$s = "testing";
$w = new foo();
//Reassign local variables to the class
foreach(get_defined_vars() as $name => $val)
{
$this->$name = $val;
}
//Assign the variable
$w->assign('s');
//test it
echo $w->bar['s'];
}
}
//Testrun
$a = new a();
$a->foobar();
impossible - the max. ammount of information you can get is what you see when dumping
debug_backtrace();
Maybe what you want to do is the other way around, a hackish solution like this works fine:
<?php
function assign($val)
{
global $$val;
echo $$val;
}
$hello = "Some value";
assign('hello');
Ouputs: Some value
What you wish to do, PHP does not intend for. There is no conventional way to accomplish this. In fact, only quite extravagant solutions are available. One that remains as close to PHP as I can think of is creating a new class.
You could call it NamedVariable, or something, and as its constructor it takes the variable name and the value. You'd initiate it as $products = new NamedVariable('products', $productData); then use it as $this->view->assign($products);. Of course, your declaration line is now quite long, you're involving yet another - and quite obscure - class into your code base, and now the assign method has to know about NamedVariable to extract both the variable name and value.
As most other members have answered, you are better off suffering through this slight lack of syntactic sugar. Mind you, another approach would be to create a script that recognizes instances of assign()'s and rewrites the source code. This would now involve some extra step before you ran your code, though, and for PHP that's silly. You might even configure your IDE to automatically populate the assign()'s. Whatever you choose, PHP natively intends no solution.
This solution uses the GLOBALS variable. To solve scope issues, the variable is passed by reference, and the value modified to be unique.
function get_var_name(&$var, $scope=FALSE) {
if($scope) $vals = $scope;
else $vals = $GLOBALS;
$old = $var;
$var = $new = 'unique'.rand().'value';
$vname = FALSE;
foreach ($vals as $key => $val) {
if($val === $new) $vname = $key;
}
$var = $old;
return $vname;
}
$testvar = "name";
echo get_var_name($testvar); // "testvar"
function testfunction() {
$var_in_function = "variable value";
return get_var_name($var_in_function, get_defined_vars());
}
echo testfunction(); // "var_in_function"
class testclass {
public $testproperty;
public function __constructor() {
$this->testproperty = "property value";
}
}
$testobj = new testclass();
echo get_var_name($testobj->testproperty, $testobj); // "testproperty"