Security in scripts, post/get?

Started by Grudge, September 21, 2004, 06:28:54 PM


Grudge

I was wondering what security precautions you would say *have* to be in a script by default? I'm talking mainly about $_GET and $_POST.

In a script I'm writing $_GET is *only* used to pass an action to the script, or to pass ID's which are then *always* cast to int's, and then inserted into the database. No strings etc are ever inserted via $_GET.

magic_quotes_runtime is switched off and $_GET is loaded from:
parse_str($_SERVER['QUERY_STRING'], $_GET);

Nothing is done to $_POST apart from the addslashes to all its members.

$_POST and $_GET are then recombined to make $_REQUEST.

Is there anything else from a security point of view that I should be considering with this? The only other thing I tend to do is htmlspecialchar anything likely to have a HTML code in it before I insert it into the database.

I'd like some help just because I'm not too experienced at handling the security of a script as in SMF this was already written when I joined ;)
I'm only a half geek really...

[Unknown]

The idea is to make sure people can't put 's in by GET or POST.

POST is only a little harder (and by little I do mean LITTLE) to fake than GET is.

-[Unknown]

Grudge

So addslashing $_POST should be fine for this I assume as it will obviously escape them. Should it do the same for $_GET too? In my case I guess this isn't necessary as I won't be using the querystring for anything other than integers - although it would certainly help. Maybe in my querystring cleaning function I could do:

parse_str($_SERVER['QUERY_STRING'], $_GET);
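foreach ($_GET as $key => $value)
  // Strict comparison: before PHP 8 a numeric key such as 0 loosely equals 'action' and would skip the cast.
  if ($key !== 'action')
    $_GET[$key] = (int) $value;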

That would make it impossible for any SQL injections via the $_GET string, and addslashing $_POST should protect that. I guess the only other possible exploit could be if I ever unhtmlspecialchar on $_POST and someone put the HTML code for ' in?
I'm only a half geek really...

[Unknown]

Yes, that's why SMF doesn't un_htmlspecialchars things that go into the database.

-[Unknown]
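
The concern above (an entity such as &#039; turning back into a quote after the escaping step has already run) does not arise when values are bound as statement parameters instead of being escaped into the SQL string. This is an added example, not code from the thread or from SMF; it assumes PDO with in-memory SQLite, and the table, column and function names and the POST value are hypothetical.

```php
<?php
// Added example, not SMF code. Requires the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT)');

// Constructed POST value: the quote arrives as an HTML entity, so an
// addslashes() pass over the raw input finds nothing to escape.
$post = ['subject' => 'It&#039;s here'];

// Decoding after that pass is the step the thread worries about:
// the result contains a bare single quote again.
$decoded = html_entity_decode($post['subject'], ENT_QUOTES, 'UTF-8');

// The value travels separately from the SQL text, so the quote is data only.
function store_subject(PDO $pdo, string $subject): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (subject) VALUES (:subject)');
    $stmt->execute([':subject' => $subject]);
    return (int) $pdo->lastInsertId();
}

function load_subject(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT subject FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$id     = store_subject($pdo, $decoded);
$stored = load_subject($pdo, $id);

// The stored text matches the input byte for byte; no slashes were added.
var_dump($stored === $decoded);

// Encode for HTML only at output time.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```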

Parham

plop this in a .htaccess file in the same dir as your scripts and it should do half of your security:


php_value magic_quotes_gpc "1"
php_value register_globals "0"

[Unknown]

Quote from: Parham on September 22, 2004, 03:26:03 PM
plop this in a .htaccess file in the same dir as your scripts and it should do half of your security:


php_value magic_quotes_gpc "1"
php_value register_globals "0"


Won't work on IIS and should not be depended upon.  May also cause "500 INTERNAL SERVER ERRORS" on clients who do not have access to set php.ini directives by .htaccess.

-[Unknown]

Parham

Quote from: [Unknown] on September 22, 2004, 03:43:14 PM
Quote from: Parham on September 22, 2004, 03:26:03 PM
plop this in a .htaccess file in the same dir as your scripts and it should do half of your security:


php_value magic_quotes_gpc "1"
php_value register_globals "0"


Won't work on IIS and should not be depended upon. May also cause "500 INTERNAL SERVER ERRORS" on clients who do not have access to set php.ini directives by .htaccess.

-[Unknown]

If you have permission, that is. Check if they work inside your PHP script by doing a simple test with the function get_magic_quotes_gpc() and try to get a $_POST/$_GET var. Or use this:


<?php
// Fetch every ini directive with its global and local (per-directory) value.
$inis = ini_get_all();

print_r($inis);

?>


to see if .htaccess set them to what you want them to be.

Grudge

Thanks Parham, but my scripts I'm working on are designed to be distributed and I wouldn't want to rely on another file being present even if it were part of the distro. Basically I want the PHP file itself to handle any server config on its own securely, I can't rely on someone not uploading a htaccess file, but cheers anyway. Think I'm happy now that I've covered all my bases!
I'm only a half geek really...

Parham

Oh, I'm sorry, I thought these were just for regular use... my mistake

Ardenn

I understand that there is some concern for security in a PHP/MySQL environment, but as a relatively new person to PHP, I don't quite understand all the issues. So I hope you guys might be able to break down what you're saying a little bit:

When you say,
Quote
In a script I'm writing $_GET is *only* used to pass an action to the script, or to pass ID's which are then *always* cast to int's

What do you mean only using to pass actions and ID's? And that the ID's are always cast to int's? Could you demonstrate with some sample code so I understand what you mean by this? At the moment, I think you are talking about using a form with a variable named action and that you're using $_GET['action'] to pass the variable. I don't have a clue what you are talking about in reference to ID's and int's.

Additionally, why do you turn magic_quotes off? Doesn't it do the same thing as addslashes() but automatically? Also, I'm not quite sure what your code is doing.

parse_str($_SERVER['QUERY_STRING'], $_GET);

Remember I'm a PHP newb so forgive me my ignorance, but doesn't $_REQUEST just retrieve the same data as a $_POST or a $_GET anyway? What are you talking about by recombining them into request?
Ardenn // Traxxus
http://www.twinwand.com
D&D Play by Post Community Looking for Players and DM's

[Unknown]

Casting:

$int = (int) $int;

So, if I did this:

$int = (int) 'HACKER TEXT';
echo $int; // 0

Well, magic_quotes_runtime is annoying and adds slashes to everything.  The gpc one is much more useful, but you have to do it manually if it's off.

He means he's cleaning them, and then refilling $_REQUEST with the cleaned ones.

-[Unknown]
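
The cast-and-rebuild approach discussed above, written out as an added example (not code from the thread or from SMF). It goes a step further than a bare (int) cast by dropping values that are not plain integers; the function name, the action list and the sample input are hypothetical.

```php
<?php
// Added example; clean_query_string() and all sample values are hypothetical.

/**
 * Rebuild GET data from a raw query string: 'action' must be on an
 * allow-list, every other parameter must be a plain decimal integer.
 */
function clean_query_string(string $queryString, array $allowedActions): array
{
    parse_str($queryString, $raw);
    $clean = [];

    foreach ($raw as $key => $value) {
        // === because parse_str() turns numeric keys into ints.
        if ($key === 'action') {
            // Arrays (?action[]=x) and unlisted strings are rejected.
            if (is_string($value) && in_array($value, $allowedActions, true)) {
                $clean['action'] = $value;
            }
            continue;
        }
        // A bare (int) cast maps '12abc' to 12 and a non-empty array
        // (?id[]=5) to 1. FILTER_VALIDATE_INT returns false for both,
        // so malformed values are dropped instead of silently changed.
        $int = filter_var($value, FILTER_VALIDATE_INT);
        if ($int !== false) {
            $clean[$key] = $int;
        }
    }
    return $clean;
}

// Constructed sample request.
$query = 'action=view&topic=42&msg=12abc&id[]=5&board=7%27+OR+1=1';
$get   = clean_query_string($query, ['view', 'post', 'search']);
$post  = ['subject' => "It's a test"]; // strings are handled at the SQL layer

// Rebuild the combined array from GET and POST only, so cookie values
// never appear in it. POST wins on a key collision.
$request = array_merge($get, $post);

var_dump($get);
var_dump($request);
```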

Parham

Quote from: Ardenn on September 23, 2004, 09:48:52 AM
Remember I'm a PHP newb so forgive me my ignorance, but doesn't $_REQUEST just retrieve the same data as a $_POST or a $_GET anyway? What are you talking about by recombining them into request?

It also contains $_COOKIE information which some people (like me) don't like.
