  1.     
    #11
    ლ(ಠ益ಠლ)
    Website's:
    extremecoderz.com
    So in your XSS example, you're ensuring everything is HtmlEncoded?

    Forgive me for my ignorance, but why are these not hard-implemented? Is there any given situation where you would want these functionalities?

  3.     
    #12
    Member
    Website's:
    litewarez.net litewarez.com triniwarez.com
    Because some systems, especially BBCode, use their raw entities to convert to valid HTML, e.g. a BBCode B tag to be converted into a <strong> HTML tag. The BBCode system will parse the submitted post, then extract all allowed tags from the post, then turn all the remaining into its entities, then add the converted code back to the post; this way it does not produce messed-up BBCode.

    That's the best example I can give you.
    Join Litewarez.net today and become apart of the community.
    Unique | Clean | Advanced (All with you in mind)
    Downloads | Webmasters


    Notifications,Forum,Chat,Community all at Litewarez Webmasters
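The encode-first-then-convert order described in the post above, as an added example that is not code from the thread or from Litewarez; bbcode_to_html() and the allowed tag list are assumptions made here.

```php
<?php
// Added example (not from the thread): encode the whole post first, then
// turn the allowed BBCode tags back into HTML. Because htmlspecialchars()
// runs before any substitution, a raw "<" from the user never reaches the output.

function bbcode_to_html(string $post): string
{
    // Step 1: neutralise every raw entity, including < > " ' and &.
    $safe = htmlspecialchars($post, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: only these tags are ever translated; anything else stays encoded text.
    $allowed = [
        '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s' => '<em>$1</em>',
        '/\[u\](.*?)\[\/u\]/s' => '<u>$1</u>',
    ];
    foreach ($allowed as $pattern => $replacement) {
        $safe = preg_replace($pattern, $replacement, $safe);
    }

    // Step 3: [url] needs validation, not just substitution: only http(s)
    // targets become links, and the href is already entity-encoded from step 1.
    $safe = preg_replace_callback(
        '/\[url=(https?:\/\/[^\]\s"<>]+)\](.*?)\[\/url\]/s',
        fn(array $m): string => '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>',
        $safe
    );

    return $safe;
}

// Constructed sample post: allowed markup, a raw tag, and a non-http [url].
$post = "[b]Hello[/b] <script>x</script> [url=javascript:x]x[/url] "
      . "[url=https://example.com/?a=1&b=2]site[/url]";

echo bbcode_to_html($post), PHP_EOL;
```

The raw tag and the non-http [url] survive only as entity-encoded text, while the https link keeps its & as &amp; inside the href.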


  4.     
    #13
    Respected Developer
    Website's:
    wrzc.org
    It depends on what I'm coding. If it's just a small simple thing I'll do it like el_j above but if it's a fairly big script with a few pages and tables I'll use something like Litewarez. It's far less coding and work in the long run to just clean everything at the start.

    If I'm super paranoid, like in an admin area, I do like to do stuff like e.g. replace example.com?go=delete with example?go=3 and example.com?go=reply with example.com?go=4 etc.
    And then make sure it's an integer. Same thing for $_POST. Basically I try and make every transferred variable a number. It also confuses people a bit too, which all helps.
    Interested to know people's thoughts on this.
    Tutorial How to SEO your Warez Site a guide to help you increase your organic traffic

    Huge list of Warez Sites and free Multiposter Templates

  5.     
    #14
    Member
    Website's:
    litewarez.net litewarez.com triniwarez.com
    Mr Happy, I don't really think using integers is a great advantage apart from sanitization, i.e. typecasting; you can lose yourself in your code if you're getting into 100+ actions. This I would keep with reply, edit, delete. What I tend to do is to develop an MVC framework and create a sort of REST system, so:

    Instead of topic.php?mode=reply&id=22 I would do

    /topic/reply/22/

    This way you only have to sanitize the topic/reply values so that they are only allowed to be called IF the function exists within the topic class; this gives better security. Then within the reply method I just integerize the 3rd param.

    This gives a lot more structure and security to your code.
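One way to combine Mr Happy's "make every transferred variable a number" (#13) with the /topic/reply/22/ routing above (#14), as an added example that is not code from either poster; TopicController, dispatch() and the ACTIONS whitelist are names assumed here.

```php
<?php
// Added example (not from the thread): a minimal dispatcher for URLs of the
// form /topic/reply/22/. The action segment is checked against an explicit
// whitelist of the controller's public methods, and the id is forced to an
// integer, so neither segment ever reaches the code as untrusted text.

class TopicController
{
    // Only these names are routable. method_exists() alone is not enough,
    // because it would also expose helpers and magic methods like __construct.
    public const ACTIONS = ['view', 'reply', 'edit', 'delete'];

    public function view(int $id): string   { return "viewing topic $id"; }
    public function reply(int $id): string  { return "reply form for topic $id"; }
    public function edit(int $id): string   { return "edit form for topic $id"; }
    public function delete(int $id): string { return "delete confirmation for topic $id"; }
}

function dispatch(string $path): string
{
    // Split "/topic/reply/22/" into ["topic", "reply", "22"].
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    [$controller, $action, $id] = array_pad($segments, 3, null);

    if ($controller !== 'topic') {
        return '404: unknown controller';
    }
    // Strict in_array so that only an exact whitelisted name passes.
    if (!in_array($action, TopicController::ACTIONS, true)) {
        return '404: unknown action';
    }
    // filter_var rejects "22abc", "", and (via min_range) zero or negatives:
    // this is the "integerize the 3rd param" step.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '400: id must be a positive integer';
    }

    return (new TopicController())->$action($id);
}

// Constructed requests: two valid, three that must be refused.
foreach (['/topic/reply/22/', '/topic/view/7', '/topic/__construct/1',
          '/topic/delete/22abc', '/user/edit/3'] as $path) {
    echo $path, ' -> ', dispatch($path), PHP_EOL;
}
```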


  6.     
    #15
    ლ(ಠ益ಠლ)
    Website's:
    extremecoderz.com
    hmm

    But wouldn't having to decode be a better option than having to encode? I mean, everything is encoded whether you like it or not in the interest of security, and if you don't like it, decode it.

    Just seems far more logical to me..

  7.     
    #16
    Member
    Website's:
    litewarez.net litewarez.com triniwarez.com
    I also think the major reason for leaving the entities down to the end user is to allow the user to have more control over their code.

    Personally I think it's good that it's not auto-encoded, because users then learn about HTML entities and character codes; this is an important part of web development, and personally I don't expect the PHP dev team to do all my work for me!


  8.     
    #17
    Member
    I agree with litewarez, in a way: PHP has made sure to provide encoding and escaping functions, so they are doing it, just not directly.

    I don't really think it's just about giving control. The PHP language, like I always say, is almost becoming a noob-friendly language, which is great; it means anyone can learn it fast.

    If you implement the things mentioned in the article (or other methods) into functions or classes, it'll definitely save you a lot of time, but first you need to make sure you know how to handle functions and classes, and what to add in there. This way you don't end up escaping or encoding the wrong characters, which would render the function useless.

    The most common "hacks" are SQL injection and HTML injection. Never really saw much reports about system/shell injection, but thought I'd include it anyway.

    I still say, for direct small inputs, regex is the man.

    The other good thing about not having everything encoded automatically is if you're saving that data into a database, you don't really need to encode all characters if you code a strong script.

    With direct input, it'll save you space: instead of &quot; or &amp; the decoded version will be inserted. If you consider a large database, that will save you a lot of bytes and bits, i.e. &amp; vs &.

    It's much better than the early days, when using base64 to encode data and then store it in the database was standard, which increased data by 30-40%.

  9.     
    #18
    Banned
    Website's:
    KWWHunction.com
    @ el_jentel1

    Thank you for posting that very detailed information. Even knowing as much as I do when it comes to PHP, there is always more to learn. I really appreciate having an admin around that actually devotes their knowledge to their forum.
