Web Application Security
Anyone have some basic security tips for PHP-programmers? Nov 14 2003 04:32PM Matthews, Chris (CMatthews MAIL co washoe nv us)
RE: Anyone have some basic security tips for PHP-programmers? Nov 17 2003 09:56PM arek chelmnet pl
Re: Anyone have some basic security tips for PHP-programmers? Nov 19 2003 02:58AM James Mitchell (reductor askmiky com)
RE: Anyone have some basic security tips for PHP-programmers? Nov 20 2003 12:50AM arek chelmnet pl
Re: Anyone have some basic security tips for PHP-programmers? Nov 21 2003 10:27PM James Mitchell (reductor askmiky com)
> Good Night (here in Poland)
>
>>Good Morning (at least here in Nevada)
>
>
>>Anyone have any hints for good PHP practices (Looking for kind of a "This
>>is one of the most common PHP security flaws" kind of thing)?
>
> Firstly, the easiest way is to enable the following lines for every .php
> script, or in a master index.php:
>
> foreach ($_GET as $k => $v) {
> $_GET[$k]=addslashes($_GET[$k]);
> $v=addslashes($v);
> $v=ereg_replace(';','',$v);
> eval(" \$$k = \"$v\" ;");
> }
> foreach ($_POST as $k => $v) {
> $_POST[$k]=addslashes($_POST[$k]);
> $v=addslashes($v);
> $v=ereg_replace(';','',$v);
> eval(" \$$k = \"$v\" ;");
> }
1. This is essentially what magic-quotes does:
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc
If your server doesn't have this enabled, you can enable it with
.htaccess for your web area only.
2. Using ereg_replace for simple string substitution is rather
inefficient. Use str_replace().
3. eval is also inefficient; all the time you can use $_GET[$k] = $v;
4. At least with MySQL it's not possible to pass multiple chained
queries in one mysql_query() call. It is, however, possible to use f.ex. --
to comment out the rest of the query, or, in more sophisticated RDBMS,
use subqueries. $v=ereg_replace(';','',$v); is therefore inadequate, and
probably doesn't do anything to enhance security.
General filtering like that is often inadequate, and you probably need
to do more work. F.ex. if it's a numeric value you are inserting into the
database, check that it is_numeric().
Escape string values with mysql_escape_string() (or the equivalent for other
RDBMS, f.ex. pg_escape_string()).
Tommy Gildseth
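A worked illustration of point 4 and the two filtering recommendations at the end of the reply (is_numeric() for numeric fields, driver-style escaping for string fields). This is an added example, not code posted in the thread. It builds the SQL text without connecting to a database so it runs under the PHP CLI; the attacker inputs, the table name `users` and the helper `escapeLikeMysql()` (a stand-in for what mysql_escape_string() / mysqli_real_escape_string() do to a string) are assumptions made here. The `(int)` cast after the is_numeric() check is also this example's addition, not something the reply asks for.

```php
<?php
// Added example (not from the thread): why stripping ';' does not stop
// SQL injection, and what type validation plus escaping do instead.
// No database is used; the script only builds and prints query text.

// Constructed attacker inputs (assumed for this example).
$attackerId   = "1 OR 1=1 -- ";       // numeric field: '--' comments out the rest
$attackerName = "admin' OR '1'='1";   // string field: closes the quote early

// The filter from the quoted post, reduced to what it does: drop ';'.
function stripSemicolons($v) {
    return str_replace(';', '', $v);  // str_replace(), as point 2 suggests
}

// Vulnerable builder: the "filtered" value is still interpolated raw.
function buildUserQueryVuln($id, $name) {
    return "SELECT * FROM users WHERE id = " . stripSemicolons($id)
         . " AND name = '" . stripSemicolons($name) . "'";
}

// Stand-in for mysql_escape_string()/mysqli_real_escape_string() (assumed):
// backslash-escape the characters MySQL treats specially inside quotes.
// The real driver function is connection/charset aware; prefer it in code.
function escapeLikeMysql($v) {
    return strtr($v, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Hardened builder: validate by type for numeric columns, escape by
// context for string columns, and never let input leave the quotes.
function buildUserQuery($id, $name) {
    if (!is_numeric($id)) {
        throw new InvalidArgumentException("id must be numeric");
    }
    // is_numeric() also accepts "1e3" or " 42"; the cast pins it to an int.
    return "SELECT * FROM users WHERE id = " . (int)$id
         . " AND name = '" . escapeLikeMysql($name) . "'";
}

echo "Semicolon filter only:\n  ", buildUserQueryVuln($attackerId, $attackerName), "\n";
// ...WHERE id = 1 OR 1=1 --  AND name = '...'  : no ';' was ever needed.

try {
    buildUserQuery($attackerId, $attackerName);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";   // "1 OR 1=1 -- " fails is_numeric()
}

// The same builder with legitimate input: the apostrophe is escaped.
echo buildUserQuery("42", "O'Brien"), "\n";
// SELECT * FROM users WHERE id = 42 AND name = 'O\'Brien'

// The string payload that passed the ';' filter stays inside the quotes now.
echo buildUserQuery(7, $attackerName), "\n";
// SELECT * FROM users WHERE id = 7 AND name = 'admin\' OR \'1\'=\'1'
```

Run it with `php example.php`. The first query shows the reply's point exactly: the `--` payload never contains a semicolon, so the ereg_replace() line removes nothing. The hardened builder rejects the numeric payload outright and neutralises the string payload by escaping; in real code the escaping step should be the database driver's own function (it knows the connection charset, which this stand-in does not), or a prepared statement, which avoids building query text from input at all.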