
$$vars and security



#1
11-25-2003
Phillip Jackson
$$vars and security

i have developed my own "register globals" function that mimics the action
of register globals, but only for $_POST... i do this to ensure that all
incoming communication is escaped for use in scripts to account for, and to
avoid, SQL injection. below is the code... any suggestions would be welcome
to make this a more secure function for use to massage data going to MySQL:


====================================

function escape(){
    // Walk every POSTed field; each() is the PHP 4 idiom for iterating $_POST
    while (list($key, $value) = each($_POST)) {
        // Escape the value for MySQL and trim surrounding whitespace
        $value = trim(mysql_escape_string($value));
        // Expose the field as a global variable of the same name, as register_globals would
        global $$key;
        $$key = $value;
    }
}
#2
11-25-2003
Chris Shiflett
Re: [PHP] $$vars and security

--- Phillip Jackson <tzmguitarist@hotmail.com> wrote:
> i have developed my own "register globals" function that mimics
> the action of register globals, but only for $_POST... i do this
> to ensure that all incoming communication is escaped for use in
> scripts to account for, and to avoid, SQL injection.


So, are you not worried about all of the other types of attacks?

Personally, I think this is a bad approach, regardless of how well it is
implemented. I think you will give yourself a false sense of security. In
addition, I think it is impossible to create secure data filtering rules
that can possibly apply to all types of data. It is much better to take
the time to create a validation algorithm for each distinct type of data
that you expect and to use a "whitelist" approach in your logic.

If you don't care what I think and want to take this approach anyway, you
might find this useful:

http://linux.duke.edu/projects/mini/htmlfilter/

Remember that there are two potential victims when poor data filtering is
applied: you and your users. Don't forget to protect one while worrying
about the other.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
#3
11-25-2003
Marek Kilimajer
Re: [PHP] $$vars and security

Phillip Jackson wrote:
>
> function escape(){
> while (list($key, $value) = each($_POST)) {
> $value = trim(mysql_escape_string($value));
> global $$key;
> $$key = $value;
> }
> }
>


1. The function does not detect whether magic_quotes_gpc is on; post vars
would be double escaped then.

2. $value might be an array (<input name="var[]" ...>), the array would
be effectively destroyed.
#4
11-25-2003
Phillip Jackson
Re: [PHP] $$vars and security
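An added example (not code posted in this thread) that reworks the posted escape() to address the two points Marek raises: it strips the backslashes added by magic_quotes_gpc before escaping, and it recurses into array fields from var[] inputs instead of flattening them. It assumes the PHP 4-era functions the thread uses (mysql_escape_string, get_magic_quotes_gpc, stripslashes), which have since been removed from PHP.

```php
<?php
// Added example, not the code from the thread. Reworks the posted escape()
// so that (1) values already backslashed by magic_quotes_gpc are not escaped
// twice and (2) array fields from <input name="var[]"> keep their structure
// instead of collapsing to the string "Array".
// Assumes PHP 4-era functions used in the thread: mysql_escape_string() and
// get_magic_quotes_gpc(); both have been removed from current PHP.

// Escape one value for MySQL; recurses into arrays of any depth.
function escape_value($value)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = escape_value($v);
        }
        return $out;
    }
    // magic_quotes_gpc has already added backslashes to every GPC string;
    // strip them first so the value ends up escaped exactly once.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim(mysql_escape_string($value));
}

// Same behaviour as the posted escape(): copy each POST field into a global
// of the same name, but with values run through escape_value().
function escape()
{
    foreach ($_POST as $key => $value) {
        global $$key;
        $$key = escape_value($value);
    }
}

// Constructed check of the array case (no HTTP request needed from the CLI):
$_POST['tags'] = array("rock 'n' roll", 'jazz');
escape();
var_dump($tags); // an array with both entries escaped, not the string "Array"
```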

great point about the array; to make the script more portable i will most
definitely detect magic quotes.


"Marek Kilimajer" <kilimajer@webglobe.sk> wrote in message
news:3FC31FC5.6020702@webglobe.sk...
> Phillip Jackson wrote:
> >
> > function escape(){
> > while (list($key, $value) = each($_POST)) {
> > $value = trim(mysql_escape_string($value));
> > global $$key;
> > $$key = $value;
> > }
> > }
> >

>
> 1. The function does not detect if magic_quotes_gpc are on, post vars
> would be double escaped then.
>
> 2. $value might be an array (<input name="var[]" ...>), the array would
> be effectively destroyed.

#5
11-25-2003
Phillip Jackson
Re: [PHP] $$vars and security

> Personally, I think this is a bad approach, regardless of how well it is
> implemented. I think you will give yourself a false sense of security.


what, then, do you yourself do in such an application requiring a response
from the user to massage the data? reject all input that doesn't conform to
your whitelist? i shall look into making this the vital part of the escape
function.

> Hope that helps.


most definitely - thank you for the quick response.
#6
11-25-2003
Chris Shiflett
Re: [PHP] $$vars and security

--- Phillip Jackson <tzmguitarist@hotmail.com> wrote:
> > Personally, I think this is a bad approach, regardless of how
> > well it is implemented. I think you will give yourself a false
> > sense of security.

>
> what, then, do you yourself do in such an application requiring a
> response from the user to massage the data? reject all input that
> doesn't conform to your whitelist?


Yes, that's it.

I know this may sound like a huge hassle compared to a nice
one-size-fits-all data filtering function, but I personally would never
rely on myself to be able to predict all of the different types of attacks
that people will come up with. There are many people who have as much
creativity as malice, and they are sure to come up with ways to exploit
holes in any blacklist approach I take.

So, when the user is submitting a name, for example, my approach would be
something like this:

Good Stuff: Alphabetic characters, hyphens, apostrophes, and spaces.
Bad Stuff: Everything else

The first time I used this code, I would probably log all of the bad
stuff, so that if I accidentally missed a valid character, I would add it
to my list of allowed characters. Over time, I would get it right, and I
would feel pretty confident that no bad guy could use a combination of
these characters to launch any sort of attack on my application.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
#7
11-25-2003
Marek Kilimajer
Re: [PHP] $$vars and security
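An added example (not Chris Shiflett's code) of the whitelist rule he describes for a name field, together with the logging step: the check accepts only letters, hyphens, apostrophes and spaces, and on rejection logs the offending characters so a valid character that was missed can be added to the list later. The 64-character limit and the log path are assumptions, not from the thread.

```php
<?php
// Added example, not Chris Shiflett's code. Whitelist check for a "name"
// field using the rule from his reply (letters, hyphens, apostrophes and
// spaces are good; everything else is bad), plus the logging he describes:
// rejected characters are logged so a valid one that was missed shows up.
// The 64-character limit and the log path are assumptions.

define('NAME_OK_CHARS', "A-Za-z' -");   // the whitelist as a regex class (hyphen last, so literal)
define('NAME_LOG', '/tmp/rejected-name-chars.log');

// Returns the distinct characters in $name that fall outside the whitelist.
function name_bad_chars($name)
{
    $bad = preg_replace('/[' . NAME_OK_CHARS . ']/', '', $name);
    return array_values(array_unique(preg_split('//', $bad, -1, PREG_SPLIT_NO_EMPTY)));
}

// True if $name consists only of whitelisted characters and has a sane length.
// Otherwise logs what was rejected (the characters, never the whole value)
// and returns false: the caller rejects the input rather than "fixing" it.
function validate_name($name)
{
    if (preg_match('/^[' . NAME_OK_CHARS . ']{1,64}\z/', $name)) {
        return true;
    }
    $bad = name_bad_chars($name);
    $why = $bad ? 'chars: ' . implode(' ', $bad) : 'length ' . strlen($name);
    error_log(date('Y-m-d H:i:s') . " rejected name ($why)\n", 3, NAME_LOG);
    return false;
}

// Constructed inputs. The third one is the "missed valid character" case the
// log is meant to surface: an accented letter is rejected and its bytes logged,
// which is the cue to widen the whitelist.
foreach (array("Anne-Marie O'Brien", "Bob'; DROP TABLE users--", "José", "") as $n) {
    echo var_export($n, true) . ' => ' . (validate_name($n) ? 'ok' : 'rejected') . "\n";
}
```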

Chris Shiflett wrote:
> Yes, that's it.
>
> I know this may sound like a huge hassle compared to a nice
> one-size-fits-all data filtering function, but I personally would never
> rely on myself to be able to predict all of the different types of attacks
> that people will come up with. There are many people who have as much
> creativity as malice, and they are sure to come up with ways to exploit
> holes in any blacklist approach I take.
>
> So, when the user is submitting a name, for example, my approach would be
> something like this:
>
> Good Stuff: Alphabetic characters, hyphens, apostrophes, and spaces.
> Bad Stuff: Everything else
>
> The first time I used this code, I would probably log all of the bad
> stuff, so that if I accidentally missed a valid character, I would add it
> to my list of allowed characters. Over time, I would get it right, and I
> would feel pretty confident that no bad guy could use a combination of
> these characters to launch any sort of attack on my application.


My personal opinion is not that strict. When you have a well defined way
to keep your scripts secure from malicious input, you are safe. The well
defined way is to escape and quote any string that is used in sql
queries, and htmlspecialchars to output untrusted input.
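An added example (not Marek Kilimajer's code) of the approach in his reply: $_POST is left as it arrived and each sink escapes for itself, so one value can go into SQL (escaped and quoted) and into HTML (htmlspecialchars) without one escaping leaking into the other. It assumes magic_quotes_gpc is off, a PHP 4-era mysql link in $link, and made-up table and field names.

```php
<?php
// Added example, not Marek Kilimajer's code. Leaves $_POST untouched and
// escapes at each sink instead: SQL gets an escaped, quoted string and HTML
// gets htmlspecialchars(). Assumes magic_quotes_gpc is off and a PHP 4-era
// mysql link in $link; the users table and name column are made up.

// Escape and quote a string for use inside a MySQL statement.
function sql_quote($link, $value)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Escape a string for HTML output. ENT_QUOTES also converts single quotes,
// so the result is safe inside single-quoted attributes as well.
function html_out($value)
{
    return htmlspecialchars($value, ENT_QUOTES);
}

// One untrusted value, two sinks, each escaped in its own way.
function render_and_query($link, $name)
{
    $sql  = 'SELECT id FROM users WHERE name = ' . sql_quote($link, $name);
    $html = '<p>Hello, ' . html_out($name) . '</p>';
    return array($sql, $html);
}

// Constructed input, e.g. $name = $_POST['name'], containing a quote and a tag:
//   O'Brien <b>
// render_and_query() then yields
//   SELECT id FROM users WHERE name = 'O\'Brien <b>'   (backslash for SQL only)
//   <p>Hello, O&#039;Brien &lt;b&gt;</p>               (entities for HTML only)
// Had $_POST been SQL-escaped on the way in, the page would show "O\'Brien".
```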