appdb security

EA Durbin ead1234 at hotmail.com
Thu Jun 8 17:38:00 CDT 2006


It will be a large undertaking, but I'll help change this across the board. 
I'm going out of town for the next 2 days and won't be near my computer, but 
I can start on it when I get back.

>From: Chris Morgan <cmorgan at alum.wpi.edu>
>To: wine-devel at winehq.org, EA Durbin <ead1234 at hotmail.com>
>Subject: Re: appdb security
>Date: Thu, 8 Jun 2006 16:40:55 -0400
>
>Alright.  I'm sold on having to check all user input.  We should make this
>input checking change across the board if you are up for it.
>
>$clean = array(); //array of filtered user input
>+
>+$clean['catId'] = makeSafe( $_REQUEST['catId'] );
>
>  function admin_menu()
>  {
>-    if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
>-    else $catId="";
>+    $clean['catId'] = makeSafe( $_REQUEST['catId'] );
>+    if ( empty($clean['catId']) )
>+    {
>+        $clean['catId']="";
>+    }
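Review bot: the `$clean['catId'] = makeSafe( $_REQUEST['catId'] );` line inside admin_menu() does not write to the `$clean = array();` declared at file scope above it; a PHP function only sees that array with a `global $clean;` declaration (or if the array is passed in), so as written this hunk fills a separate function-local array while the rest of the file keeps reading an empty one. The removed `isset($_REQUEST['catId'])` guard is also gone, so a request without catId now indexes a missing key and raises a notice before makeSafe() runs; consider `makeSafe(isset($_REQUEST['catId']) ? $_REQUEST['catId'] : '')`, or have makeSafe() take the parameter name and do the isset()/empty() handling itself so the trailing `if ( empty($clean['catId']) )` block does not have to be repeated at every call site.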
>
>
>Is there a reason why we don't do the if(empty()) check inside of 
>makeSafe()?
>
>Chris
>
>
>On Thursday 08 June 2006 1:40 pm, EA Durbin wrote:
> > I always use the method of filtering user input as described at the php
> > security consortium. It makes it easier to track tainted user input vs
> > filtered input. If all filtered variables are put in an array it makes it
> > easier to ensure you're using the non tainted variable.
> >
> > http://phpsec.org/projects/guide/1.html#1.4
> >
> > Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL
> > filtering.
> >
> > >From: Jonathan Ernst <jonathan at ernstfamily.ch>
> > >To: wine-devel at winehq.com
> > >Subject: Re: appdb security
> > >Date: Thu, 08 Jun 2006 18:12:20 +0200
> > >
> > >On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
> > > > Can you come up with a non-destructive working example for the appdb
> > > > website(appdb.winehq.org)? ;-)
> > > >
> > > > I ask because I thought we went through this some time ago but I agree that
> > > > what you say looks like an open issue.
> > > >
> > > > Chris
> > >
> > >Lately I used the following snippet in all my webapps to secure them
> > >against sql injection :
> > >
> > >http://php.net/mysql_real_escape_string under "Best practice".
> > >
> > ><?php
> > >function smart_quote($value)
> > >{
> > >    // Stripslashes
> > >    if (get_magic_quotes_gpc()) {
> > >      $value = stripslashes($value);
> > >    }
> > >    // Protect it if it's not an integer
> > >    if (!is_numeric($value)) {
> > >      $value = "'" . mysql_real_escape_string($value) . "'";
> > >    }
> > >    return $value;
> > >}
> > >
> > >// Secure query
> > >$sQuery = sprintf("SELECT *
> > >                    FROM users
> > >                    WHERE user=%s AND password=%s",
> > >                    smart_quote($_POST['username']),
> > >                    smart_quote($_POST['password']));
> > >mysql_query($sQuery);
> > >?>
> > >
> > >I think it is better than what we have now in AppDB (didn't check it
> > >though). If nobody looks at it, I'll check the code after my master
> > >thesis (in one month).
> > >
> > >Jonathan
> > >
> > >
> > ><< signature.asc >>
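
As an added example (not code from this thread, nor from the AppDB or phpsec projects), here is the tainted-versus-filtered pattern the thread describes, with the missing/empty check moved inside the filter and the database query done through a placeholder instead of hand-built SQL. PDO with an in-memory SQLite database, the `apps` table, the `filterRequest()` and `appsInCategory()` names, the `$spec` whitelist and the fixture rows are all assumptions made so it runs without a MySQL server; PEAR::DB's `?` placeholders in `query($sql, $params)` are used the same way as PDO's here.

```php
<?php
// Added example: "tainted vs. filtered" input handling with the empty()/
// missing-parameter check inside the filter, plus a placeholder query.
// PDO + in-memory SQLite is an assumption so this runs without MySQL.

// Only parameters listed here ever reach $clean; anything else in the
// request is ignored. 'int' must be all digits, 'str' is length-limited.
$spec = array(
    'catId' => 'int',
    'sort'  => 'str',
);

// Build the filtered array. Missing or empty parameters become '' here,
// so callers never need their own isset()/empty() checks.
function filterRequest(array $raw, array $spec)
{
    $clean = array();
    foreach ($spec as $name => $type) {
        if (!isset($raw[$name]) || $raw[$name] === '') {
            $clean[$name] = '';
            continue;
        }
        $value = (string) $raw[$name];
        if ($type === 'int') {
            // Reject anything that is not a plain decimal number.
            $clean[$name] = ctype_digit($value) ? (int) $value : '';
        } else {
            $clean[$name] = substr(trim($value), 0, 32);
        }
    }
    return $clean;
}

// Look up applications by category using a bound parameter: the value is
// handed to the driver separately from the SQL text, so no quoting is needed.
function appsInCategory(PDO $db, $catId)
{
    if ($catId === '') {
        return array();
    }
    $stmt = $db->prepare('SELECT name FROM apps WHERE catId = ? ORDER BY name');
    $stmt->execute(array($catId));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed fixture data standing in for the AppDB tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE apps (catId INTEGER, name TEXT)');
$db->exec("INSERT INTO apps VALUES (3, 'Steam'), (3, 'Office'), (7, 'Photoshop')");

// Constructed requests: a normal one, one with catId missing, and one whose
// catId is not a number and would change the meaning of a hand-built query.
$requests = array(
    array('catId' => '3', 'sort' => 'name', 'debug' => '1'),
    array('sort' => 'name'),
    array('catId' => '3 OR 1=1'),
);

foreach ($requests as $raw) {
    $clean = filterRequest($raw, $spec);
    printf("catId=%-8s rows=%s\n",
        var_export($clean['catId'], true),
        implode(',', appsInCategory($db, $clean['catId'])));
}
```

Run it with `php example.php`: the first request lists Office and Steam, the second and third print an empty catId and no rows, because the filter turns both a missing parameter and a non-digit value into ''. The `debug` parameter in the first request is not in `$spec`, so it never reaches `$clean`, which is the point of keeping raw and filtered input in separate arrays.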

