appdb security
EA Durbin
ead1234 at hotmail.com
Thu Jun 8 17:38:00 CDT 2006
It will be a large undertaking, but I'll help change this across the board.
I'm going out of town for the next 2 days and won't be near my computer, but
I can start on it when I get back.
>From: Chris Morgan <cmorgan at alum.wpi.edu>
>To: wine-devel at winehq.org, EA Durbin <ead1234 at hotmail.com>
>Subject: Re: appdb security
>Date: Thu, 8 Jun 2006 16:40:55 -0400
>
>Alright. I'm sold on having to check all user input. We should make this
>input checking change across the board if you are up for it.
>
>$clean = array(); //array of filtered user input
>+
>+$clean['catId'] = makeSafe( $_REQUEST['catId'] );
>
> function admin_menu()
> {
>- if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
>- else $catId="";
>+ $clean['catId'] = makeSafe( $_REQUEST['catId'] );
>+ if ( empty($clean['catId']) )
>+ {
>+ $clean['catId']="";
>+ }
>
>
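Review bot: the `$clean = array();` at file scope is not the `$clean` written inside `admin_menu()`; without `global $clean;` (or passing the array in) the function fills a local array that is discarded on return, so the "filtered input lives in one array" goal is not met. Also, dropping `isset($_REQUEST['catId'])` means `makeSafe( $_REQUEST['catId'] )` reads a possibly undefined index, which raises a PHP notice whenever the parameter is absent; either keep the `isset()` guard or let `makeSafe()` take the key and do the isset/empty handling itself, which would also settle the question of moving the `empty()` check into it.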
>Is there a reason why we don't do the if(empty()) check inside of
>makeSafe()?
>
>Chris
>
>
>On Thursday 08 June 2006 1:40 pm, EA Durbin wrote:
> > I always use the method of filtering user input as described at the php
> > security consortium. It makes it easier to track tainted user input vs
> > filtered input. If all filtered variables are put in an array it makes it
> > easier to ensure you're using the non tainted variable.
> >
> > http://phpsec.org/projects/guide/1.html#1.4
> >
> > Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL
> > filtering.
> >
> > >From: Jonathan Ernst <jonathan at ernstfamily.ch>
> > >To: wine-devel at winehq.com
> > >Subject: Re: appdb security
> > >Date: Thu, 08 Jun 2006 18:12:20 +0200
> > >
> > >On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
> > > > Can you come up with a non-destructive working example for the appdb
> > > > website(appdb.winehq.org)? ;-)
> > > >
> > > > I ask because I thought we went through this some time ago but I agree
> > > > that what you say looks like an open issue.
> > > >
> > > > Chris
> > >
> > >Lately I used the following snippet in all my webapps to secure them
> > >against sql injection :
> > >
> > >http://php.net/mysql_real_escape_string under "Best practice".
> > >
> > ><?php
> > >function smart_quote($value)
> > >{
> > > // Stripslashes
> > > if (get_magic_quotes_gpc()) {
> > > $value = stripslashes($value);
> > > }
> > > // Protect it if it's not an integer
> > > if (!is_numeric($value)) {
> > > $value = "'" . mysql_real_escape_string($value) . "'";
> > > }
> > > return $value;
> > >}
> > >
> > >// Secure query
> > >$sQuery = sprintf("SELECT *
> > > FROM users
> > > WHERE user=%s AND password=%s",
> > > smart_quote($_POST['username']),
> > > smart_quote($_POST['password']));
> > >mysql_query($sQuery);
> > >?>
> > >
> > >I think it is better than what we have now in AppDB (didn't check it
> > >though). If nobody looks at it, I'll check the code after my master
> > >thesis (in one month).
> > >
> > >Jonathan
> > >
> > >
> > ><< signature.asc >>
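Two points the thread leaves open are where the empty/missing check belongs and how the filtered values reach the query. The following is an added example, not AppDB code and not from any of the posters: the phpsec-style `$clean` array with the isset/empty handling inside the filter (as Chris asks about), and PDO prepared statements in place of `mysql_real_escape_string()`. PDO is a substitution for the PEAR::DB the thread mentions; the field names, whitelist patterns, table columns, connection string and the use of `password_verify()` are all assumptions of this example.

```php
<?php
// Added example (not AppDB code): one filter function that owns the
// missing/empty check, a single $clean array for filtered values, and
// parameterized queries so no value is ever interpolated into SQL.

/**
 * Return a validated copy of one request parameter, or $default when the
 * parameter is absent, empty, or does not match $pattern. Nothing tainted
 * leaves this function, so callers only ever read from $clean.
 */
function makeSafe(array $source, $key, $pattern, $default = '')
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;               // absent: no undefined-index notice
    }
    $value = trim($source[$key]);
    if ($value === '' || !preg_match($pattern, $value)) {
        return $default;               // empty or malformed
    }
    return $value;
}

// Whitelist pattern per field (hypothetical field set for this example).
$clean = array();
$clean['catId']    = makeSafe($_REQUEST, 'catId',    '/^[0-9]{1,9}$/', null);
$clean['username'] = makeSafe($_POST,    'username', '/^[A-Za-z0-9_.-]{1,64}$/');
$clean['password'] = makeSafe($_POST,    'password', '/^.{1,256}$/s');

// Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=appdb_example', 'user', 'pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares

// The driver keeps data and SQL separate; the is_numeric()/quoting decision
// made by smart_quote() is no longer needed.
$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE user = :user');
$stmt->bindValue(':user', $clean['username'], PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare against a stored hash instead of selecting on the raw password
// (assumed schema: users.password_hash holds a password_hash() value).
$loggedIn = ($row !== false)
    && password_verify($clean['password'], $row['password_hash']);

if ($clean['catId'] !== null) {
    $stmt = $pdo->prepare('SELECT name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', (int) $clean['catId'], PDO::PARAM_INT);
    $stmt->execute();
    $category = $stmt->fetch(PDO::FETCH_ASSOC);
}
```

Because `makeSafe()` takes the source array and the key, every caller gets the same absent/empty behaviour and a per-field whitelist, so the `if ( empty($clean['catId']) )` block after each call disappears. With emulated prepares disabled, PDO sends the statement and the bound values to the server separately, which is what removes the need for `mysql_real_escape_string()` and for deciding whether a value should be quoted.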