add security docs per #5, add dev process with no ssl per #6, sort en…

…um/drop down per #7, prep 1.3 release
Packet-Clearing-House · Apr 11, 2017 · b1920a3 · b1920a3
1 parent 2187e66
commit b1920a3
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -5,13 +5,23 @@ more complicated than tableManager.  If you're looking for a framework to easily
 Read, Update and Delete (C.R.U.D.) rows from a MySQL database using a PHP server and a web front end, this 
 tool is what you've always been looking for.
 
-For version 1.0, tableManager niavely assumes that each table has a single field primary key.  As well, 
+For version 1.3, tableManager niavely assumes that each table has a single field primary key.  As well, 
 while it use [PDO](http://php.net/manual/en/pdo.installation.php),  it is untested on anything but MySQL. 
 Finally, for the best user experience, I recommend using all of the libraries in the optional section below 
 (stupidtable, formvalidation.io and bootstrap).
 
-tableManager uses extensive protection to ensure there's no MySQL injection vectors through this library. As
-well, it uses high entropy nonces to protect against cross site request forgery.
+
+### Security
+
+tableManager uses extensive protection to ensure there's no MySQL injection vectors through this library. It protects against cross site request forgery. All cookies are written to be SSL only and are http only. Finally, all output us cleansed to ensure there's no cross site scripting vectors.
+
+To cite OWASP, tableManager does the following:
+
+* [Sanitize database output](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job)
+* [Query Parameterization](https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet)
+* [Secure Cookies](https://www.owasp.org/index.php/SecureFlag)
+* [HTTP Only Cookies](https://www.owasp.org/index.php/HttpOnly)
+* [Anti-CSRF Nonces](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)
 
 ## Requirements
 *  MySQL 5.02 or greater for [INFORMATION_SCHEMA](https://dev.mysql.com/doc/refman/5.7/en/information-schema.html)  support
@@ -105,8 +115,26 @@ if ($_POST[$action] == 'delete') {
 }
 ```
 
+## Development
+
+Pull requests are always welcome! 
+
+Please ensure your code has no warnings in the error log.  Also, do as I do, which is: 
+
+1. ``cd``ing into the ``examples`` directory 
+1. running a web server via ``php -S  localhost:8000``
+1. cut a new branch for my changes
+1. edit ``tableManager.php`` and ensure there's a working example which tests my change
+1. update readme.md if needed
+1. opening a pull request for my change
+1. code review/QA pull request
+1. merge to master
+
+
+
 ## Release history
 
+* 1.3 - Apr 11th, 2017 - Update security docs per #5, add way to do development with non-ssl per #6, add sort to enum/drop downs per #7
 * 1.2 - Mar 18th, 2017 - Add protection against [CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
 * 1.1 - Mar 16th, 2017 - Add Examples & phpDocs, fixed minor bug in edit form CSS
 * 1.0 - Mar 15th, 2017 - First post

diff --git a/examples/config.php b/examples/config.php
@@ -4,4 +4,8 @@
 define('DB_USER', 'root');
 define('DB_PASS', 'MarcyWoolliestlist');
 define('DB_DATABASE', 'tableManagerSample');
-define('DB_TABLE', 'people');
+define('DB_TABLE', 'people');
+
+// DO NOT SET THIS TO 'false' IN PRODUCTION!  ONLY FOR
+// DEVELOPMENT!!!
+define('SECURE_NONCE_COOKIE', false);
diff --git a/examples/edit.php b/examples/edit.php
@@ -15,7 +15,8 @@
         $action = 'add';
     }
 
-    print $tm->getAddEditHtml($row, $action, "./save.php?table={$tm->table}");
+    print $tm->getAddEditHtml($row, $action, "./save.php?table={$tm->table}", false, array(),
+        array(),null, array(),SECURE_NONCE_COOKIE);
 } catch (Exception $e){
     show503($e->getMessage());
 }

diff --git a/examples/edit_bootstrap.php b/examples/edit_bootstrap.php
@@ -14,7 +14,7 @@
         $action = 'add';
     }
 
-    $formHtml = $tm->getAddEditHtml($row, $action, "./save_bootstrap.php?table={$tm->table}", false, array(), array(), true);
+    $formHtml = $tm->getAddEditHtml($row, $action, "./save_bootstrap.php?table={$tm->table}", false, array(), array(), true, array(),SECURE_NONCE_COOKIE);
 } catch (Exception $e){
     show503($e->getMessage());
 }

diff --git a/examples/edit_validate.php b/examples/edit_validate.php
@@ -19,7 +19,7 @@
         $action = 'add';
     }
 
-    print $tm->getAddEditHtml($row, $action, "./save_validate.php?table={$tm->table}", false, array(), array(), true);
+    print $tm->getAddEditHtml($row, $action, "./save_validate.php?table={$tm->table}", false, array(), array(), true, array(), SECURE_NONCE_COOKIE);
 } catch (Exception $e){
     show503($e->getMessage());
 }

diff --git a/tableManager.php b/tableManager.php
@@ -3,7 +3,7 @@
  * Class tableManager
  *
  * @author mrjones@pch.net
- * @version 1.2
+ * @version 1.3
  * @copyright PCH, MIT License
  * @see https://github.com/Packet-Clearing-House/tableManager/
  */
@@ -346,7 +346,7 @@ public function getHtmlRowsHead($rowsToShow = array()){
      */
     public function getAddEditHtml($rowData = array(),  $action = 'edit' , $actionUrl = null,
                                    $tableKey = false, $rowsLabels = array(), $customEditArray = array(), $keyExistsUrl = null,
-                                   $customOrder = array())
+                                   $customOrder = array(), $secureCookie = true)
     {
         if (!$tableKey){
             $tableKey = $this->getKeyFromTable();
@@ -358,7 +358,7 @@ public function getAddEditHtml($rowData = array(),  $action = 'edit' , $actionUr
         // get a nonce, write it to a cookie and then create a hidden input
         // which we'll check on add, edit or delete
         $nonce = $this->getRandomId();
-        $this->writeNonceCookie($nonce);
+        $this->writeNonceCookie($nonce, $secureCookie);
 
         $formAction = '<form role="form" method="post" action="' . $actionUrl . '" name="tableManagerAddEdit"
             class="tableManager"
@@ -446,6 +446,7 @@ class='form-control $primaryClass' maxlength='{$columnInfoArray['SIMPLE_SIZE']}'
             } elseif ($colType == 'enum') {
                 $html .= "<select name='$colName' value='$value' id='$colName' class='form-control $primaryClass' 
                     $requiredHtml $kvPairHtml>\n";
+                asort($columnInfoArray['SIMPLE_VALUES']);
                 foreach ($columnInfoArray['SIMPLE_VALUES'] as $key => $option){
                     $selected = '';
                     if ($key == $value){
@@ -801,10 +802,17 @@ private function validNonce($cookie = null, $post = null){
      * multiple instances of the same form in the same browser. should be checked
      * with isFromNonce()
      * @param $nonce
+     * @param $secureCookie boolean defaults to true, of whether to write cookies securely (https only). Only set this
+     * to false in development, *never* in production!!
      * @return boolean result of setcookie()
      */
-    public function writeNonceCookie($nonce) {
-        $secure = true;
+    public function writeNonceCookie($nonce, $secureCookie = true) {
+        if ($secureCookie) {
+            $secure = true;
+        } else {
+            $secure = false;
+        }
+
         $http_only = true;
         // omg epic thread here of SERVER_NAME vs HTTP_HOST: http://stackoverflow.com/a/2297421
         $domain = $_SERVER['SERVER_NAME'];