Skip to content

Latest commit

 

History

History
88 lines (70 loc) · 2.56 KB

readme.md

File metadata and controls

88 lines (70 loc) · 2.56 KB
Raw

CharacterValidation

A library for more securely handling of GET/POST objects in legacy PHP.

Retrofiting legacy PHP projects

A common problem in supporting legacy PHP is that old code may not do enough or appropriate validation and this leads to potential injection problems (XSS and SQL). To mitigate this you need to do three things

  • At the start of the PHP file require safely.php
  • Before PHP code is executed then run safeGET(), safePOST(), and safeSERVER() as needed.

This might look something like -

	<?php
	// Added safely
	require_once dirname(__FILE__).'/safely.php';
	$get = safeGET();   // e.g. originally $_GET
	$post = safePOST(); // e.g. originally $_POST
	
	// the rest of the old should now work safer.

If you need to validated an uploaded filename you might do something like -

    <?php
    // Get the filename from the $_FILES assoc array.
    $safeFilename = $_FILES['myupload']['name'];
    if ($safeFilename === false) {
        die('Not a valid filename.');
    }

Using in new projects

When using safely in new projects you should provide an explicit validation map. This way we will not be vunerable to injected variables caused by unsafe use of extract.

In this example their are three supported parameters - id, search, callback which are an Integer, Text and Varname respectively. Here's how you would defined the validation map and then use it with your code.

	<?php
	

	// Just some place holder code to indicate that you've already established a MySQL connection
	openMySQLConnection();

	require_once dirname(__FILE__).'/safely.php';
	// Make a validation map
	$validation_map = array(
		"id" => "Integer",
		"search" => "Text",
		"callback" => "Varname"
	);
	
	// extract the $_GET safely validated against $validation_map
	$myGET = safeGET($validation_map);

	// Now you're ready to use them.  If a field wasn't available it will be set to false
	if ($myGET["id"] !== false) {
		// build your query safely
		$sql = "SELECT name, email FROM contacts WHERE id = " . 
		$myGET["id"];
	} else if ($myGET['search'] !== false) {
		$sql = "SELECT name, email FROM contacts WHERE (name LIKE \"" . 
			$myGET["search"] . "\" OR email LIKE \"" . $myGET["search"] . "\"";
	}

	// Process your SQL safely
	$qry = mysql_query($sql);
	$users = mysql_fetch_assoc($qry);

	if ($myGET["callback"] !== false) {
		header("Content-Type: application/javascript");
		echo $callback . '(' . json_encode($users,  true) . ')';
	} else {
		header("Content-Type: application/json");
		echo json_encode($users, true);
	}
	?>