On 06/09/16 03:19, Yasuo Ohgaki wrote: > Hi Lester, > > On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine <les...@lsces.co.uk> wrote: >> A filter of "is this string corrupted with an injection attempt" seems >> rather more difficult to define than "email"? And applying the first in >> general on every string when there are as set of simple filters that can >> be used ... as an alternative to the more difficult to define ones? > > Input validation code does not have to address all of injections. It's > output code responsibility to prevent injections in the first place. > i.e. Top 10 Secure Coding Practices - #7 > https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
Your statement and those coding points don't go together. 1 ... Any input to PHP has to be untrusted since you can't rely on even clean sources being intercepted. 8 ... Why not use the best available checks on the input side? 7 ... I've sanitised the data in the browser, but because of morons I can't use it without addressing 1 and 8. All this comes back to my simple idea of adding all these validation, filtering and sanitation steps wrapped around the basic PHP variable. And THAT also includes 'strict typing' since if we have the option to select soft or hard failure when a problem is found in the variable we can cover everybody’s 'need'! > Nonetheless, ID validation being poor is not rare even with well > known code. parameters like ID is easy to make sure it's safe from any > injections. > e.g. https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q I know the range of values available for 'id' it's provided by the SEQUENCE source in the database but if you insist on 'autoinc' we can do the job properly. So my filter on the variable :id is looking for a number in a range. What could be a simpler validation than that? > ID is not the only one, accept language, encoding, referer, etc are > common source of injections also. > > Input validation code is for mitigation against unknown/unaddressed > vulnerabilities in entire code not only PHP code, but also language, > libraries written by C/C++ and/or external systems such as DB. If you need to retain the raw input of non-php material then that is just a more complex filter. Point 5 above - Default Deny - do not forward anything that you do not need. So once you have applied rule 9, and assured you know what you expect to receive, then only that is passed on to rule 8. If that data being passed on has a potential to carry a vulnerability forward it's because you have to allow for that data to be forwarded anyway, so a filter to prevent it is pointless? -- Lester Caine - G8HFL ----------------------------- Contact - http://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - http://lsces.co.uk EnquirySolve - http://enquirysolve.com/ Model Engineers Digital Workshop - http://medw.co.uk Rainbow Digital Media - http://rainbowdigitalmedia.co.uk -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
