Web security

Nov 03, 2010 22:09

This was a, um, big topic recently, so I might as well say something about it in general.

There are a handful of really basic security mistakes that tend to crop up everywhere. Before I get to them, here's how you avoid them.

ASSUME DATA IS EVIL. Anything coming from outside your code is potentially hazardous and should be treated as such. It ( Read more... )

geeky


Comments 11

(The comment has been removed)

(The comment has been removed)

(The comment has been removed)

two_pi_r November 4 2010, 07:13:40 UTC
Double bonus: they could be running on a PHP where remote inclusion is on. If you can convince the argument of require() to start with http://something, arbitrary PHP injection!



krinndnz November 4 2010, 06:28:26 UTC
If we get people to consistently avoid the most common vulnerabilities, we'll at least get to deal with refreshingly new exploits. 'tis a consummation devoutly to be wished.



denkimouse November 4 2010, 06:50:37 UTC
"ASSUME DATA IS EVIL."

wait, who doesn't?


eevee November 4 2010, 15:50:01 UTC
Only, you know, everyone. The world is (or should be) a rigid and easily-defined place to engineers: of course this id is a number, what else would it be...



nidonocu November 4 2010, 10:55:58 UTC
For those not that knowledgeable in JS, what does the 'evil' username in step 2 do?


eevee November 4 2010, 15:46:05 UTC
I doubt it'll actually work as written, but the idea is that I steal your session cookie by sending it off to my server somewhere. Then I can drop it into my browser and pretend to be you.



(The comment has been removed)

two_pi_r November 4 2010, 15:17:50 UTC
Pretty much every database API that isn't the one that came with MySQL 3 can do prepared statements. It isn't sanitizing data so much as using the correct interface to do the job.

Unfortunately, most PHP devs switched careers from grocery bagging and have the most experience with php4 and mysql3, and think shit like "pass all your queries to a function called cleanSQL" is high end app security.


eevee November 4 2010, 15:42:38 UTC
"Sanitize" implies that you remove bad parts. But my username might very well just have angle brackets in it because I think they're cool, not because I'm trying to wreck your site. Quietly deleting them would be uncool. I've also seen (far too many) SQL "sanitizers" that just replace SQL keywords in input, so you'd better not try to post comments about deleting a selection.

It's a matter of translating, not nuking. Avoiding tedious work is orthogonal, really.

The code I pasted was from Perl's DBI, which I linked to qualify the assertion that this problem was completely solved many years ago. But any database wrapper that isn't completely worthless has similar functionality. It's almost difficult to avoid using prepared statements, unless you're... using the C API bolted onto PHP. Sigh.

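Added example (not code from the post or its commenters) illustrating the point made in the last two comments: a hypothetical keyword-stripping `clean_sql()` of the "pass all your queries to cleanSQL" kind beside a prepared statement, both writing to a constructed in-memory sqlite3 `comments` table, so you can see which one alters the text it stores.

```python
import re
import sqlite3

# Keyword list for the hypothetical "sanitizer" (constructed; deliberately naive).
SQL_KEYWORDS = ("select", "delete", "drop", "insert", "update", "union")


def clean_sql(text: str) -> str:
    """Hypothetical cleanSQL(): blindly deletes anything that looks like a SQL keyword."""
    return re.sub("|".join(SQL_KEYWORDS), "", text, flags=re.IGNORECASE)


def store_sanitized(conn: sqlite3.Connection, username: str, body: str) -> None:
    # Query assembled by string formatting; the input is "cleaned" and quotes doubled by hand.
    # The value that reaches the database is no longer what the user typed.
    sql = "INSERT INTO comments (username, body) VALUES ('%s', '%s')" % (
        clean_sql(username).replace("'", "''"),
        clean_sql(body).replace("'", "''"),
    )
    conn.execute(sql)


def store_prepared(conn: sqlite3.Connection, username: str, body: str) -> None:
    # Prepared statement: the placeholders are bound as data by the driver,
    # so nothing is removed or rewritten and no quoting is done by hand.
    conn.execute("INSERT INTO comments (username, body) VALUES (?, ?)", (username, body))


def fetch_body(conn: sqlite3.Connection, username: str):
    row = conn.execute("SELECT body FROM comments WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (username TEXT, body TEXT)")
    return conn


def compare(username: str, body: str) -> dict:
    """Store the same comment both ways and return what each approach actually saved."""
    results = {}
    for label, store in (("sanitized", store_sanitized), ("prepared", store_prepared)):
        conn = new_db()
        store(conn, username, body)
        results[label] = fetch_body(conn, username)
    return results


if __name__ == "__main__":
    # Constructed sample: angle brackets in the name, ordinary English that happens to contain keywords.
    print(compare("<eevee>", "I asked them to delete a selection of old posts"))
```

The prepared path stores both the angle brackets and the words "delete" and "selection" exactly as typed, while the keyword stripper quietly turns the comment into gibberish.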


