Hi vuln-devels,

I've written a little and compact PHP routine intended to protect PHP applications in a generic way. The idea is to call the routine at the very beginning of any .php file so it could parse *all* global variables. I've tried to make the routine as generic as possible. It should work OK on every PHP version, with or without 'register_globals' enabled (I've only tested on PHP 4.2.2, though). The possible performance cost should perhaps be taken into account on servers with heavy load. But I think it's worth your while giving it a try :-)

I've chosen the following cleaning method:

    addslashes(htmlentities($var));

The reason for that is:

- 1st, all HTML entities are re-written in a secure way, so no HTML injection is possible. This tries to fight against cross-site scripting bugs.
- 2nd, some dangerous chars (like the "quotes" char) are secured. This is for avoiding SQL injection problems.

As a side effect, data to be saved in a database will be stored in an html'ized form (for instance, a char like "á" will be stored as "&aacute;"). It could be an advantage (perhaps it could fix some problems with languages and charsets in databases, since we're removing strange characters) or a disadvantage (loss of performance, since we're using more characters to "encode" a single [special] char). Perhaps this is something you can perfectly live with.

Any feedback would also be greatly appreciated (this should be sent to me, not to the whole mailing list).

    /* Sanitized Vars Routine by RoMaNSoFt (r0manat_private) */
    function sanitize_vars()
    {
        // Walk every global: with register_globals on, request data lands here
        // directly; with it off, the HTTP_*_VARS arrays are globals as well.
        foreach ($GLOBALS as $var => $value) {
            if (is_array($value)) {
                // One array level is descended; deeper nesting is not handled.
                foreach ($value as $i => $j) {
                    $GLOBALS[$var][$i] = addslashes(htmlentities($j));
                }
            } else {
                $GLOBALS[$var] = addslashes(htmlentities($value));
            }
        }
    }

+ Madrid, 2002.10.28 +

--
Roman

PS: Regards to the iZhal crew (subliminal advertising included :-))

--
PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
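As an added example (the editor's, not code from the original post), the following PHP applies the cleaning method described above to a constructed set of request values and checks what comes out, so the html'ized storage form and the other transformations the post mentions can be seen concretely. It assumes PHP 5.4 or later and a UTF-8 source file, pins htmlentities() to ENT_COMPAT and UTF-8 (the pre-8.1 defaults, so the single-quote handling does not change with the interpreter version; from PHP 8.1 the default flags include ENT_QUOTES, which would turn a single quote into &#039; before addslashes() ever sees it), and recurses into nested arrays, which the posted routine, descending one level, does not. The sample request array and the expected values are constructed for this example.

```php
<?php
// Added example, not part of the original post. Exercises the posted cleaning
// step, addslashes(htmlentities()), on constructed request data.
// Assumptions: PHP >= 5.4, UTF-8 source file, explicit htmlentities() flags.

// The cleaning step as posted, with charset and flags pinned so the output is
// the same on every PHP version from 5.4 onwards.
function clean_scalar($value)
{
    return addslashes(htmlentities((string) $value, ENT_COMPAT, 'UTF-8'));
}

// Recursive variant: the posted routine descends one array level, so a value
// such as a[x][y]=... would reach htmlentities() as an array. Recursing
// removes that limitation while keeping the same per-value transformation.
function clean_value($value)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = clean_value($v);
        }
        return $out;
    }
    return clean_scalar($value);
}

// Constructed request data standing in for $_GET / $_POST.
function sample_request()
{
    return array(
        'name'    => "O'Brien",
        'comment' => '<script>alert("x")</script>',
        'city'    => 'Málaga',
        'path'    => 'C:\\temp',
        'id'      => '1 OR 1=1',
        'tags'    => array('a' => '<b>', 'nested' => array('q' => '"deep"')),
    );
}

// What the cleaning step produces for the sample above; compared strictly
// (same keys, same order, same string values) so the block verifies itself.
function self_check()
{
    $want = array(
        'name'    => "O\\'Brien",                                   // single quote: addslashes only
        'comment' => '&lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;',
        'city'    => 'M&aacute;laga',                                // the html'ized storage form
        'path'    => 'C:\\\\temp',                                   // backslash doubled by addslashes
        'id'      => '1 OR 1=1',                                     // untouched by both functions
        'tags'    => array('a' => '&lt;b&gt;', 'nested' => array('q' => '&quot;deep&quot;')),
    );
    return clean_value(sample_request()) === $want;
}

function main()
{
    $clean = clean_value(sample_request());
    foreach ($clean as $k => $v) {
        printf("%-8s %s\n", $k, is_array($v) ? json_encode($v) : $v);
    }
    echo self_check() ? "self-check: ok\n" : "self-check: MISMATCH\n";
}

main();
```

Two of the sample values are worth a second look. The backslash in the path is doubled; a quoted SQL literal consumes that extra backslash, but anything else the value reaches (a file write, a direct echo) will show it. And '1 OR 1=1' passes through unchanged, because neither function has anything to change in it: addslashes() only helps where the value ends up inside quotes in the query, so an unquoted numeric context still needs a cast to int or a parameterised query.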
This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 08:29:46 PST