Generic protection in PHP

From: RoMaNSoFt (r0manat_private)
Date: Sun Oct 27 2002 - 17:55:41 PST


     Hi vuln-devels,
    
     I've written a little and compact PHP routine intended to protect PHP
    applications in a generic way. The idea is to call the routine at the
    very beginning of any .php file so it could parse *all* global
    variables. I've tried to make the routine as generic as possible. It
    should work ok on every PHP version, with or without
    'register_globals' enabled (I've only tested on PHP 4.2.2, though).
    The possible cost of performance perhaps should be taken into account
    on servers with heavy load. But I think it's worth your while having a
    try with it :-)
    
     I've chosen the following cleaning method:
    addslashes(htmlentities($var));
    
     The reason for that is:
    - 1st, all html entities are re-written in a secure way, so no html
    injection is possible. This tries to fight against cross-site
    scripting bugs.
    - 2nd, some dangerous chars (like "quotes" char) are secured. This is
    for avoiding SQL injection problems.
    
     As a side effect, data to be saved in a database will be stored in an
    html'ized form (for instance, a char like "á" will be stored as
    "&aacute;"). It could be an advantage (perhaps it could fix some
    problems with languages and charsets in databases, since we're
    removing strange characters) or a disadvantage (loss of performance,
    since we're using more characters to "encode" a single [special]
    char). Perhaps this is something you can perfectly live with.
    
     Any feedback would also be greatly appreciated (this should be sent
    to me, not to the whole mailing-list).
    
    
      /* Sanitized Vars Routine by RoMaNSoFt (r0manat_private) */

      /* Clean one value: strings get htmlentities() and then addslashes();
         arrays are walked element by element, at any depth. */
      function sanitize_value($value) {
        if (is_array($value)) {
          foreach ($value as $i => $j) {
            $value[$i] = sanitize_value($j);
          }
          return $value;
        }
        return addslashes(htmlentities($value));
      }

      /* Call this at the very top of every .php file: it cleans every
         global, including $_GET, $_POST, $_COOKIE and register_globals copies. */
      function sanitize_vars() {
        foreach ($GLOBALS as $var => $value) {
          /* $GLOBALS holds a reference to itself; skip it or the walk never ends. */
          if ($var == 'GLOBALS') {
            continue;
          }
          $GLOBALS[$var] = sanitize_value($value);
        }
      }
    
    
    
    + Madrid, 2002.10.28 +
     --Roman
    
    PS: Regards to the iZhal crew (subliminal advertising included :-))
    
    --
    PGP Fingerprint:
    09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
    [Key ID: 0xEAD56742. Available at KeyServ]
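The cleaning method from the post, walked through one request/database round trip, as an added example that is not part of the original message or its author's code. It assumes a UTF-8 default charset, passes ENT_COMPAT explicitly to reproduce the htmlentities() default of the post's era, and uses stripslashes() as a stand-in for the database parsing the SQL string literal; the function names (clean_value, constructed_request, value_as_stored, value_for_plain_text) are this example's own.

```php
<?php
// Added example, not code from the original post: the post's cleaning method
// walked through a request/database round trip (database simulated, no SQL runs).

// The post's method. ENT_COMPAT reproduces the htmlentities() default of
// the post's era (double quotes become entities, single quotes are left
// for addslashes() to escape). Nested arrays are walked recursively.
function clean_value($value) {
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = clean_value($v);
        }
        return $value;
    }
    return addslashes(htmlentities($value, ENT_COMPAT, 'UTF-8'));
}

// Constructed request values, as a browser might have sent them.
function constructed_request() {
    return array(
        'name' => "O'Brien",                 // single quote: addslashes() escapes it
        'city' => "M\xc3\xa1laga",           // UTF-8 "á": stored as &aacute;
        'bio'  => '<b onclick="x()">hi</b>', // tags, double quotes: entities
        'tags' => array('a\\b'),             // nested array, backslash
    );
}

// The backslashes exist only to get the value through an SQL string
// literal; the database parser removes them, so the html'ized text is
// what gets stored. stripslashes() stands in for that parsing step.
function value_as_stored($cleaned) {
    return stripslashes($cleaned);
}

// Stored text is already safe to echo into an HTML page and must not be
// passed through htmlentities() again (it would render "&amp;aacute;").
// Where raw characters are needed (mail, CSV, a filename) decode first.
function value_for_plain_text($stored) {
    return html_entity_decode($stored, ENT_COMPAT, 'UTF-8');
}

$cleaned = clean_value(constructed_request());
foreach ($cleaned as $field => $value) {
    foreach ((array) $value as $escaped) {
        $stored = value_as_stored($escaped);
        printf("%-4s escaped for SQL: %s\n", $field, $escaped);
        printf("     stored in DB:    %s\n", $stored);
        printf("     as plain text:   %s\n", value_for_plain_text($stored));
    }
}
```

Run it with the PHP CLI to see each field at the three stages; the "stored in DB" line is the html'ized form the post describes as the side effect.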
    



    This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 08:29:46 PST