
Sanitizing Input with PHP

In this seventh part of an eight-part article series on using PHP commands with your file and operating systems, you'll learn how and why to sanitize user input. This article is excerpted from chapter 10 of the book Beginning PHP and PostgreSQL 8: From Novice to Professional, written by W. Jason Gilmore and Robert H. Treat (Apress; ISBN: 1590595475).

By: Apress Publishing
December 12, 2011



System-Level Program Execution

Truly lazy programmers know how to make the most of their entire server environment when developing applications, which includes exploiting the functionality of the operating system, file system, installed program base, and programming languages whenever necessary. In this section, you'll learn how PHP can interact with the operating system to call both OS-level programs and third-party installed applications. Done properly, it adds a whole new level of functionality to your PHP programming repertoire. Done poorly, it can be catastrophic not only to your application, but also to your server's data integrity. That said, before delving into this powerful feature, take a moment to consider the topic of sanitizing user input before passing it to the shell level.

Sanitizing the Input

Neglecting to sanitize user input that may subsequently be passed to system-level functions could allow attackers to do massive internal damage to your information store and operating system, deface or delete Web files, and otherwise gain unrestricted access to your server. And that's only the beginning.

Note: See Chapter 21 for a discussion of secure PHP programming.

As an example of why sanitizing the input is so important, consider a real-world scenario. Suppose that you offer an online service that generates PDFs from an input URL. A great tool for accomplishing just this is HTMLDOC, a program that converts HTML documents to indexed HTML, Adobe PostScript, and PDF files. HTMLDOC (http://www.htmldoc.org/) is released under the GNU General Public License. HTMLDOC can be invoked from the command line, like so:

%>htmldoc --webpage -f webpage.pdf http://www.wjgilmore.com/

This would result in the creation of a PDF named webpage.pdf, which would contain a snapshot of the Web site's index page. Of course, most users will not have command-line access to your server; therefore, you'll need to create a much more controlled interface to the service, the most obvious being a Web page. Using PHP's passthru() function (introduced later in this chapter), you can call HTMLDOC and return the desired PDF, like so:

<?php
// Vulnerable: the submitted URL is interpolated straight into the shell command.
$document = $_POST['userurl'];
passthru("htmldoc --webpage -f webpage.pdf $document");

What if an enterprising attacker took the liberty of passing through additional input, unrelated to the desired HTML page, entering something like this:

http://www.wjgilmore.com/ ; cd /usr/local/apache/htdocs/; rm -rf *

Most Unix shells would interpret the passthru() request as three separate commands. The first is:

htmldoc --webpage -f webpage.pdf http://www.wjgilmore.com/

The second command is:

cd /usr/local/apache/htdocs/

And the final command is:

rm -rf *

Those last two commands were certainly unexpected, and could result in the deletion of your entire Web document tree. One way to safeguard against such attempts is to sanitize user input before it is passed to any of PHP's program execution functions. Two standard functions are conveniently available for doing so: escapeshellarg() and escapeshellcmd(). Each is introduced in this section.
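The following is an added example, not code from the book: a hardened version of the passthru() call shown above. It validates the submitted URL before it reaches the shell and wraps it in escapeshellarg() so the shell treats it as one literal argument; the helper names validate_url() and build_htmldoc_command() and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example (not from the book): hardened handling of the user-supplied URL.

// Accept only an absolute http(s) URL. Anything else is rejected outright, so
// input containing shell metacharacters such as ';' never reaches the command line.
function validate_url(string $input): ?string
{
    $url = trim($input);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Build the HTMLDOC command line. escapeshellarg() single-quotes the argument
// and escapes embedded single quotes, so even a URL that passed validation is
// handed to htmldoc as a single argument rather than parsed by the shell.
function build_htmldoc_command(string $url): string
{
    return 'htmldoc --webpage -f webpage.pdf ' . escapeshellarg($url);
}

// Constructed sample inputs (hypothetical): a legitimate URL, and the
// multi-command input quoted in the text above.
$samples = [
    'http://www.wjgilmore.com/',
    'http://www.wjgilmore.com/ ; cd /usr/local/apache/htdocs/; rm -rf *',
];

foreach ($samples as $input) {
    $url = validate_url($input);
    if ($url === null) {
        echo "Rejected: $input\n";   // the second sample ends up here
        continue;
    }
    // In a real handler this string would be passed to passthru().
    echo 'Would run: ' . build_htmldoc_command($url) . "\n";
}
```

Validation and escaping are two separate layers: the first rejects input that is not a URL at all, and the second ensures that whatever does get through cannot be split into additional commands.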
