
Sanitizing User Input: The Solution - PHP

In this second part of a three-part series on secure PHP programming, you'll learn how to hide the fact that you're using PHP to drive your site, how to hide sensitive data, and more. This article is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

By: Apress Publishing
August 19, 2010

Given the frightening effects that unchecked user input can have on a Web site and its users, one would think that carrying out the necessary safeguards must be a particularly complex task. After all, the problem is so prevalent within Web applications of all types that prevention must be quite difficult, right? Ironically, preventing these types of attacks is really a trivial affair, accomplished by first passing the input through one of several functions before performing any subsequent task with it. Four standard functions are conveniently available for doing so: escapeshellarg(), escapeshellcmd(), htmlentities(), and strip_tags().

Note  Keep in mind that the safeguards described in this section, and frankly throughout the chapter, while effective, offer only a few of the many possible solutions at your disposal. For instance, in addition to the four functions described in this section, you could also typecast incoming data to make sure it meets the requisite types as expected by the application. Therefore, although you should pay close attention to what's discussed in this chapter, you should also be sure to read as many other security-minded resources as possible to obtain a comprehensive understanding of the topic.

Escaping Shell Arguments

The escapeshellarg() function delimits its arguments with single quotes and escapes quotes. Its prototype follows:

string escapeshellarg(string arguments)

The effect is such that when arguments is passed to a shell command, it will be considered a single argument. This is significant because it lessens the possibility that an attacker could masquerade additional commands as shell command arguments. Therefore, in the previously described file-deletion scenario, all of the user input would be enclosed in single quotes, like so:

/opt/inventorymgr '50XCH67YU' '50; rm -rf *'

Attempting to execute this would mean 50; rm -rf * would be treated by inventorymgr as the requested inventory count. Presuming inventorymgr is validating this value to ensure that it's an integer, the call will fail and no real harm will be done.
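The following is an added example, not code from the book, that builds the inventorymgr call described above with escapeshellarg() and then shows the stricter variant the chapter's note alludes to: validating the quantity as an integer before it ever reaches the shell. The program path /opt/inventorymgr, the SKU pattern, and the sample inputs are assumptions for illustration.

```php
<?php
// Added example (not from the book). /opt/inventorymgr, the SKU format and the
// sample inputs are constructed for illustration.
declare(strict_types=1);

// Minimal fix: every user-supplied value becomes exactly one argv entry.
function buildInventoryCommand(string $sku, string $quantity): string
{
    return '/opt/inventorymgr ' . escapeshellarg($sku) . ' ' . escapeshellarg($quantity);
}

// Stricter variant: reject anything that is not a well-formed SKU and a
// non-negative integer, so the hostile value never reaches exec() at all.
function buildValidatedInventoryCommand(string $sku, string $quantity): ?string
{
    // Assumed SKU format: 1 to 16 upper-case alphanumerics.
    if (!preg_match('/^[A-Z0-9]{1,16}$/', $sku)) {
        return null;
    }
    $count = filter_var($quantity, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($count === false) {
        return null;
    }
    // $count is now a real int; escapeshellarg() on the SKU is still cheap insurance.
    return '/opt/inventorymgr ' . escapeshellarg($sku) . ' ' . $count;
}

// Constructed inputs taken from the chapter's scenario.
$sku     = '50XCH67YU';
$hostile = '50; rm -rf *';

// With escapeshellarg() the whole hostile string is one quoted argument,
// which inventorymgr will refuse as a non-integer count.
echo buildInventoryCommand($sku, $hostile), PHP_EOL;

// With validation the hostile input is rejected in PHP (null), while a
// legitimate quantity produces a command line.
var_dump(buildValidatedInventoryCommand($sku, $hostile));
var_dump(buildValidatedInventoryCommand($sku, '50'));
```

Only the validated variant returns null for the hostile input; the first function relies on inventorymgr itself doing the integer check, which is the assumption the text makes.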

Escaping Shell Metacharacters

The escapeshellcmd() function operates under the same premise as escapeshellarg() , but it sanitizes potentially dangerous input program names rather than program arguments. Its prototype follows:

string escapeshellcmd(string command)

This function operates by escaping any shell metacharacters found in the command. These metacharacters include # & ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ .

You should use escapeshellcmd() in any case where the user's input might determine the name of a command to execute. For instance, suppose the inventory-management application is modified to allow the user to call one of two available programs, foodinventorymgr or supplyinventorymgr, by passing along the string food or supply, respectively, together with the SKU and requested amount. The exec() command might look like this:

exec("/opt/".$command."inventorymgr ".$sku." ".$inventory);

Assuming the user plays by the rules, the task will work just fine. However, consider what would happen if the user were to pass along the following as the value to $command :

blah; rm -rf *;

With that value in place, the string handed to exec() would become:

/opt/blah; rm -rf *; inventorymgr 50XCH67YU 50

This assumes the user also passes in 50XCH67YU and 50 as the SKU and inventory number, respectively. These values don't matter anyway because the appropriate inventorymgr command will never be invoked, since a bogus command was passed in to execute the nefarious rm command. However, if this material were to be filtered through escapeshellcmd() first, $command would look like this:

blah\; rm -rf \*\;

This means exec() would attempt to execute the command /opt/blah rm -rf, which of course doesn't exist.
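As an added example (not the book's code), the block below runs the hostile $command value from the text through escapeshellcmd() as described, and then shows the alternative a practitioner would usually prefer when the user merely selects between two known programs: mapping the selector onto a fixed allowlist, so that no user-controlled bytes ever form part of the program name. The paths /opt/foodinventorymgr and /opt/supplyinventorymgr and the sample inputs are assumptions.

```php
<?php
// Added example (not from the book). Program paths and inputs are constructed.
declare(strict_types=1);

// The approach from the text: escape the user-chosen prefix with
// escapeshellcmd() and the remaining values with escapeshellarg().
function escapedCommandLine(string $command, string $sku, string $inventory): string
{
    return '/opt/' . escapeshellcmd($command) . 'inventorymgr '
        . escapeshellarg($sku) . ' ' . escapeshellarg($inventory);
}

// Stricter alternative: the selector is looked up in an allowlist; anything
// not in it is refused outright instead of being escaped.
function allowlistedCommandLine(string $command, string $sku, string $inventory): ?string
{
    $programs = [
        'food'   => '/opt/foodinventorymgr',   // assumed path
        'supply' => '/opt/supplyinventorymgr', // assumed path
    ];
    if (!array_key_exists($command, $programs)) {
        return null;
    }
    return $programs[$command] . ' ' . escapeshellarg($sku) . ' ' . escapeshellarg($inventory);
}

// Constructed hostile selector from the chapter, plus the benign SKU and count.
$hostile = 'blah; rm -rf *;';

// Every ; and * in the selector is backslash-escaped, so the shell sees one
// (non-existent) program name rather than three commands.
echo escapedCommandLine($hostile, '50XCH67YU', '50'), PHP_EOL;

// The allowlist refuses the hostile selector (null) and accepts 'food'.
var_dump(allowlistedCommandLine($hostile, '50XCH67YU', '50'));
var_dump(allowlistedCommandLine('food', '50XCH67YU', '50'));
```

Both functions defeat the injection shown in the text; the allowlist version is simpler to reason about because the only strings that can ever reach exec() are the two paths it defines.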

Please check back for the conclusion to this series.
