PHP Filtering with OWASP
UTF8
Decodes utf-8 encoding which is used to bypass filters. (OWASP A1)
Boolean Check Function
If all we want to do is test a string rather than change it, and get back a boolean, we use the check() function. check() has the same syntax as sanitize().
PHP:
    <?php

    include('sanitize.inc.php');

    $Test = "' OR ''"; //SQL injection attempt
    $Flags = SQL;      //SQL sanitization flag

    if(check($Test, $Flags)){ //Is $Test already sanitized?
        echo 'yes';           //Yes it is
    } else {
        echo 'no';            //No it isn't
    }
    ?>
The if statement receives a boolean from check() telling it whether $Test is already sanitized. Here $Test is not, so the script echoes "no".
Combining Filters
In the source of the OWASP file is the following set of lines:
    PHP:
    define("PARANOID", 1);
    define("SQL", 2);
    define("SYSTEM", 4);
    define("HTML", 8);
    define("INT", 16);
    define("FLOAT", 32);
    define("LDAP", 64);
    define("UTF8", 128);
If you were to replace PARANOID with 1 in the sanitize() call, you would get the same result. To combine filters, we can add them together.

PHP:
    <?php

    include('sanitize.inc.php');

    $Test = "<script>' or ''</script>"; //XSS and injection attack
    $Flags = HTML + SQL; //Add 2 filters to sanitization (each flag is a distinct bit, so adding sets both bits)

    //Available flags: PARANOID, SQL, SYSTEM, HTML, INT, FLOAT, LDAP, UTF8

    echo sanitize($Test, $Flags);

    ?>
This will return the input with its HTML special characters entity-encoded and its quotes escaped, so the browser will not interpret it as markup but will render the literal text "<script>' or ''</script>". It is now "safe" to query a database with that variable, and also to display it on screen.
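The following is an added example, not code from the article or from the OWASP sanitize.inc.php library. It shows how the flag constants quoted above combine as a bitmask, how a sanitize() routine can test each bit, and how a check() routine can be derived from sanitize() (a string is "clean" if sanitizing it changes nothing). The function names sanitize_demo() and check_demo(), the filter bodies, and the sample inputs are all assumptions made for this example; only four of the eight flags are implemented here.

```php
<?php
// Added example: a minimal stand-in for the flag mechanism described in the
// article. Constant values match the defines quoted above; the filter
// bodies are simplified assumptions, not the library's own code.

define("PARANOID", 1);
define("SQL", 2);
define("SYSTEM", 4);
define("HTML", 8);
define("INT", 16);
define("FLOAT", 32);
define("LDAP", 64);
define("UTF8", 128);

// Apply every implemented filter whose bit is set in $flags, in a fixed
// order. Order matters: SQL escaping runs before HTML encoding here, so the
// backslashes it adds are themselves left intact by htmlspecialchars().
function sanitize_demo(string $input, int $flags): string
{
    $out = $input;
    if ($flags & INT) {
        $out = (string) (int) $out;          // keep only a leading integer
    }
    if ($flags & FLOAT) {
        $out = (string) (float) $out;        // keep only a leading number
    }
    if ($flags & SQL) {
        // Assumption: backslash-escape quotes. A real application should use
        // prepared statements rather than rely on this.
        $out = addslashes($out);
    }
    if ($flags & HTML) {
        $out = htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
    }
    if ($flags & PARANOID) {
        $out = preg_replace('/[^A-Za-z0-9\s]/', '', $out);  // alphanumerics only
    }
    return $out;
}

// Boolean check: the input passes if sanitizing it leaves it unchanged.
function check_demo(string $input, int $flags): bool
{
    return sanitize_demo($input, $flags) === $input;
}

// Constructed sample inputs for this example (not from the article).
$samples = [
    ["' OR ''",                  SQL],
    ["<script>' or ''</script>", HTML | SQL],  // same bits as HTML + SQL
    ["plain text 123",           HTML | SQL],
    ["42abc",                    INT],
];

foreach ($samples as [$input, $flags]) {
    printf("%-26s flags=%3d clean=%-3s -> %s\n",
        $input,
        $flags,
        check_demo($input, $flags) ? 'yes' : 'no',
        sanitize_demo($input, $flags));
}
```

Combining flags with `|` rather than `+` is the safer habit: adding the same flag twice with `+` silently produces a different flag, while OR-ing it twice is harmless. The output of sanitize_demo() is only meaningful for the contexts its filters target; for SQL in particular, parameterized queries are the control to rely on, with escaping as a secondary layer.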
These filters take a large chunk of the sanitization work off your hands, but there is still the issue of string length. With PHP, the substr function will take care of that. These filters are hardly an end-all solution, but they provide a good drop-in solution that will be strengthened by other developers. Good luck and safe filtering!
This article originally appeared on AntiOnline.com.



