A Web developer’s typical day is anything but boring, with any number of fascinating technologies to explore. Over time, the breadth of knowledge that any cutting-edge developer is expected to accumulate has continued to grow, with the proliferation of Ajax-, iPad- and location-based applications becoming an omnipresent part of any organization’s online strategy.
With so much potential for distraction, it’s no wonder that developers continue to fall victim to the very same security gaffes that have afflicted the community for well over a decade. Notably, failure to properly validate user input remains the single most serious security issue, with several of the Open Web Application Security Project’s top ten security risks originating directly from this oversight.
A Recipe for Disaster
How serious is the problem of improperly validating user data? Consider the commonly applied approach of sending a one-time URL to a user’s email address in order to recover their password. Many such solutions allow users to paste the random key into a password recovery form rather than click on the URL. Because this random key is usually quite lengthy, often 32 characters, the chances of somebody exploiting this feature to attack the website is negligible, right? You’re so confident of this impossibility that you quickly create the following PHP script, which updates the account that is associated with the provided key:
<?php
// Vulnerable as written: both POST values are interpolated straight into the SQL string.
$db = new mysqli("localhost", "webuser", "secret", "corporate_prod");
$key = $_POST['key'];
$password = $_POST['password'];
$query = "UPDATE accounts SET password = '{$password}' WHERE recovery_key = '{$key}'";
$result = $db->query($query);
However, a malicious user armed with a basic understanding of how the one-time URL works passes not the random recovery key but the string "' OR ''='" into the recovery form, meaning that the query sent to the MySQL database looks like this:

UPDATE accounts SET password = 'iownyou' WHERE recovery_key = '' OR ''=''
When executed, this odd-looking SQL statement will change every account password in the accounts table, because the WHERE clause is now true for every row. Suffice to say, this isn’t the sort of password recovery feature you had in mind. While this particular dilemma could be avoided by using prepared statements, it nonetheless highlights the considerable danger of not properly validating user input. Fortunately, with PHP 5.2 came an incredibly easy way to ensure that user input fits expectations!
Introducing the Filter Extension
An official part of the PHP distribution as of the 5.2.0 release, the Filter extension offers developers an easy way to validate and sanitize user input. Validation is useful in instances where input absolutely must fit a certain requirement such as a syntactically valid email address or an integer value such as a user’s age. Sanitization is useful in cases where the input might need to be cleaned up a bit before it’s accepted, such as removing disallowed HTML tags from a blog comment.
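As an added example (not the article's own code), here is the recovery-form handler from the previous section rebuilt with the Filter extension: the key is validated with filter_var() before it reaches the database, and the UPDATE is sent as a prepared statement. It assumes recovery keys are 32 lowercase hexadecimal characters; the table and column names are the article's.

```php
<?php
// Added example, not the article's code. Assumption: a recovery key is
// exactly 32 lowercase hex characters, so anything else is rejected outright.

// Validate the key: filter_var() returns the key on success and false on failure.
function validate_recovery_key(string $key)
{
    return filter_var($key, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[0-9a-f]{32}$/'],
    ]);
}

// Constructed inputs: a well-formed key and the injection string from the article.
$inputs = [
    '0123456789abcdef0123456789abcdef',
    "' OR ''='",
];
foreach ($inputs as $input) {
    $ok = validate_recovery_key($input) !== false;
    printf("%-40s => %s\n", var_export($input, true), $ok ? 'accepted' : 'rejected');
}

// Handler: validate first, then bind the values instead of interpolating them,
// so even a key that slipped past validation could not alter the query's structure.
function reset_password(mysqli $db, string $key, string $password): int
{
    $key = validate_recovery_key($key);
    if ($key === false) {
        // Treated the same as an unknown key: no rows are updated.
        return 0;
    }
    // The article stores the raw password; in practice bind a password_hash() result here.
    $stmt = $db->prepare(
        'UPDATE accounts SET password = ? WHERE recovery_key = ?'
    );
    $stmt->bind_param('ss', $password, $key);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Usage with the article's connection parameters (needs a live MySQL server):
// $db = new mysqli("localhost", "webuser", "secret", "corporate_prod");
// $rows = reset_password($db, $_POST['key'] ?? '', $_POST['password'] ?? '');
```

Run from the command line, the loop prints that the hex key is accepted and the injection string is rejected before any query is built.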