Message Icon:*
url email imgsrc image php hide code quote
English Nederlands 
alignleft aligncenter alignright bold italic underline linethrough   



Re: Auditing Code (security wise)

by skenow on 6/9/2008 7:24:36

PHP 5.2+ has filters for sanitizing and validating many types of input - we should be taking a close look at these, since we have gone php5 with 1.1.

Here's a slideshow from the PHP web site about input filters

General security talks are here -

Another good one is by Rasmus Lerdorf -
Re: Auditing Code (security wise)

by skenow on 28/5/2008 4:42:05

A very nice summary, Zaphod!


- Check the data type is as expected. Functions include:

+ Is_string()

+ Is_numeric() // will also return true if data is a string containing a number

+ Is_float() // remember data passed in by form is typed as string

+ Is_array()

+ Is_object()

+ Ctype functions permit more specific screening of input (see PHP manual).

Properly casting the variables is important for many reasons, just be aware of your options and the impact on performance.

Similarly, I feel if the data and variables are handled properly, the numeric values in sql strings don't need quotes, which also improves performance of the database. By proper handling I mean -
* The variable has been declared and initialized
* The input has been sanitized
* The input has been encoded, if appropriate
* The input has been validated, and
* The input has been cast as the expected type (int, float, string, array)

In fact, using string values in the query when the field type is numeric can lead to different results -
Re: Auditing Code (security wise)

by davidl2 on 28/5/2008 4:23:22

Good thinking Giba - and if anyone has any additional advice to add to this, please do so!
Re: Auditing Code (security wise)

by GibaPhp on 28/5/2008 4:00:48

Exelent Zaphod

Added in Wiki:Auditing Code
Re: Auditing Code (security wise)

by davidl2 on 28/5/2008 3:43:22

I'd also add that if you're using a system like ours - perhaps making usage of other security methods, purifyier, trustpath etc is a must...