Explore the security of PHP Data filtering. At the beginning of the guide, we said that data filtering in any language and platform is the cornerstone of WEB application security. This includes checking the data input to the application and the data output from the application inAt the beginning of the guide, we said that data filtering in any language and platform is the cornerstone of WEB application security. This includes testing the data input to the application and the data output from the application. a good software design can help developers:
Ensure that PHP Data filtering cannot be bypassed, ensure that invalid information does not affect valid information, and identify the data source.
There are a variety of ideas on how to ensure that data filtering cannot be bypassed, and two of them are more common and provide higher level of protection than others.
PHP Data filtering scheduling method
This method uses a single PHP script for scheduling (via URL ). Any other operations include or require when necessary. In this method, each URL needs to pass a separate GET variable for scheduling. This GET variable can be considered as a simpler design to replace the script name. For example:
Http://example.org/dispatch.php? Task = print_formdispatch.php is the only root file (Document root ). It allows developers to do two very important tasks:
At the beginning of dispatch. php, we implemented some global security processing and ensured that these processing could not be bypassed. It is easy to determine where data filtering is necessary, especially for some special control flow operations. Take the following example to further discuss the dispatch. php script:
- <? Php
- /* Global security processing */
- Switch ($ _ GET ['task']) {case
'Print _ form': include '/inc/
Presentation/form. inc ';
- Break;
- Case 'process _ form': $ form_valid = false;
- Include '/inc/logic/process. Inc ';
- If ($ form_valid) {include '/inc/
Presentation/end. inc ';} else {include
'/Inc/presentation/form. Inc ';}
Break; default: include '/inc/presentation
/Index. inc ';
- Break;
- }
- ?>
If this is the only publicly accessible PHP script, it is certain that the design of this program ensures that the global security processing cannot be bypassed at the beginning. At the same time, developers can easily see the control process of specific tasks. For example, you do not need to browse the entire code to easily know: when $ form_valid is true, end. inc is unique to the user; because it is in process. before inc is included, it is initialized to false. it can be determined that process. inc's internal logic sets it to true; otherwise, the form is displayed again (related error messages may be displayed ).
PHP Data filtering considerations
If you use Directory-oriented files such as index. php (instead of dispatch. php), you can use URL address: http://example.org /? Task = print_form.
You can also use ApacheForceType redirection or mod_rewrite to adjust the URL address: http://example.org/app/print-form.
PHP Data filtering inclusion method
Another way is to use a separate module, which is responsible for all security processing. This module is included in the front-end (or very front-end) of all open PHP scripts ). Refer to the following script security. inc.
- < ?php
- switch ($_POST['form'])
- {case 'login':
- $allowed = array();
- $allowed[] = 'form';
- $allowed[] = 'username';
- $allowed[] = 'password';
- $sent = array_keys($_POST);
- if ($allowed == $sent)
- {include '/inc/logic/
process.inc';}
- break;
- }
- ?>
In this PHP Data filtering example, each submitted form is considered to contain the unique verification value of form, and security. inc independently processes the data to be filtered by 0 in the form. The HTML form to implement this requirement is as follows:
- < form. action="/receive.php"
method="POST">
- name="form" value="login" />
- < p>Username:
-
- < /p>
- < p>Password:type="password" name="password" />
- < /p>
- < input type="submit" />
- < /form>
The $ allowed array is used to check which form variable is allowed. this list should be consistent before the form is processed. Process control determines what to execute, and process. inc is the place where the filtered data arrives.
Note:
To ensure that security. inc is always included in the beginning of each script, use auto_prepend_file.
Example of PHP Data Filtering
Setting up a whitelist is very important for PHP Data filtering. Since it is impossible to give an example of every possible form data, some examples can help you have a general understanding of this.
The following code verifies the email address:
- < ?php
- $clean = array();
- $email_pattern = '
/^[^@s<&>]+@([-a-z0-9]+.)
+[a-z]{2,}$/i';
- if (preg_match($email_
pattern, $_POST['email']))
- {$clean['email'] = $_POST
['email'];}
- ?>
The following PHP Data filtering code ensures that the content of $ _ POST ['color'] is red, green, or blue:
- < ?php
- $clean = array();
- switch ($_POST['color'])
{case 'red':case 'green':case
'blue':$clean['color'] =
$_POST['color'];
- break;
- }
- ?>
The following PHP Data filtering code ensures that $ _ POST ['num'] is an integer ):
- < ?php
- $clean = array();
- if ($_POST['num'] ==
strval(intval($_
POST['num']))){$clean
['num'] = $_POST['num'];
- }
- ?>
The following PHP Data filtering code ensures that $ _ POST ['num'] is a floating point number (float ):
- < ?php
- $clean = array();
- if ($_POST['num'] ==
strval(floatval($_POST
['num']))){$clean['num']
= $_POST['num'];
- }
- ?>
Name conversion for PHP Data Filtering
In the previous example, an array $ clean is used. It is a good habit for developers to determine whether data has potential threats. Never save the data in $ _ POST or $ _ GET after verification. as a developer, you should always be skeptical about the data stored in the Super Global array.
It should be added that using $ clean can help you think about what else is not filtered, which is more like a whitelist. This improves the security level.
If you only save the verified data to $ clean, the only risk in data verification is that the referenced array element does not exist, rather than the unfiltered hazardous data.
PHP Data filtering time
Once the PHP script starts to be executed, it means that all HTTP requests have ended. In this case, the user has no chance to send data to the script. Therefore, no data can be input to the script (even when register_globals is enabled ). This is why initialization of variables is a good habit.
At the beginning of the guide, we said that data filtering in any language and platform is the cornerstone of WEB application security. This includes verifying the data input to the application and the data output from the application...