Hi,
When we are working with GET, POST or COOKIE data, at least myself, I am wondering "what if someone is trying to hijack the code?". So I am trying to convert all params I get from those sources using various techniques. Let me show you one simple case (before using Zend Framework; now trying to upgrade this side to ZF too):

    if (isset($_GET["page"])) {
        $page = $_GET["page"] = intval($_GET["page"]);
    } else {
        $page = "1";
    }

In this case the param is a number, but anyway, it can even be a small text (not necessarily without any other characters: maybe it is a product name, Metal-Pieces or similar). So, which would be the best technique to ensure someone is not trying to force your code? Could it even be an attempt to SQL inject your database? Of course Zend_Db provides mechanisms (->quote() or others) to defend against such things, but maybe it is better to try stopping everything from the beginning... on GET, POST, and so on. So, any opinions?
__________________
Zend Framework Tutorials | Zend Framework Forums | Zend Framework IRC Channel | | Zend Framework Resources | CoreShifter | Microsoft Forums | Microsoft Links | Microsoft Books |
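An added example (not code from the thread) of the approach the post is asking about: allowlist every request parameter before it reaches any query. The page number goes through filter_var() with FILTER_VALIDATE_INT rather than intval(), because intval() silently turns "12abc" into 12 and "1e3" into 1 instead of rejecting them; the product name is checked against a strict pattern so that quotes, spaces and comment markers never get through. The request arrays at the bottom are constructed test inputs, and the function names are my own.

```php
<?php
// Added example: allowlist validation of GET parameters in plain PHP.
// readPageParam() and readProductName() are illustrative names, not a ZF API.

/**
 * Return the page number, or $default when the parameter is absent or is not
 * a positive integer. FILTER_VALIDATE_INT rejects "12abc", "1e3" and "0x1A"
 * outright, whereas intval() would coerce them to 12, 1 and 0.
 */
function readPageParam(array $params, $default = 1, $max = 100000)
{
    if (!isset($params['page']) || !is_string($params['page'])) {
        return $default;
    }
    $page = filter_var($params['page'], FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => $max)));
    return ($page === false) ? $default : $page;
}

/**
 * Return a product name such as "Metal-Pieces" only if it consists of
 * letters/digits separated by single hyphens and is at most 64 bytes long.
 * Anything else (quotes, spaces, "--", NUL bytes, arrays) yields null.
 */
function readProductName(array $params, $key = 'product')
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        return null;
    }
    $name = $params[$key];
    if (strlen($name) > 64) {
        return null;
    }
    // \A and \z anchor the whole string; "$" alone would allow a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*\z/', $name)) {
        return null;
    }
    return $name;
}

// Constructed requests: a clean one, two injection/abuse attempts, an empty one.
$requests = array(
    array('page' => '3',     'product' => 'Metal-Pieces'),
    array('page' => '12abc', 'product' => "Metal-Pieces' OR '1'='1"),
    array('page' => '-1',    'product' => 'Metal--Pieces'),
    array(),
);

foreach ($requests as $i => $get) {
    $page = readPageParam($get);
    $name = readProductName($get);
    printf("request %d: page=%d product=%s\n",
        $i, $page, ($name === null) ? 'REJECTED' : $name);
}
```

Validation like this is a first layer, not a replacement for quoting: the values that pass still go into SQL through $db->quoteInto('product_name = ?', $name) or bound parameters, because not every column you query will have an allowlist as narrow as a page number or a slug.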
personally, I would use $page = (int) $value; instead...
As for input parameters, the only way to keep yourself safe is to validate everything. Zend_Filter and Zend_Validate do make this a lot easier because you can write your own 'filters' and 'validators'. And of course we are in the ZF forums so I am biased here.
__________________
Zym Framework - A Zend Framework extension library w/ demo app SpotSec Blog: http://spotsec.com/blog |
Ok, I think the best idea is to write my own filters and validators then.
Because the same situation comes up on most sites, I guess the best thing is to make some filters and validators and reuse them for each project.
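An added example (my own code, not from the thread or from the framework) of the reusable filter and validator classes the two previous posts talk about, written against the ZF 1.x Zend_Filter_Interface and Zend_Validate_Abstract contracts and chained with Zend_Filter and Zend_Validate. It assumes the Zend library directory is on the include path; the My_Filter_Slug and My_Validate_Slug class names and the sample inputs at the bottom are mine.

```php
<?php
// Added example: a reusable filter/validator pair for product "slugs" such as
// Metal-Pieces, built on ZF 1.x base classes. Assumes Zend/ is on include_path.
require_once 'Zend/Filter/Interface.php';
require_once 'Zend/Filter.php';
require_once 'Zend/Filter/StringTrim.php';
require_once 'Zend/Validate/Abstract.php';
require_once 'Zend/Validate.php';
require_once 'Zend/Validate/StringLength.php';

/** Normalises input: trims it and collapses runs of whitespace/hyphens to one hyphen. */
class My_Filter_Slug implements Zend_Filter_Interface
{
    public function filter($value)
    {
        $value = trim((string) $value);
        return preg_replace('/[\s-]+/', '-', $value);
    }
}

/** Accepts only groups of [A-Za-z0-9] separated by single hyphens. */
class My_Validate_Slug extends Zend_Validate_Abstract
{
    const NOT_SLUG = 'notSlug';

    protected $_messageTemplates = array(
        self::NOT_SLUG => "'%value%' contains characters other than letters, digits and hyphens",
    );

    public function isValid($value)
    {
        $this->_setValue($value);
        if (!is_string($value)
            || !preg_match('/\A[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*\z/', $value)) {
            $this->_error(self::NOT_SLUG);
            return false;
        }
        return true;
    }
}

// Chains are built once and can be reused in every action (or every project).
$filterChain = new Zend_Filter();
$filterChain->addFilter(new Zend_Filter_StringTrim())
            ->addFilter(new My_Filter_Slug());

$validatorChain = new Zend_Validate();
// true = stop the chain on the first failure, so the slug check never sees '' .
$validatorChain->addValidator(new Zend_Validate_StringLength(1, 64), true)
               ->addValidator(new My_Validate_Slug());

/** Returns array($cleanValue, $errorMessages); $cleanValue is null on failure. */
function cleanProductName($raw, Zend_Filter $filters, Zend_Validate $validators)
{
    $clean = $filters->filter($raw);
    if (!$validators->isValid($clean)) {
        return array(null, $validators->getMessages());
    }
    return array($clean, array());
}

// Constructed inputs: untidy but acceptable, an injection attempt, and empty.
foreach (array('  Metal   Pieces ', "Metal-Pieces' OR '1'='1", '') as $raw) {
    list($name, $errors) = cleanProductName($raw, $filterChain, $validatorChain);
    echo ($name === null)
        ? "rejected: " . implode('; ', $errors) . "\n"
        : "ok: $name\n";
}
```

The filter runs before the validator on purpose: the filter only normalises harmless variation (whitespace, repeated hyphens), and the validator is the gate that decides; if the validator were the one trying to "clean" hostile input you would be back to guessing what an attacker might send.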
< Comment after 0.9.0 was released >
Zend_Input_Filter is no longer in ZF, so I guess that's a bad thing; applications would be less secure then...
not necessarily, security is only as good as the programmer makes it (or doesn't make it)
Yes, but an easier API for the security side would help...
Yes, Zend_Input_Filter is no longer in ZF, but there's Zend_Filter instead.
actually, I think it is coming back in 1.0 as Zend_Filter_Input
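An added example (mine, not from the thread) of what the component that came back as Zend_Filter_Input in ZF 1.0 looks like in use: one declarative rule set per request, with filters applied first and validators second, per field. Only built-in filter and validator names are used. It assumes the Zend library is on the include path; the checkRequest() function name, the 10000 page cap and the sample request arrays are my own, and $_GET is replaced by those arrays so it runs from the command line.

```php
<?php
// Added example: declarative per-field filtering and validation of a request
// array with Zend_Filter_Input (ZF 1.0+). Assumes Zend/ is on include_path.
require_once 'Zend/Filter/Input.php';

/**
 * Returns array($isValid, $resultOrMessages, $unknownFields).
 * On success the second element holds the cleaned values; on failure it holds
 * the per-field validator messages.
 */
function checkRequest(array $data)
{
    // Filters run first. '*' applies to every field. Deliberately no 'Int'
    // filter on page: (int)"12abc" would quietly become 12 and then validate.
    $filters = array(
        '*' => 'StringTrim',
    );

    // Validators run on the filtered values. Array entries are
    // array(validatorName, constructorArg1, constructorArg2, ...).
    $validators = array(
        'page' => array(
            'Int',
            array('Between', 1, 10000),
            'presence' => 'optional',
            'default'  => 1,
        ),
        'product' => array(
            array('Regex', '/^[A-Za-z0-9]+(-[A-Za-z0-9]+)*$/'),
            array('StringLength', 1, 64),
            'presence' => 'required',
        ),
    );

    $input = new Zend_Filter_Input($filters, $validators, $data);

    if (!$input->isValid()) {
        return array(false, $input->getMessages(), $input->getUnknown());
    }

    // getUnescaped() gives the raw validated value (for SQL, still bound with
    // quoteInto()/placeholders); getEscaped() would HTML-escape it for output.
    $clean = array(
        'page'    => (int) $input->getUnescaped('page'),
        'product' => $input->getUnescaped('product'),
    );
    return array(true, $clean, $input->getUnknown());
}

// Constructed requests: valid, two attacks, missing page + unknown field, missing product.
$samples = array(
    array('page' => ' 3 ',   'product' => 'Metal-Pieces'),
    array('page' => '12abc', 'product' => "Metal-Pieces' OR '1'='1"),
    array('product' => 'Metal-Pieces', 'debug' => '1'),
    array('page' => '2'),
);

foreach ($samples as $i => $get) {
    list($ok, $result, $unknown) = checkRequest($get);
    echo "request $i: ", ($ok ? 'valid ' : 'invalid '), json_encode($result);
    if ($unknown) {
        echo ' (unknown fields ignored: ', implode(',', array_keys($unknown)), ')';
    }
    echo "\n";
}
```

Fields that are not in the rule set are reported by getUnknown() but never reach the cleaned values, which is the "stop everything at the beginning" behaviour the first post asked for; a field you forgot to declare is dropped rather than passed through.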