Good security method?


24 replies to this topic

#1 mikelbring

mikelbring

    CC Addict

  • Advanced Member
  • 117 posts

Posted 29 October 2008 - 09:11 AM

I got tired of cleaning all my variables every time I had to read a POST/GET, so I came up with this method, and I just wanted to know what everyone thought and if it would work pretty well. Both of these functions are in my secure.class, and I run the lockcode function in my global.php, which is included in every file.


private function condom($value){
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

public function lockcode(){
    return $_REQUEST = array_map($this->condom, $_REQUEST);
    return $_GET = array_map($this->condom, $_GET);
    return $_POST = array_map($this->condom, $_POST);
    return $_COOKIE = array_map($this->condom, $_COOKIE);
}

  • 0

Realize the Web Web services and design.
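Editor's added example (not the poster's code, and not from the thread): the reason a blanket "escape everything on the way in" step does not make queries safe is that mysql_real_escape_string() only neutralises quote and backslash characters, so any value that lands in an unquoted numeric context (WHERE id = $id) is still injectable. mysql_real_escape_string() needs a live MySQL connection, so addslashes() stands in for it here (assumption: both leave a quote-free payload untouched), and the table is an in-memory SQLite database built inline through pdo_sqlite (assumed available). The users rows and the attacker input are constructed for the demo.

```php
<?php
// Added example. Mirrors the original post's condom() logic (skip numerics,
// escape everything else) and shows it failing in an unquoted numeric context,
// then the same lookup done with a bound parameter.

function escapeLikeCondom(string $value): string
{
    if (!is_numeric($value)) {
        $value = addslashes($value); // stand-in for mysql_real_escape_string() (assumption)
    }
    return $value;
}

function makeDb(): PDO
{
    // Constructed sample data; pdo_sqlite is assumed to be installed.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', 0), (2, 'bob', 0), (3, 'root', 1)");
    return $pdo;
}

// Vulnerable: the "cleaned" value is interpolated into SQL text. Because the
// column is numeric there are no quotes around it, so escaping has nothing to act on.
function findByIdEscaped(PDO $pdo, string $rawId): array
{
    $id  = escapeLikeCondom($rawId);
    $sql = "SELECT name FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is validated at the point of use and bound as a typed
// parameter, so it can never become part of the SQL statement itself.
function findByIdPrepared(PDO $pdo, string $rawId): array
{
    if (!ctype_digit($rawId)) {
        return []; // reject anything that is not a plain decimal id
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo     = makeDb();
$payload = '1 OR 1=1'; // constructed attacker input: contains no quote characters at all

// is_numeric($payload) is false, so condom() "escapes" it, which changes nothing,
// and the WHERE clause becomes: id = 1 OR 1=1
var_dump(findByIdEscaped($pdo, '2'));
var_dump(findByIdEscaped($pdo, $payload));

// The same payload never reaches the SQL text here.
var_dump(findByIdPrepared($pdo, $payload));
var_dump(findByIdPrepared($pdo, '3'));
```

The second findByIdEscaped() call returns every user, including the admin row, even though the escaping step ran exactly as designed. Escaping is a property of one output context (a quoted MySQL string literal); applying it once to all of $_GET/$_POST/$_COOKIE at startup cannot know which context each value will end up in, which is why the value should be bound or validated where the query is built.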


#2 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 29 October 2008 - 09:59 AM

Are these functions part of a class? I notice you use $this->. Also, most people pass array_map a string of the function name, i.e.:


array_map("condom", $_GET)


Your lockcode function does not work. You have four return variables with no conditions. It will always return $_REQUEST even if no POST or GET variables are set. The 3 return statements under it will never execute. Why do you even have a lockcode function?

You also have return $_REQUEST which will get both POST and GET but then you also have return POST and GET below it - pointless to use REQUEST.

Why do you only add slashes if it is numeric?


if (!is_numeric($value)) {


?? If you are going to use the data for a MySQL query you should use that function on all input (tainted) data. Why do you even


private function condom(&$value){
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $value = mysql_real_escape_string($value);

    return $value;
}


Now just pass the variables by reference:


array_walk_recursive($_GET, 'condom');
array_walk_recursive($_POST, 'condom');
array_walk_recursive($_COOKIE, 'condom');

  • 0

#3 Xav

Xav

    CC Mentor

  • VIP Member
  • 8356 posts

Posted 29 October 2008 - 10:24 AM

condom()? LOL!
  • 0

#4 John

John

    CC Mentor

  • Moderator
  • 4450 posts
  • Location:New York, NY

Posted 29 October 2008 - 10:40 AM

As Jordan pointed out, I am not certain this is valid:

$_REQUEST = array_map($this->condom, $_REQUEST);

For many functions that take callbacks, the syntax for class methods is (not actually sure if this is right, but it works for other functions):

$_REQUEST = array_map(array($this, "condom"), $_REQUEST);

However, it is better to use the array_walk_recursive function (using the same idea).
  • 0

#5 mikelbring

mikelbring

    CC Addict

  • Advanced Member
  • 117 posts

Posted 29 October 2008 - 12:59 PM

Well, I haven't tested your idea, but I do not get any errors when I run the code. It will not hurt to return it if it is not, but I will try your method.

Edit:

Both lockcode and condom are in my secure class, which is the reason I have $this->. But with array_walk_recursive, how would I apply $this->condom, or should I just put condom in the same function as lockcode? I tried array_walk_recursive($_GET, '$this->condom'); but got an error.
  • 0



#6 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 29 October 2008 - 01:22 PM

It should work as John states above:


array_walk_recursive($_REQUEST, array($this, "condom")); // modifies $_REQUEST in place and returns true/false, so the result must not be assigned back to $_REQUEST


Interesting though, I didn't know you could pass $this->function to array_map. I'll have to do some testing with that.
  • 0
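Editor's added example (not code from the thread): a working form of the class-method callback that John (#4) and Jordan (#6) describe. The two mechanics it demonstrates are that array_walk_recursive() hands each leaf value to the callback by reference and returns a bool (so assigning its result back to the array would replace $_POST with true), and that a private method of the same class can be passed as array($this, 'condom') from inside that class. mysql_real_escape_string() needs a MySQL connection, so the class takes any escaper callable (an assumption for the demo; addslashes is used below) and get_magic_quotes_gpc() is guarded with function_exists() because it no longer exists in current PHP. The nested input array is constructed to look like a $_POST payload; no real superglobal is touched.

```php
<?php
// Added example: class-method callback with array_walk_recursive(), by reference.

class Secure
{
    /** @var callable(string):string */
    private $escaper;

    public function __construct(callable $escaper)
    {
        $this->escaper = $escaper; // assumption: any string->string escaper, e.g. 'addslashes'
    }

    // Callback for array_walk_recursive(): $value arrives by reference, $key is the leaf key.
    // Nested arrays are descended into by the walker, so only scalar leaves reach this method.
    private function condom(&$value, $key): void
    {
        if (!is_string($value)) {
            return; // leave ints, floats, bools and nulls untouched
        }
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value); // undo the automatic slashes of pre-5.4 PHP
        }
        $value = ($this->escaper)($value);
    }

    // Walks one input array (e.g. $_POST) in place. array($this, 'condom') is the
    // classic callable form; [$this, 'condom'] is the same thing in short syntax.
    // A private method is callable here because the call is made from inside the class.
    public function lockcode(array &$input): bool
    {
        return array_walk_recursive($input, array($this, 'condom'));
    }
}

function demo(): array
{
    $secure = new Secure('addslashes');

    // Constructed sample shaped like a nested $_POST (not real request data).
    $post = [
        'user' => "O'Brien",
        'tags' => ['a"b', 42, ['deep' => 'x\\y']],
    ];

    $secure->lockcode($post);    // correct: $post is modified through the reference
    // $post = $secure->lockcode($post);  would overwrite $post with the bool true

    return $post;
}

var_dump(demo());
```

Running demo() shows the string leaves escaped at every nesting depth while the integer 42 is untouched. This fixes the callable and return-value problems raised in the thread, but note that it still applies one output encoding to all input up front; which encoding a value needs depends on where it is eventually used (SQL string literal, HTML, shell), so validating and binding values at the point of use remains the safer design.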

#7 mikelbring

mikelbring

    CC Addict

  • Advanced Member
  • 117 posts

Posted 29 October 2008 - 01:33 PM

I just put the condom function inside the lockcode. Also, this article is pretty similar to what I'm doing:

phpguru.org - Cleaning input data
  • 0



#8 Xav

Xav

    CC Mentor

  • VIP Member
  • 8356 posts

Posted 29 October 2008 - 01:35 PM

If anyone needs me to test a condom, I will be willing.
  • 0

#9 John

John

    CC Mentor

  • Moderator
  • 4450 posts
  • Location:New York, NY

Posted 29 October 2008 - 06:51 PM

If anyone needs me to test a condom, I will be willing.


Would you write a unit test or something? Because surely you have no practical use for a condom.
  • 1

#10 mikelbring

mikelbring

    CC Addict

  • Advanced Member
  • 117 posts

Posted 29 October 2008 - 06:54 PM

I just named the function that strips the variables a condom. Protection, right?
  • 0



#11 Xav

Xav

    CC Mentor

  • VIP Member
  • 8356 posts

Posted 30 October 2008 - 06:32 AM

Would you write a unit test or something? Because surely you have no practical use for a condom.

You crack me up...
  • 0

#12 Guest_Jaan_*

Guest_Jaan_*
  • Guest

Posted 30 October 2008 - 10:28 AM

Would you write a unit test or something? Because surely you have no practical use for a condom.


hahahaaaa:D
  • 0



