<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Agreed. I have a feeling there are still one or two places in the
code that don't use prepared statements. I should just go through
these and fix them.<br>
<br>
If I send you a version with only prepared statements, and no calls
to stripslashes, can you do a proper security audit of the resulting
system for me please?<br>
<br>
Anyone out there got any tools for specifically security-proving
websites based on PHP?<br>
<br>
Jules.<br>
<br>
On 03/02/2012 17:37, Joerg Streibhardt wrote:
<blockquote
cite="mid:CAJ5hT9EYU_4-23E6Zv0G40Fw9Ctze7VeRCGiG8UfMPZZZFfdHw@mail.gmail.com"
type="cite">
<p>Hi Julian,</p>
<p>from a security perspective the use of stripslashes is a bad
idea.</p>
<p>The magic quotes feature adds these backslashes to escape the
"dangerous" characters (i.e. ') for database use.</p>
<p>Basically it's a weak version of what sqlite_escape_string et
al are doing and stripslashes reverts this.</p>
<p>If the intention is to remove all backslashes, stripslashes is
definitely not the right function. All that's required to defeat
it is using two backslashes for one to remain.</p>
<p>As for the expected need: In our case it'll probably be about
every second drop-off as users will be asked to upload a file in
some more or less arbitrary directory for analysis.</p>
<p>To recap: stripslashes does nothing to improve security; all it
does is decrease security if *_escape_string is forgotten, whether
magic_quotes is on or off.<br>
Additionally it'll garble user input if magic_quotes is off (which
is the default for new installs).</p>
<p>Cheers<br>
Jörg</p>
<div class="gmail_quote">On 03.02.2012 18:12, "Jules" &lt;<a
moz-do-not-send="true" href="mailto:Jules@zend.to">Jules@zend.to</a>&gt; wrote:<br
type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
How often do people need to put in backslashes? Versus the
danger of<br>
missing an instance of escaping-based injection because of not
removing<br>
them? I would personally prefer to play safe.<br>
<br>
If we can *guarantee* that it won't lessen security *at all*,
then we<br>
can not remove all backslashes.<br>
<br>
Jules.<br>
<br>
On 03/02/2012 16:49, Joerg Streibhardt wrote:<br>
> Hi Jules<br>
><br>
> my first real user informed me that the backslashes he
typed into the<br>
> message were removed.<br>
> After looking around for a bit I noticed that most if not
all<br>
> instances of stripslashes are called whether PHP added
those "magic<br>
> quotes" or not.<br>
><br>
> Unfortunately I'm unable to globally enable magic quotes
and the<br>
> manual states that:<br>
><br>
>> This feature has been DEPRECATED as of PHP 5.3.0.
Relying on this feature is highly discouraged.<br>
>> <a moz-do-not-send="true"
href="http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc"
target="_blank">http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc</a><br>
> I've changed the setting locally for ZendTo by adding<br>
>> php_flag magic_quotes_gpc on<br>
> in the apache-configuration for &lt;Directory
/opt/zendto/www/&gt;.<br>
><br>
> I think stripslashes should only be used if
get_magic_quotes_gpc()<br>
> returns true. Removing it altogether is probably not a
good idea at<br>
> this time.<br>
><br>
> What do you think?<br>
><br>
> Cheers<br>
> Jörg<br>
><br>
> _______________________________________________<br>
> ZendTo mailing list<br>
> <a moz-do-not-send="true" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><br>
> <a moz-do-not-send="true"
href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto"
target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br>
<br>
Jules<br>
<br>
--<br>
Julian Field MEng CITP CEng<br>
<a moz-do-not-send="true" href="http://www.Zend.To"
target="_blank">www.Zend.To</a><br>
<br>
Follow me at <a moz-do-not-send="true"
href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a><br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415
B654<br>
<br>
'It's okay to live without all the answers' - Charlie Eppes,
2011<br>
'All programs have a desire to be useful' - Tron, 1982<br>
'That is the land of lost content,<br>
I see it shining plain,<br>
The happy highways where I went,<br>
And cannot come again.' - A.E. Housman<br>
<br>
<br>
</blockquote>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982
</pre>
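The three points made in this thread (only strip slashes that PHP itself added, an unconditional stripslashes both garbles input and is trivially defeated by doubling a backslash, and parameter binding makes the whole escaping question moot) as one added example. This is not ZendTo code and not from anyone on the list; it assumes PDO with the sqlite driver is installed, and the table and column names (messages, body) are made up for illustration.

```php
<?php
// Added example for this thread, not ZendTo code. Assumes PDO with the
// sqlite driver; the messages/body schema is invented for illustration.

// 1. Revert magic_quotes_gpc only when PHP actually applied it.
//    get_magic_quotes_gpc() always returns false from PHP 5.4 on and the
//    function no longer exists in PHP 8, so the call is guarded by version
//    (the && short-circuits, so it is never reached on newer PHP).
function undo_magic_quotes($value)
{
    $magic = version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc();
    if (!$magic) {
        return $value;                    // nothing was added, so strip nothing
    }
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value); // GPC arrays were quoted recursively
    }
    return stripslashes($value);
}

// 2. What an unconditional stripslashes() does with magic_quotes_gpc off
//    (the default since PHP 5.3): honest input loses its backslashes, a
//    doubled backslash keeps one, and the quote character, which is what
//    an injection actually needs, is not touched at all.
function stripslashes_effects()
{
    return array(
        'honest'  => stripslashes('C:\\share\\file.txt'), // both backslashes are removed
        'doubled' => stripslashes('\\\\'),                // one of the two backslashes survives
        'quote'   => stripslashes("it's"),                // the single quote is left as-is
    );
}

// 3. The fix: bind parameters instead of escaping. The driver keeps data
//    and SQL apart, so neither *_escape_string nor slash handling is needed.
function open_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');
    return $db;
}

function store_message(PDO $db, $body)
{
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function fetch_message(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT body FROM messages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn();
}

function message_count(PDO $db)
{
    return (int) $db->query('SELECT COUNT(*) FROM messages')->fetchColumn();
}

// Constructed hostile input: a quote, a statement terminator, a comment
// marker, and both single and doubled backslashes. Bound as a parameter it
// is stored verbatim and the table is still there afterwards.
$hostile = "Robert'); DROP TABLE messages; -- C:\\path\\ and \\\\server";
$db      = open_db();
$id      = store_message($db, undo_magic_quotes($hostile));

var_dump(fetch_message($db, $id) === $hostile);
var_dump(message_count($db));
print_r(stripslashes_effects());
```

For the audit Jules asks about, the mechanical part is a search of the tree for every remaining `stripslashes`, `addslashes`, `*_escape_string` and string-built `sqlite_query`/`query` call; each hit is either a leftover magic_quotes workaround (replace with the guarded form above) or a query that still needs converting to a bound parameter.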
</body>
</html>