freepbx-12.0.1beta5.tgz

Wrapping superglobals to enforce input sanitizing

One of the cornerstones of secure web applications is input validation and sanitization.

Frequently this is an afterthought for developers, because PHP semantics do not actually

enforce it.

With the filter extension (since PHP 5.2) this would actually be quite effortless. But not

many open source projects have adopted it yet. While it is widely available and

technically one of the best solutions, the filter extension has a cumbersome API. And

here lies the problem. If developers are to be encouraged to always validate every

piece of input, it must be ultra simple to do so. Everything else leads to laziness-related

$_REQUEST and Co. with objects:

$_REQUEST = new input($_REQUEST);

$_GET = new input($_GET);

$_POST = new input($_POST);

So, instead of accessing input variables the old-fashioned and may-or-may-not-forget-to-

sanitize-it way, there are now access methods. And these access methods conveniently

also provide data validation. Instead of $_GET[„category“] you'd write:

$_GET->int(„category“)

Every variable that was an array entry before in $_GET or $_POST, can now be accessed

checking every instance and deciding on an eligible sanitizing function.

However, unlike the PHP filter function, the rewrite is not as voluminous. The syntax is

rather close to the old. Instead of $_GET[] you have $_GET->int(). That's syntactically a

serious difference, but not when it comes to key strokes.

Important for security concepts is not only the technology at hand, but also the effort to

implement something in practice. This proposal hopefully strikes the right balance

between security inconvenience and developer laziness.

Implementation

Internally the superglobals wrapper is pretty easy to set up. As seen in the first

example, we just need to feed the old input arrays at instantiation. And we need a

couple of sanitization methods:

class input {

}

return intval($this->vars[$name]);

function name($name) {

return preg_replace("/[^\w_]+/", "", $this->vars[$name]);

}

Of course just the ->int() sanitization ain't gonna cut it for most webapps. So you'll get a

couple more basic validation/filtering features.

Then you could have similar methods for ->text() sans html or even a ->regex() function

mysql_query(„ SELECT * FROM app1 WHERE id='{$_GET->sql(article)}' „);

Note: I do not recommend this, or mysql_query() for that matter. Professional

developers should only ever use parameterized SQL. Or else get shot.

Advantages

The power of this method does not lie in the fancyness of variable access, but that

security woes for input data get multiplexed at a single point. Gone are the days of

possible insecure variable usage/access sprinkled throughout the code.