PHP Built-in String Validation Functions

  • PHP5 Built-in String Filter Functions For Your Application Security, by d0ubl3_h3lix (http://yehg.org), April 2008
  • Agenda
    • Why We Use?
    • Need to Know
    • Secure Practice
    • Validation vs Sanitization
    • PHP5 Built-in Filtering Functions
  • Why We Use?
    • Injection attacks (XSS, SQL, XPath, OS command, etc.) all start from untrusted input that reaches an interpreter where filtering is weak or absent
    • Be aware of outputs as well as inputs: the same string is dangerous in different ways depending on where it ends up (HTML, SQL, a shell)
    • You know Garbage In, Garbage Out
    • For attackers it is Garbage In, Gold Out
  • Need to Know
    • Filtering has more pitfalls than the obvious ones; character encoding is the big one
    • An attacker can send the same payload in a different charset (or as an invalid byte sequence) so that it passes a filter written for the expected charset
    • If the application never pins the charset, the visitor's browser may auto-detect one and interpret the bytes the way the attacker wants
    • Root cause: the application failed to convert the string to its intended charset when it was first accepted and stored in the database
  • Secure Practice
    • Always convert (or strictly validate) input and output to the intended charset before doing any intensive filtering or sanitization; a filter that runs on bytes in an unknown encoding can be bypassed
  • Validation vs Sanitization
    • Validation means checking that the string's format is exactly what you want (an integer, an e-mail address, a URL) and rejecting it otherwise
    • Sanitization means transforming the string (escaping, encoding or removing characters) so that it is harmless for one specific consumer
    • A validated string still cannot be assumed 'secure'
    • You cannot know whether a validated string contains characters that are meaningful to some back-end system (quotes for SQL, angle brackets for HTML, metacharacters for a shell)
    • That's why a validated string still needs to be sanitized (escaped) for the place it is going to be used
  • PHP5 Built-in String Filter Functions
  • htmlspecialchars
    • Description: Convert special characters to HTML entities
    • Usage: string htmlspecialchars ( string string [, int quote_style [, string charset ]] )
  • Quote_Style
    • ENT_COMPAT: converts double quotes and leaves single quotes alone (the default in PHP 5.x through 8.0)
    • ENT_QUOTES: converts both double and single quotes (the default since PHP 8.1)
    • ENT_NOQUOTES: leaves both double and single quotes unconverted
  • Supported Charsets
    • ISO-8859-1
    • ISO-8859-15
    • UTF-8
    • cp866 (ibm866, 866)
    • cp1251 (Windows-1251, win-1251, 1251)
    • cp1252 (Windows-1252, 1252)
    • KOI8-R (koi8-ru, koi8r)
    • BIG5
    • GB2312
    • BIG5-HKSCS
    • Shift_JIS
    • EUC-JP
  • Example
    • Not Secure (relies on the defaults: single quotes pass through untouched, and on PHP < 5.4 the default charset is ISO-8859-1 regardless of what the page is actually served as):
    • htmlspecialchars($untrusted_input);
    • Relatively Secure (both quote styles escaped, charset stated explicitly so it matches the page's Content-Type):
    • htmlspecialchars($untrusted_input, ENT_QUOTES, 'UTF-8');
  • htmlentities
    • Description: Convert all applicable characters to HTML entities
    • Usage: string htmlentities ( string string [, int quote_style [, string charset ]] )
  • Example
    • Not Secure:
    • htmlentities($untrusted_input);
    • Relatively Secure:
    • htmlentities($untrusted_input, ENT_QUOTES, 'UTF-8');
  • htmlspecialchars vs htmlentities
    • htmlentities() converts every character that has a named HTML entity equivalent, while htmlspecialchars() converts only the five characters that are significant to HTML markup:
      • & => &amp;
      • " => &quot; (unless ENT_NOQUOTES)
      • ' => &#039; (only with ENT_QUOTES)
      • < => &lt;
      • > => &gt;
    • For preventing XSS the two are equivalent as long as the charset argument is correct; htmlspecialchars() is the usual choice because it leaves non-ASCII text readable
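An added example (not from the original slides) of the escaping point above: a small output helper that always passes ENT_QUOTES and an explicit charset, run against constructed attacker input so the difference from the bare one-argument call is visible. The helper name e() and the payload are assumptions for the illustration.

```php
<?php
// Added example (not from the original slides): output-escaping helper that
// always passes ENT_QUOTES and an explicit charset, and a demonstration of
// what goes wrong with the bare one-argument call on PHP 5.x through 8.0,
// where the default quote style is ENT_COMPAT.

/**
 * Escape a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES covers both ' and ", so the result is safe inside
 * single-quoted attributes as well as double-quoted ones.
 */
function e($untrusted)
{
    return htmlspecialchars((string) $untrusted, ENT_QUOTES, 'UTF-8');
}

// Constructed attacker input: tries to break out of a single-quoted attribute.
$payload = "x' onmouseover='alert(1)";

// Bare call: ENT_COMPAT leaves single quotes alone, so the attribute
// boundary is crossed and an event handler is injected.
$weak = htmlspecialchars($payload);
echo "<a title='$weak'>link</a>\n";
// <a title='x' onmouseover='alert(1)'>link</a>

// Hardened call: the quote becomes &#039; and stays inside the attribute.
echo "<a title='" . e($payload) . "'>link</a>\n";
// <a title='x&#039; onmouseover=&#039;alert(1)'>link</a>

// The charset matters too: \xC0 starts a multibyte sequence that never
// completes, so this is not valid UTF-8. With the charset stated explicitly
// (and no ENT_SUBSTITUTE flag) PHP returns an empty string rather than
// passing malformed bytes through to the browser.
$bad = "abc\xC0";
var_dump(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8') === '');   // bool(true)
```

Since PHP 8.1 the default quote style is ENT_QUOTES, so the "weak" line only misbehaves on older versions; stating the flags and charset explicitly keeps the behaviour the same on every version and matches the page's Content-Type.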
  • strip_tags
    • Description: Strip HTML and PHP tags from a string
    • Usage: string strip_tags ( string str [, string allowable_tags ] )
  • Example: Stripping HTML
    • strip_tags("<b>Hello Admin!</b><script>alert('0wned u');</script>");
    • // Returns:  Hello Admin!alert('0wned u');
    • // (the tags are gone but the script body survives as plain text)
    • strip_tags("<b>bold</b> <i>Nice</i>", "<b>");
    • // Returns:  <b>bold</b> Nice
    • // Caveat: allowed tags keep all their attributes, including event handlers such as onmouseover, so strip_tags() with an allow-list is not an XSS filter
  • Example: Stripping PHP
    • strip_tags("Hello Admin!<?php /*attacker's shellcode/backdoor script*/?>");
    • // Returns:  Hello Admin!
    • PHP code like this is commonly embedded in uploaded images and other binary-like files; stripping tags from those bytes is not a defence, the uploaded file must simply never be executed as PHP
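An added example (not from the slides) of the strip_tags() caveat: with an allow-list the permitted tags keep their attributes, and stripping is not escaping, so text that has been through strip_tags() still needs htmlspecialchars() when it is rendered. The inputs and the two helper names are constructed for the illustration.

```php
<?php
// Added example (not from the original slides): strip_tags() removes markup
// but does not neutralise it. Constructed attacker input below.

$input = '<b onmouseover="alert(1)">Hello</b> <script>alert(2)</script>';

// Allow-listing <b> keeps the entire tag, event handler included.
echo strip_tags($input, '<b>'), "\n";
// <b onmouseover="alert(1)">Hello</b> alert(2)

// Without an allow-list every tag goes, but the script body stays as text.
echo strip_tags($input), "\n";
// Hello alert(2)

/**
 * Reasonable use: keep a plain-text version for storage or search,
 * and still escape when rendering, because "no tags" is not "no
 * HTML-significant characters".
 */
function plain_text_for_storage($untrusted)
{
    return trim(strip_tags((string) $untrusted));
}

function render_text($stored)
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// No tags to strip here, yet the quote and ampersand must still be escaped
// before the string is placed in a page.
$stored = plain_text_for_storage("O'Neil & Sons");
echo $stored, "\n";               // O'Neil & Sons
echo render_text($stored), "\n";  // O&#039;Neil &amp; Sons
```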
  • escapeshellcmd
    • Description: Escape shell metacharacters: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. Single and double quotes are escaped only if they are not paired
    • Usage: string escapeshellcmd ( string command )
  • Example
    • $input = "solution & whoami &";
    • escapeshellcmd("process $input");
    • // Returns:  process solution \& whoami \&
    • // The & characters are backslash-escaped, so the shell runs a single command, process, with the literal arguments solution, &, whoami and &
    • // Note that spaces are not escaped: escapeshellcmd() stops command chaining but not the injection of extra arguments. Use escapeshellarg() for each individual argument
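An added example (not from the slides) showing the difference between escapeshellcmd() on a whole command line and escapeshellarg() on one argument, including the argument-injection case that escapeshellcmd() does not stop. The host values are constructed attacker input and ping is only an illustrative command; the ping_command() helper is an assumption for the example.

```php
<?php
// Added example (not from the original slides): escapeshellcmd() guards the
// command line as a whole, escapeshellarg() guards one argument. The host
// values are constructed attacker input; 'ping' is just an illustrative command.

$host = '8.8.8.8; cat /etc/passwd';

// escapeshellcmd(): metacharacters are backslash-escaped, so the shell runs a
// single ping with the odd extra arguments '8.8.8.8;', 'cat', '/etc/passwd'.
echo escapeshellcmd("ping -c 1 $host"), "\n";
// ping -c 1 8.8.8.8\; cat /etc/passwd

// Spaces are not metacharacters to escapeshellcmd(), so argument injection
// passes straight through: here the attacker adds a flood interval to ping.
$host2 = '8.8.8.8 -i 0.001';
echo escapeshellcmd("ping -c 1 $host2"), "\n";
// ping -c 1 8.8.8.8 -i 0.001   (unchanged)

// escapeshellarg(): the value is single-quoted (embedded quotes escaped), so
// it reaches the program as exactly one argument whatever it contains.
echo 'ping -c 1 ' . escapeshellarg($host2), "\n";
// ping -c 1 '8.8.8.8 -i 0.001'

/**
 * Validate, then quote. The IP filter removes any doubt about what the
 * argument is, and escapeshellarg() keeps it a single argument.
 * Returns the command string, or false for a value that is not an address.
 */
function ping_command($host)
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

echo ping_command('8.8.8.8'), "\n";   // ping -c 1 '8.8.8.8'
var_dump(ping_command($host2));      // bool(false)
```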
  • mysql_real_escape_string
    • Description: Escapes special characters in a string for use in a SQL statement, taking the character set of the current connection into account; a database connection must be open first
    • Usage: string mysql_real_escape_string ( string unescaped_string [, resource link_identifier] )
  • mysql_escape_string
    • Description: Escapes a string for use in mysql_query(), but without regard to the connection's character set; no connection is needed, which is exactly why it is unsafe with multibyte charsets and has been deprecated since PHP 5.3
    • Usage: string mysql_escape_string ( string unescaped_string )
    • Both functions only add backslashes: you still have to put quotes around the value yourself, and the whole mysql_ extension was removed in PHP 7. Prefer prepared statements (mysqli or PDO)
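The two mysql_ functions above belong to an extension that no longer exists. The example below is added here (not from the slides) and shows the same escape-then-quote pattern with mysqli next to the prepared-statement alternative; the host, credentials, table, column and the `user` query parameter are assumptions for the illustration, and it needs a live MySQL server to run.

```php
<?php
// Added example (not from the original slides): the legacy escaping pattern
// next to a prepared statement. Assumes a reachable MySQL server with the
// credentials shown; $_GET['user'] is untrusted.

$db = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
// Escaping is only correct for the charset the connection actually uses, so
// set it through the API rather than with a "SET NAMES" query.
$db->set_charset('utf8mb4');

$name = isset($_GET['user']) ? $_GET['user'] : '';

// Legacy: escape, then quote. mysql_real_escape_string() was the mysql_ ext
// version of this call. The quotes around %s are still the developer's job,
// and the escaping is wrong if set_charset() was skipped: with a multibyte
// charset such as GBK an attacker can send a byte that swallows the added
// backslash, leaving a live quote in the statement.
$sql = sprintf("SELECT id FROM users WHERE name = '%s'",
               $db->real_escape_string($name));
$legacy = $db->query($sql);

// Preferred: the value never becomes part of the SQL text at all.
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->bind_result($id);
$found = $stmt->fetch();
$stmt->close();

echo $found ? "user id $id\n" : "no such user\n";
```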
  • is_* Functions
    • To check whether a variable is of the desired type:
    • is_array  -- Whether a variable is an array
    • is_binary  -- Whether a variable is a native binary string (PHP 6 only; that branch was never released)
    • is_bool  -- Whether a variable is a boolean
    • is_buffer  -- Whether a variable is a native unicode or binary string (PHP 6 only; never released)
    • is_callable  -- Verify that the contents of a variable can be called as a function
    • is_double  -- Alias of is_float()
    • is_float  -- Whether a variable is a float
    • is_int  -- Whether a variable is an integer
    • is_integer  -- Alias of is_int()
    • is_long  -- Alias of is_int()
    • is_null  -- Whether a variable is NULL
    • is_numeric  -- Whether a variable is a number or a numeric string
    • is_object  -- Whether a variable is an object
    • is_real  -- Alias of is_float()
    • is_resource  -- Whether a variable is a resource
    • is_scalar  -- Whether a variable is a scalar
    • is_string  -- Whether a variable is a string
    • is_unicode  -- Whether a variable is a unicode string (PHP 6 only; never released)
    • Remember that everything in $_GET, $_POST and $_COOKIE arrives as a string (or an array of strings), so is_int($_GET['x']) is always false; use is_numeric(), ctype_digit() or the filter_* functions on request data
  • Good Practice With is_*
    • For example:
    • $start = (isset($_GET['num']) && is_numeric($_GET['num']))
    •     ? (int) $_GET['num']
    •     : die("Hacking Attempt!");
    • Casting with (int) after the check guarantees the variable holds an integer whatever string the client sent; note that is_numeric() also accepts floats and exponent notation ("4.2", "1e3"), so cast or use a stricter check when only an integer is acceptable
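An added example (not from the slides) that runs is_numeric(), ctype_digit(), the (int) cast and FILTER_VALIDATE_INT over the same constructed inputs, then rewrites the slide's `num` check so that validation and conversion happen in one step with a range attached. This also illustrates the Validation vs Sanitization point: is_numeric() validates a looser format than the code then assumes. The int_param() helper is an assumption for the illustration.

```php
<?php
// Added example (not from the original slides): what is_numeric() accepts
// compared with stricter checks, and a parameter reader that returns an
// integer only when the client sent one inside the allowed range.
// Sample values are constructed; the 'num' parameter name is from the slide.

$samples = array('42', ' 42', '-7', '4.2', '1e3', '0x1A', 'abc', '');

foreach ($samples as $s) {
    printf("%-8s is_numeric=%-5s ctype_digit=%-5s (int)=%-5d FILTER_VALIDATE_INT=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        ctype_digit($s) ? 'true' : 'false',
        (int) $s,
        var_export(filter_var($s, FILTER_VALIDATE_INT), true));
}
// Observations (PHP 7.1+): ' 42', '4.2' and '1e3' are all "numeric" to
// is_numeric(); (int)'1e3' is 1000 (it was 1 before PHP 7.1) and (int)'4.2'
// is 4; '0x1A' stopped being numeric in PHP 7. ctype_digit() and
// FILTER_VALIDATE_INT reject everything that is not a plain integer
// (FILTER_VALIDATE_INT trims surrounding whitespace, ctype_digit() does not).

/**
 * Integer query parameter in [$min, $max].
 * Returns the integer, NULL if the parameter is absent, FALSE if it is
 * present but not an integer in range. Because the check and the cast are
 * one operation there is no window for a "numeric" string to slip through.
 */
function int_param($name, $min, $max)
{
    return filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => $min, 'max_range' => $max),
    ));
}

$start = int_param('num', 1, 1000);
if ($start === null || $start === false) {
    header('HTTP/1.1 400 Bad Request');    // reject, do not try to repair
    exit('invalid num');
}
// $start is now a genuine PHP integer between 1 and 1000.
```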
  • filter_* Functions
    • filter_has_var  -- Checks if variable of specified type exists
    • filter_id  -- Returns the filter ID belonging to a named filter
    • filter_input_array  -- Gets multiple variables from outside PHP and optionally filters them
    • filter_input  -- Gets variable from outside PHP and optionally filters it
    • filter_list  -- Returns a list of all supported filters
    • filter_var_array  -- Gets multiple variables and optionally filters them
    • filter_var   -- Filters a variable with a specified filter
  • Filterable Types
    • INPUT_POST ( integer )
      • POST variables.
    • INPUT_GET ( integer )
      • GET variables.
    • INPUT_COOKIE ( integer )
      • COOKIE variables.
    • INPUT_ENV ( integer )
      • ENV variables.
    • INPUT_SERVER ( integer )
      • SERVER variables.
    • INPUT_SESSION ( integer )
      • SESSION variables (never implemented; the constant was removed in PHP 8.0)
    • INPUT_REQUEST ( integer )
      • REQUEST variables (never implemented; the constant was removed in PHP 8.0)
  • Filter Options
    • FILTER_FLAG_NONE ( integer ): No flags.
    • FILTER_REQUIRE_SCALAR ( integer ): Require a scalar as input. Scalar variables are those containing an integer, float, string or boolean; array, object and resource are not scalar.
    • FILTER_REQUIRE_ARRAY ( integer ): Require an array as input.
    • FILTER_FORCE_ARRAY ( integer ): Always return an array.
    • FILTER_NULL_ON_FAILURE ( integer ): Use NULL instead of FALSE on failure.
    • FILTER_VALIDATE_INT ( integer ): ID of "int" filter.
    • FILTER_VALIDATE_BOOLEAN ( integer ): ID of "boolean" filter.
    • FILTER_VALIDATE_FLOAT ( integer ): ID of "float" filter.
    • FILTER_VALIDATE_REGEXP ( integer ): ID of "validate_regexp" filter.
    • FILTER_VALIDATE_URL ( integer ): ID of "validate_url" filter.
    • FILTER_VALIDATE_EMAIL ( integer ): ID of "validate_email" filter.
    • FILTER_VALIDATE_IP ( integer ): ID of "validate_ip" filter.
    • FILTER_DEFAULT ( integer ): ID of the default filter, which is "unsafe_raw" (equivalent to FILTER_UNSAFE_RAW); it does not sanitize anything.
    • FILTER_UNSAFE_RAW ( integer ): ID of "unsafe_raw" filter.
    • FILTER_SANITIZE_STRING ( integer ): ID of "string" filter (deprecated since PHP 8.1).
    • FILTER_SANITIZE_STRIPPED ( integer ): ID of "stripped" filter (deprecated since PHP 8.1).
    • FILTER_SANITIZE_ENCODED ( integer ): ID of "encoded" filter.
    • FILTER_SANITIZE_SPECIAL_CHARS ( integer ): ID of "special_chars" filter.
    • FILTER_SANITIZE_EMAIL ( integer ): ID of "email" filter.
    • FILTER_SANITIZE_URL ( integer ): ID of "url" filter.
    • FILTER_SANITIZE_NUMBER_INT ( integer ): ID of "number_int" filter.
    • FILTER_SANITIZE_NUMBER_FLOAT ( integer ): ID of "number_float" filter.
    • FILTER_SANITIZE_MAGIC_QUOTES ( integer ): ID of "magic_quotes" filter (deprecated since PHP 7.3, removed in PHP 8.0).
    • FILTER_CALLBACK ( integer ): ID of "callback" filter.
    • FILTER_FLAG_ALLOW_OCTAL ( integer ): Allow octal notation (0[0-7]+) in "int" filter.
    • FILTER_FLAG_ALLOW_HEX ( integer ): Allow hex notation (0x[0-9a-fA-F]+) in "int" filter.
    • FILTER_FLAG_STRIP_LOW ( integer ): Strip characters with ASCII value less than 32.
    • FILTER_FLAG_STRIP_HIGH ( integer ): Strip characters with ASCII value greater than 127.
    • FILTER_FLAG_ENCODE_LOW ( integer ): Encode characters with ASCII value less than 32.
    • FILTER_FLAG_ENCODE_HIGH ( integer ): Encode characters with ASCII value greater than 127.
    • FILTER_FLAG_ENCODE_AMP ( integer ): Encode &.
    • FILTER_FLAG_NO_ENCODE_QUOTES ( integer ): Don't encode ' and ".
    • FILTER_FLAG_EMPTY_STRING_NULL ( integer ): (No use for now.)
    • FILTER_FLAG_ALLOW_FRACTION ( integer ): Allow fractional part in "number_float" filter.
    • FILTER_FLAG_ALLOW_THOUSAND ( integer ): Allow thousand separator (,) in "number_float" filter.
    • FILTER_FLAG_ALLOW_SCIENTIFIC ( integer ): Allow scientific notation (e, E) in "number_float" filter.
    • FILTER_FLAG_SCHEME_REQUIRED ( integer ): Require scheme in "validate_url" filter (always implied since PHP 5.2.1; the flag was deprecated in 7.3 and removed in 8.0).
    • FILTER_FLAG_HOST_REQUIRED ( integer ): Require host in "validate_url" filter (always implied since PHP 5.2.1; the flag was deprecated in 7.3 and removed in 8.0).
    • FILTER_FLAG_PATH_REQUIRED ( integer ): Require path in "validate_url" filter.
    • FILTER_FLAG_QUERY_REQUIRED ( integer ): Require query in "validate_url" filter.
    • FILTER_FLAG_IPV4 ( integer ): Allow only IPv4 addresses in "validate_ip" filter.
    • FILTER_FLAG_IPV6 ( integer ): Allow only IPv6 addresses in "validate_ip" filter.
    • FILTER_FLAG_NO_RES_RANGE ( integer ): Deny reserved addresses in "validate_ip" filter.
    • FILTER_FLAG_NO_PRIV_RANGE ( integer ): Deny private addresses in "validate_ip" filter.
  • Filter Definitions
    • FILTER_VALIDATE_INT: options min_range, max_range; flags FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX. Validates value as integer, optionally from the specified range. Leading and trailing whitespace is trimmed before validation.
    • FILTER_VALIDATE_BOOLEAN: flags FILTER_NULL_ON_FAILURE. Returns TRUE for "1", "true", "on" and "yes", FALSE for "0", "false", "off", "no" and "". Any other value also returns FALSE, unless FILTER_NULL_ON_FAILURE is set, in which case it returns NULL.
    • FILTER_VALIDATE_FLOAT: flags FILTER_FLAG_ALLOW_THOUSAND. Validates value as float.
    • FILTER_VALIDATE_REGEXP: options regexp. Validates value against regexp, a Perl-compatible regular expression.
    • FILTER_VALIDATE_URL: flags FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED. Validates value as URL (scheme and host are always required), optionally with required path or query components. This is a syntax check only: it does not tell you that the scheme is http(s) or that the host is one you trust.
    • FILTER_VALIDATE_EMAIL: Validates value as e-mail address (syntax only).
    • FILTER_VALIDATE_IP: flags FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE. Validates value as IP address, optionally only IPv4 or IPv6, or not from private or reserved ranges.
    • FILTER_SANITIZE_STRING: flags FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP. Strips tags and HTML-encodes single and double quotes; optionally strips or encodes special characters. Deprecated since PHP 8.1.
    • FILTER_SANITIZE_STRIPPED: Alias of FILTER_SANITIZE_STRING.
    • FILTER_SANITIZE_ENCODED: flags FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH. URL-encodes the string, optionally strips or encodes special characters.
    • FILTER_SANITIZE_SPECIAL_CHARS: flags FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH. HTML-escapes '"<>& and characters with ASCII value less than 32 (as numeric entities such as &#60;), optionally strips or encodes other special characters.
    • FILTER_UNSAFE_RAW: flags FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP. Does nothing, optionally strips or encodes special characters.
    • FILTER_SANITIZE_EMAIL: Removes all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].
    • FILTER_SANITIZE_URL: Removes all characters except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=.
    • FILTER_SANITIZE_NUMBER_INT: Removes all characters except digits and +-.
    • FILTER_SANITIZE_NUMBER_FLOAT: flags FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC. Removes all characters except digits, +- and optionally .,eE.
    • FILTER_SANITIZE_MAGIC_QUOTES: Applies addslashes(). Deprecated since PHP 7.3 and removed in PHP 8.0; it was never a substitute for database-specific escaping or prepared statements.
    • FILTER_CALLBACK: options callback function or method. Calls a user-defined function to filter the data.
  • Remind: filter_* Functions
    • filter_has_var, filter_id, filter_input, filter_input_array, filter_list, filter_var, filter_var_array (as listed above); each is described next
  • filter_has_var
    • Description: Checks if variable of specified type exists
    • Usage: bool filter_has_var ( int type , string variable_name )
  • Example
    • filter_has_var(INPUT_GET, 'searchstr');
    • is roughly equivalent to
    • isset($_GET['searchstr'])
    • with one difference: filter_has_var() looks at the raw request data, so it does not see keys the script itself added to $_GET and is not affected by the script modifying or unsetting entries
  • filter_id
    • Description: Returns the filter ID belonging to a named filter
    • Usage: int filter_id ( string filtername )
  • filter_list
    • Description: Returns a list of all supported filters
    • Usage: array filter_list ( void )
  • filter_input
    • Description: Gets a variable from outside PHP and optionally filters it. Returns the filtered value on success, FALSE if the filter fails and NULL if the variable is not set (with FILTER_NULL_ON_FAILURE it is the other way round: NULL on failure, FALSE when not set)
    • Usage: mixed filter_input ( int type, string variable_name [, int filter [, mixed options ]] )
  • Example
    • filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
    • filter_input(INPUT_GET, 'number', FILTER_VALIDATE_INT,
    •     array(
    •         'flags'   => FILTER_REQUIRE_ARRAY,   // number[] must be an array; each element is validated
    •         'options' => array('min_range' => 1, 'max_range' => 10)
    •     )
    • );
  • filter_input_array
    • Description: Gets multiple variables from outside PHP and optionally filters them
    • Usage: mixed filter_input_array ( int type [, mixed definition] )
  • Example
    • /* Let's say the data comes in via POST as follows: */
    • $_POST = array(
    •     'visitor_name'  => 'MgMg',
    •     'visitor_email' => 'mgmg@gmail.com',
    •     'visitor_url'   => 'http://myanmar.com'
    • );
    • We can write filter rules like:
    • $visitor_sanitized_rules = array(
    •     'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
    •     'visitor_email' => FILTER_VALIDATE_EMAIL,
    •     'visitor_url'   => FILTER_VALIDATE_URL
    • );
    • Then we can apply them like:
    • $visitor_inputs = filter_input_array(INPUT_POST, $visitor_sanitized_rules);
    • // Each key holds the filtered value, FALSE if that field failed validation, or NULL if it was missing from the request
  • Almost No Difference
    • filter_input(_array) vs filter_var(_array)
    • take the same filter IDs, flags and options and return the same kinds of results; the only difference is where the data comes from: filter_input() reads the raw request data for the given INPUT_* type, while filter_var() filters any variable you hand it (a superglobal entry, a config value, a database row)
  • filter_var
    • Description: Filters a variable with a specified filter
    • Usage: mixed filter_var ( mixed variable [, int filter [, mixed options]] )
  • Example
    • filter_var($_POST['visitor_name'], FILTER_SANITIZE_SPECIAL_CHARS);
    • filter_var($_POST['visitor_email'], FILTER_VALIDATE_EMAIL);
    • filter_var($_POST['visitor_url'], FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED);
  • filter_var_array
    • Description: Gets multiple variables and optionally filters them
    • Usage: mixed filter_var_array ( array data [, mixed definition] )
  • Example
    • /* Same as before, the data is just an ordinary array: */
    • $visitor_data = array(
    •     'visitor_name'  => 'MgMg',
    •     'visitor_email' => 'mgmg@gmail.com',
    •     'visitor_url'   => 'http://myanmar.com'
    • );
    • We can write filter rules like:
    • $visitor_sanitized_rules = array(
    •     'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
    •     'visitor_email' => FILTER_VALIDATE_EMAIL,
    •     'visitor_url'   => FILTER_VALIDATE_URL
    • );
    • Then we can apply them like:
    • $visitor_inputs = filter_var_array($visitor_data, $visitor_sanitized_rules);
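A fuller version of the visitor form handled by filter_input / filter_input_array / filter_var / filter_var_array above, added here (not from the slides). It uses the array form of the definitions with flags and options, a FILTER_CALLBACK rule and a multi-valued field, and shows how missing fields (NULL) are told apart from failed ones (FALSE). Field names, limits and the sample payload are constructed for the illustration; filter_var_array() is applied to a literal array so it runs without a live request, and filter_input_array(INPUT_POST, $definition) would be the request-side equivalent.

```php
<?php
// Added example (not from the original slides): one filter definition for a
// whole form, using the options/flags form of the filters covered above.
// Field names, limits and the payload are made up for the illustration.

$definition = array(
    // Escape <>&"' and drop control characters so the value can be echoed.
    'visitor_name'  => array(
        'filter' => FILTER_SANITIZE_SPECIAL_CHARS,
        'flags'  => FILTER_FLAG_STRIP_LOW,
    ),
    'visitor_email' => FILTER_VALIDATE_EMAIL,
    // Scheme and host are always required by FILTER_VALIDATE_URL; here a
    // path is demanded as well.
    'visitor_url'   => array(
        'filter' => FILTER_VALIDATE_URL,
        'flags'  => FILTER_FLAG_PATH_REQUIRED,
    ),
    'age'           => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 13, 'max_range' => 120),
    ),
    // Multi-select: the value must be an array and every element is checked.
    'topics'        => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        'flags'   => FILTER_REQUIRE_ARRAY,
        'options' => array('regexp' => '/^[a-z]{1,20}$/'),
    ),
    // Custom rule: normalise a two-letter country code or reject it.
    'country'       => array(
        'filter'  => FILTER_CALLBACK,
        'options' => 'country_code',
    ),
    // Not present in the payload below, so it comes back as NULL.
    'phone'         => FILTER_SANITIZE_NUMBER_INT,
);

function country_code($value)
{
    $value = strtoupper(trim((string) $value));
    return preg_match('/^[A-Z]{2}$/', $value) ? $value : false;
}

// Constructed payload standing in for $_POST.
$post = array(
    'visitor_name'  => "Mg<script>Mg\x01",
    'visitor_email' => 'mgmg@example.com',
    'visitor_url'   => 'http://example.com',    // no path -> FALSE
    'age'           => '150',                   // out of range -> FALSE
    'topics'        => array('php', 'sec!'),    // second element -> FALSE
    'country'       => ' mm ',
);

$clean = filter_var_array($post, $definition);
// $clean['visitor_name']  === 'Mg&#60;script&#62;Mg'
// $clean['visitor_email'] === 'mgmg@example.com'
// $clean['visitor_url']   === false
// $clean['age']           === false
// $clean['topics']        === array('php', false)
// $clean['country']       === 'MM'
// $clean['phone']         === null

// Missing fields are NULL, failed ones are FALSE (or contain FALSE), so a
// strict scan separates "not sent" from "sent but invalid".
$errors = array();
foreach ($definition as $field => $rule) {
    $value = $clean[$field];
    if ($value === null) {
        $errors[$field] = 'missing';
    } elseif ($value === false || (is_array($value) && in_array(false, $value, true))) {
        $errors[$field] = 'invalid';
    }
}
var_dump($errors);
// array('visitor_url' => 'invalid', 'age' => 'invalid',
//       'topics' => 'invalid', 'phone' => 'missing')
```

Note that the sanitize filters here prepare the name for one consumer only (HTML output); if the same value also goes into SQL or a shell it needs that consumer's escaping as well, which is the Validation vs Sanitization point from earlier in the deck.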
  • Last But Not Least
    • Did you notice two things lacking in the filter_* functions?
  • First ..
    • You have to filter twice when you want both a cleaned value and a yes/no answer, for example:
    • $email = $_GET['email'];
    • $email = filter_var($email, FILTER_SANITIZE_EMAIL);   // drop characters that can never appear in an address
    • $email = filter_var($email, FILTER_VALIDATE_EMAIL);   // then check that what is left is well-formed; FALSE if not
    • Sanitize first, then validate, so that the value you accept is exactly the value you checked
  • Second …
    • No charset conversion functions! The filter extension works on raw bytes and has no idea what encoding they are in, so the normalisation step from "Secure Practice" above still has to be done yourself with mbstring or iconv
    • Do-It-Yourself Exercise!
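One way to do that exercise, added here (not from the slides), serving both the "Secure Practice" slide and the point just made: a normalisation step that returns valid UTF-8 or rejects the input, run before any filtering or escaping. The inputs are constructed, to_utf8() is a name chosen for the example, and the $declared parameter and the `comment` form field are assumptions about where a real application would get the client's charset and data.

```php
<?php
// Added example (not from the original slides): the charset step that the
// slides point out is missing from the filter extension. Normalise every
// input to valid UTF-8 before it is filtered, escaped or stored, so no later
// consumer can "auto-detect" a different interpretation of the same bytes.
// Inputs below are constructed; $declared and the 'comment' field are
// assumptions about a real request.

/**
 * Return $input as valid UTF-8, or NULL if it cannot be made valid.
 * $declared is the charset the client claims (e.g. from the form's
 * accept-charset or the request Content-Type); UTF-8 is assumed by default.
 */
function to_utf8($input, $declared = 'UTF-8')
{
    $input = (string) $input;

    if (strcasecmp($declared, 'UTF-8') === 0) {
        // Strict check: rejects overlong forms, surrogates and truncated
        // sequences instead of guessing what the sender meant.
        return mb_check_encoding($input, 'UTF-8') ? $input : null;
    }

    // Legacy charset: convert, and treat bytes that are invalid for that
    // charset as a hard failure (iconv returns false and raises a notice).
    $converted = @iconv($declared, 'UTF-8', $input);
    return ($converted === false) ? null : $converted;
}

// Valid UTF-8 passes through unchanged.
var_dump(to_utf8("caf\xC3\xA9") === "caf\xC3\xA9");              // bool(true)

// Overlong encoding of '<' (C0 BC): a lax decoder downstream would read it
// as '<' after a filter looking for the literal byte 0x3C had let it through.
var_dump(to_utf8("\xC0\xBCscript>") === null);                      // bool(true)

// Declared Windows-1252 input is converted rather than rejected.
var_dump(to_utf8("caf\xE9", 'Windows-1252') === "caf\xC3\xA9");     // bool(true)

// Only now filter and escape, with the charset stated explicitly.
$raw   = isset($_POST['comment']) ? $_POST['comment'] : '';
$clean = to_utf8($raw);
if ($clean === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid encoding');
}
echo htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
```

Serve the page with a matching charset (Content-Type: text/html; charset=UTF-8) so the browser has nothing left to guess; the normalisation is only complete when storage, filtering and output all agree on the same encoding.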
    • Thank You!
  • Reference
    • PHP 5.2.5 Manual, http://www.php.net/manual/