How to prevent SQL Injection attack in applications programmed in Zend Framework?

I have no idea about ZF security. Should I use a filter when working in a database? Maybe binding is enough? How about this:

$users->update($data, 'id=1'); 

Should I filter the data array somehow? Feel free to write everything you know about the problem.

Could you give some links to good articles about security in ZF (mainly about SQL Injection and XSS)?

+4
4 answers

Short answer
While ZF takes and provides some measures to protect your application, you should apply the same precautions that you would use without the Zend Framework.


For the code snippet, check out the Zend_Db chapter in the Reference Guide:

By default, values in your data array are inserted using parameters. This reduces the risk of some security issues. You do not need to apply escaping or quoting to values in a data array.

This does not mean that you do not need to worry about security. For example, for the update method above:

The third argument is a string containing an SQL expression that is used as the criteria for the rows that need to be changed. Values and identifiers in this argument are not quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely. See Quoting values and identifiers for methods to help you do this.

Note: since you are using Zend_Db_Table, the third argument above is of course the second argument in your call. Internally, the table instance delegates the call to the db adapter, with the first parameter being the table name of the table instance.


Regarding Zend_View and XSS attack vectors:

Zend_View comes with an initial set of helper classes, most of which relate to generating form elements and automatically escape their output accordingly.

Again, most does not mean all. Zend_View provides Zend_View::escape() to help you sanitize the output, but that is nothing special.

+5
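To make the quoting point above concrete, here is an added example (not part of the answer or of the Zend Framework docs) of the same update() call with an attacker-controlled id: first the unquoted where-string, then the quoteInto() and array-where forms that Zend_Db (ZF 1.x API) provides. The Users table class, the connection settings and the request variables are assumptions.

```php
<?php
// Added example: the $data array is bound, the $where argument is not.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Connection details are placeholders; adjust to your environment.
$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => 'localhost',
    'username' => 'app',
    'password' => 'secret',
    'dbname'   => 'app',
));
Zend_Db_Table_Abstract::setDefaultAdapter($db);

// Assumed table class for the $users instance in the question.
class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}

$users = new Users();
$id    = $_GET['id'];                         // user-controlled input
$data  = array('email' => $_POST['email']);   // bound as parameters: safe

// UNSAFE: the where-string goes into the SQL verbatim. An id such as
// "1 OR 1=1" would make this statement update every row in the table.
// $users->update($data, 'id=' . $id);

// SAFE (1): validate the type, then quote the value into the expression.
$validator = new Zend_Validate_Int();
if (!$validator->isValid($id)) {
    throw new InvalidArgumentException('id must be an integer');
}
$where = $db->quoteInto('id = ?', (int) $id);  // yields the string "id = 1"
$users->update($data, $where);

// SAFE (2): pass the conditions as an array; each string key is passed
// through quoteInto() with its value by the adapter.
$users->update($data, array(
    'id = ?'     => (int) $id,
    'status = ?' => 'active',
));

// Dynamic column or table names are identifiers, not values:
// use quoteIdentifier(), never quote() or plain concatenation.
$column = 'email';
$where  = $db->quoteInto($db->quoteIdentifier($column) . ' = ?', $_POST['email']);
$users->update($data, $where);
```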

The same concept applies to the Zend Framework as to any other web application / library / anything that manages user data:

Always check user input. Never trust it.

If you expect a string, make sure you get a string. This can be done using framework libraries (for example, in this case you use the Zend Framework) or by implementing the validation functions manually.

Validation should ALWAYS be performed on the server side. Client side validation should also be present to provide a better user interface.

In the case of Zend, please refer to the validation page from the manual.

+2

Binding should prevent SQL injection, but it does nothing to prevent XSS. You should always filter your data as needed, and when reflecting output in a view, you should escape anything that could be dangerous.

 echo $this->escape($this->foo); 
+1

I suggest using Zend Filters where you need something specific. You can use this anywhere in your application.

Request Parameter

$alpha = new Zend_Filter_Alpha();
$name  = $alpha->filter($this->_request->getParam('name')); // while processing URL parameters

Database

$int = new Zend_Filter_Int();
$select->where("id = ?", $int->filter($id)); // during db processing as well

Also in form elements. I will skip that, as examples of it can easily be found.

+1

Source: https://habr.com/ru/post/1302967/

