When do you trust data / variables

We all know that all user data (GET / POST / Cookie, etc.) must be checked for safety.

But when do you stop? As soon as it is converted to a local variable?

e.g.,

    if (isValidxxx($_GET['foo']) == false) {
        throw new InvalidArgumentException('Please enter a valid foo!');
    }
    $foo = $_GET['foo'];
    fooProcessor($foo);

    function fooProcessor($foo) {
        if (isValidxxx($foo) == false) {
            throw Invalid......
        }
        //other stuff
    }

For me it's on top. But what if you load the value from the database ...

Hope I make sense :)

+4
4 answers

The key point is that external (user) input to your program cannot be trusted and must be checked before use. It does not matter if this entry is obtained from a web form, a configuration file, or a user-accessible database. The user of your code can always indicate garbage values, either maliciously or accidentally. But once the check has occurred, it makes no sense to repeat the check of the values - you must trust your own components.

A database under the sole control of your code can be seen as just another component of your trusted system. Values in such a database are not subject to verification if you have no reason to believe that they can be damaged due to external circumstances. For example, you can check the values transmitted over the network.

+2

You think too much about it.

Confirm everything that needs to be checked (i.e. all user input) once in the code path, at a point that is sufficiently late where it cannot be changed by the user in the same server session.

It doesn't matter when. Just be consistent and do whatever you need to get your code read and maintained.

+1

Super Globals such as $_GET, $_POST, $_COOKIE or $_SERVER CANNOT be changed by the user during the script. Once your script loads this. Therefore, you only need to check them once when they enter. Doing this more than once makes no sense and spends CPU time.

0

To answer your question, $_GET and $_POST should never be trusted. However, this is not a vulnerability until a variable is used. If you call print($_GET['xss']), then you have an XSS vulnerability. If you insert this variable into the database and then print it (for example, a forum post), you have saved XSS, which is even worse.

You need to better understand the mentality of the attackers. Variables like $_GET are taint sources, function calls like print() and mysql_query() are sinks. A hacker is looking for sinks that he can influence with spoiled variables. There are many receivers in php, and I recommend reading this black paper (or red paper regardless of its confidence, not white ...). Be sure to read the section on programming in the language.

0
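
The source/sink view from the last answer, applied to the question's "value loaded from the database" case, as an added example that is not part of the original thread. The function names, the `comments` table and the sample request are assumptions made for illustration; it needs PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Hypothetical boundary validator: runs once, where the request value enters.
function validComment(mixed $raw): string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 200) {
        throw new InvalidArgumentException('Please enter a valid comment!');
    }
    return $raw; // valid as a comment, but still free text that may contain markup
}

// Sink 1: SQL. A prepared statement keeps the value out of the query text.
function saveComment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// Sink 2: HTML. Encode at output, including values read back from the database,
// because passing input validation does not make a string safe for this context.
function renderComments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT body FROM comments') as $row) {
        $html .= '<li>' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

// In-memory database so the example runs offline (assumption: pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed stand-in for $_GET so the script can be run from the command line.
$request = ['comment' => "<script>alert(1)</script>'); DROP TABLE comments; --"];

saveComment($db, validComment($request['comment'] ?? null));
echo renderComments($db);
```

Validation happens once at the boundary, while the escaping appropriate to each sink is applied at that sink, so the stored value is rendered as inert text and the table is left intact.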

Source: https://habr.com/ru/post/1310578/