Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Canicalization Of User Input In PHP

from [warnings] Network Security [Permanent Link]
Subject: Canicalization Of User Input In PHP
Date: Sun, 16 Jan 2005 22:40:11 -0800
I am working on implementing a basic PHP user input validation scheme
and have come across several references to canonicalizing input before
performing validation. After researching this topic on the net I have finally
reached a point where I feel okay asking for help.

At this point I have found a few basic functions related to this subject, but
I am getting lost in alphabet soup (UTF-8, RFC 2279, ISO 10646, ...) and
I am reaching a momentary saturation point where I am finding the learning
curve is only getting steeper with the more I learn.

For the basic validation I have found the following set of PHP filters via the
owasp.org site.

http://www.owasp.org/software/labs/phpfilters.html
// sanitize.inc.php
// Sanitization functions for PHP
// by: Gavin Zuchlinski, Jamie Pratt, Hokkaido
// webpage: http://libox.net
// Last modified: December 21, 2003

Now these functions are fairly clear and easy to understand and have
generally validated what I have come to understand as best practices.
as I have experience with fault tolerant coding, just not security. But, the
issue I am having trouble coming to terms with is canonicalization of the data.
Beyond the above routines, I have also found the urldecode() function in
the PHP manual.

At this point I feel (weakly, not securely) that one should use the following
to canonicalize the data prior to validating any input.

reset($_GET);
foreach($_GET as $key => $value){
   // Transform to canonical form.
   $ckey = my_utf8_decode(urldecode($key));
   $cvalue = my_utf8_decode(urldecode($value));
   if( $ckey != sanitize_paranoid_string($ckey) ||
           $cvalue != sanitize_paranoid_string($cvalue) ){
       header('location:www.somesight.net/index.php');
   }
}

I understand this example is simplistic, but is this a proper way
to canonicalize the input values?  Or am I missing something here?

Should I be looking at the following too?

$_SERVER['CONTENT_TYPE'] == 'application/x-www-form-urlencoded'

Is this data even trustworthy? I would at first guess think it could be forged in
the header data.

Any input would be appreciated.

thanks,

Sean

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SQL injection, Francesco
Next by Date:  Re: Proposal to anti-phishing, Rogan Dawes
Previous by Thread:  Announcing: OWASP AppSec Europe 2005, April 9-10, Jeff Williams
Next by Thread:  Re: Canicalization Of User Input In PHP, Paul Johnston
Indexes:  [Date] [Thread] [Top] [All Lists]