For some Open Source (GPL licensed) programs that I am
working on, I am trying to create some PHP routines for data
handling with good security.
The routines I have created for this are given below and I
would like these reviewed for security problems or other
problems that they may have.
My requirements are as follows:
1) The data needs to be made safe for placing into a SQL
statement for use with a Mysql database as well as being
safe to take out of the database and sent to a web page.
2) All work in making the data safe should be done on entry
to the database. Display of query listings is time critical
while data entry is not. Consequently, I prefer for
htmlspecialchars() or similar operations to be done before
data is entered into the database, not after.
3) Some fields have the requirement that they need to allow
the user to include a limited subset of simple html tags.
The user will not be allowed to use any parameters within
these tags. (Note. Code below only shows a few tags. With
final code I will add use of tables and lists etc)
4) Being Free Open Source it must be easily implemented on a
wide range of environments
My initial attempt at making routines to handle this is as
follows:
//The manual is ambiguous and nobody seems to know exactly
// what magic_quotes_runtime does so it is better to set it
// to off.
set_magic_quotes_runtime(0);
// Internal function used to start making the data safe.
function start_make_safe($in_string){
$in_string = isset($in_string) ? trim($in_string) : "";
// Allow this to work regardless of the setting of
// magic_quotes_gps
if (get_magic_quotes_gpc()){
$in_string = stripslashes($in_string);
}
// Stop tags being disguised with \0
return str_replace("\0", '', $in_string);
}
// Internal function used as part of making data safe.
function more_make_safe($in_string){
// Stop tricks of the type "<sc<script>ipt>"
// which if <script> was removed would still leave <script>
while ($in_string != strip_tags($in_string)){
$in_string = strip_tags($in_string);
}
//Replace new lines or linefeeds with <br>
global $linefeeds;
if ($linefeeds == "Y"){
$in_string =
preg_replace("/\r\n|\n\r|\n|\r/","<br>",$in_string);
}
// Allow this to be used in both PHP 5 and most of PHP 4.
return (function_exists(mysql_real_escape_string) ?
mysql_real_escape_string($in_string)
: mysql_escape_string($in_string));
//Note: If LIKE, GRANT, or REVOKE is used in the mysql
// statement then we need to also escape '%' and '_'
// as these are used for wildcards.
}
function make_html_safe($in_string){
$in_string = start_make_safe($in_string);
//change simple tags <br> </b> etc to {{br}} {{/b}} etc
$allowed =
'/<(\/?br)>|<(\/?p)>|<(\/?b)>|<(\/?i)>|<(\/?u)>|<(\/?h[1-5])>/i';
$in_string =
preg_replace($allowed, '{{$1$2$3$4$5$6}}', $in_string);
$in_string = more_make_safe($in_string);
$in_string = htmlentities($in_string, ENT_QUOTES);
//replace simple tags
$allowed =
'/{{(\/?br)}}|{{(\/?p)}}|{{(\/?b)}}|{{(\/?i)}}|{{(\/?u)}}|{{(\/?h[1-5
])}}/i';
return preg_replace($allowed, '<$1$2$3$4$5$6>', $in_string);
}
function make_URL_safe($in_string){
$in_string = more_make_safe(start_make_safe($in_string));
// Try to stop people using any tag or tag completion.
// Note that an '=' and '&' is allowed within the URL.
// Can't use htmlentities as it replaces the '&' symbol.
return (preg_replace("/>|</", "", $in_string));
}
function make_safe($in_string){
$in_string = more_make_safe(start_make_safe($in_string));
return htmlentities($in_string, ENT_QUOTES);
}
// Use of the above routines will be through the use
// of calls similar to the following:
$sql = sprintf ('INSERT INTO mytable (name, userwww,
phone, longdesc, useremail) values
("%s", "%s", "%s", "%s", "%s")'
, make_safe($_POST['name'])
, make_URL_safe($_POST['user_URL'])
, make_safe($_POST['phone_num'])
, make_html_safe($_POST['long_descript'])
, make_safe($_POST['user_email']));
$query = 'SELECT * FROM mytable WHERE name = "'
. make_safe($_POST['name']) . '"';
I have made some simple checks to ensure that the above
functions appear to work.
I would like the above reviewed for any security problems
that they may have or any other problems that it may cause
when placed out in the wild. Any suggestions welcome!
Thank you for your help
Ken Dawber
