The Cache: Technology Expert's Forum
 
Author Topic: PHP Address forms... please check my security...  (Read 2148 times)
perkiset
Olde World Hacker
Administrator
« on: May 02, 2009, 01:12:43 PM »

Hey all - I'm knee deep in some new retail sites and doing, yet again, address collection and storage.

Of course this means that I'm accepting text from users and touching the database, so I've reworked my cleansing process a bit and would like any comments on places I may be missing. Bear in mind that I must accept all char encodings and foreign language characters, unknown forms of zips, states, etc.

Important point - I check everything on the client side before I send it as well - so I can reliably know that if I receive anything other than a 2-capital letter code for a state (US address) then I know I am being hacked, as an example. If a client is using the form correctly, everything comes up in a very known format. This is pretty much to grab the bonehead that is hitting me with something other than what my form produces.

Here is a portion of the POST method (php) that runs before I construct the SQL to drop it into a database:

Code:
<?php

// nameCaps() is perkiset's own helper and is not shown in the post; this
// stand-in (assumed, not his code) capitalises each word so the snippet runs.
if (!function_exists('nameCaps')) {
    function nameCaps($s) { return ucwords(strtolower($s)); }
}

// Salutation is optional, but if present it must look exactly like Mr./Mrs./Ms./Dr.
$salutation = $_POST['salutation'];
if ($salutation)
    if (!preg_match('/^(M|D)(r|s)[s]{0,1}\.$/', $salutation))
        die('Hack attempt.');

// Free-text fields: strip a fixed set of punctuation, trim, cap the length, normalise case.
$fname = nameCaps(substr(trim(preg_replace('/[`~!@#$%^&*()_=+\{\[\}\]<>\/\?]/', '', $_POST['fname'])), 0, 48));
$lname = nameCaps(substr(trim(preg_replace('/[`~!@#$%^&*()_=+\{\[\}\]<>\/\?]/', '', $_POST['lname'])), 0, 48));
$addr1 = nameCaps(substr(trim(preg_replace('/[`~!@#$%^&*()_=+\{\[\}\]<>\/\?]/', '', $_POST['addr1'])), 0, 64));
$addr2 = nameCaps(substr(trim(preg_replace('/[`~!@#$%^&*()_=+\{\[\}\]<>\/\?]/', '', $_POST['addr2'])), 0, 64));
$city  = nameCaps(substr(trim(preg_replace('/[`~!@#$%^&*()_=+\{\[\}\]<>\/\?]/', '', $_POST['city'])), 0, 48));

// Country must be a two-letter upper-case code, exactly as the form produces it.
$country = $_POST['country'];
if (!preg_match('/^[A-Z]{2}$/', $country)) die('Hack Attempt');

if ($country == 'US')
{
    // As posted this read $_POST['country'], which would silently store "US" as the state; fixed to 'state'.
    $state = $_POST['state'];
    if (!preg_match('/^[A-Z]{2}$/', $state)) die('Hack Attempt');
    $zip = $_POST['zip'];
    if ((!preg_match('/^[0-9]{5}$/', $zip)) and (!preg_match('/^[0-9]{5}[^0-9]{1}[0-9]{4}$/', $zip))) die('Hack Attempt');
} else {
    $state = nameCaps(substr(trim(preg_replace('/[`~!@#$%^&*()_=+\{\[\}\]<>\/\?]/', '', $_POST['state'])), 0, 48));
    // As posted the index here was empty ($_POST['']); 'zip' is clearly what was intended.
    $zip = strtoupper(substr(trim(preg_replace('/[`~!@#$%^&*()_=+\{\[\}\]<>\/\?]/', '', $_POST['zip'])), 0, 16));
}

?>


Any thoughts appreciated!

/perk

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
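Taking the same allowlist approach one step further, as an added example that is not perkiset's code or anything else from this thread: the per-field rules live in one table, lengths are counted in characters rather than bytes so foreign-language input is not chopped mid-character, over-length values are rejected instead of truncated, and the final INSERT goes through a PDO prepared statement, so even a value that slips past a regex can never alter the SQL text. It assumes PHP 7.4+ with the mbstring and pdo_sqlite extensions; the addresses table, its column names and the sample input are made up for the example.

```php
<?php
// Added example (not perkiset's code): allowlist validation driven by one
// rule table, then a PDO prepared statement. Assumes PHP 7.4+, mbstring and
// pdo_sqlite; the table/column names below are invented for the example.
declare(strict_types=1);

// Max length in characters plus an anchored regex. /u makes \p{L} cover any script.
const ADDRESS_RULES = [
    'salutation' => ['max' => 4,  're' => '/^(?:Mr|Mrs|Ms|Dr)\.$/',           'optional' => true],
    'fname'      => ['max' => 48, 're' => '/^[\p{L}\p{M}\' .-]+$/u'],
    'lname'      => ['max' => 48, 're' => '/^[\p{L}\p{M}\' .-]+$/u'],
    'addr1'      => ['max' => 64, 're' => '/^[\p{L}\p{M}\p{N}#,.\'\/ -]+$/u'],
    'addr2'      => ['max' => 64, 're' => '/^[\p{L}\p{M}\p{N}#,.\'\/ -]+$/u', 'optional' => true],
    'city'       => ['max' => 48, 're' => '/^[\p{L}\p{M}\' .-]+$/u'],
    'country'    => ['max' => 2,  're' => '/^[A-Z]{2}$/'],
];

// Trim, reject anything longer than the form allows (truncating would let
// "USA" pass as "US"), then require an exact match. Null means rejected.
function cleanField(string $name, ?string $raw): ?string
{
    $rule  = ADDRESS_RULES[$name];
    $value = trim((string) $raw);
    if ($value === '' && !empty($rule['optional'])) {
        return '';
    }
    if (mb_strlen($value, 'UTF-8') > $rule['max']) {
        return null;
    }
    return preg_match($rule['re'], $value) === 1 ? $value : null;
}

// Validate a whole POST array. US needs a two-letter state and ZIP or ZIP+4;
// any other country gets free-text state/postal-code rules. Null rejects the
// submission outright, the equivalent of the original die('Hack Attempt').
function cleanAddress(array $post): ?array
{
    $out = [];
    foreach (array_keys(ADDRESS_RULES) as $name) {
        $v = cleanField($name, $post[$name] ?? null);
        if ($v === null) {
            return null;
        }
        $out[$name] = $v;
    }
    $state = trim((string) ($post['state'] ?? ''));
    $zip   = trim((string) ($post['zip'] ?? ''));
    if ($out['country'] === 'US') {
        if (!preg_match('/^[A-Z]{2}$/', $state))             return null;
        if (!preg_match('/^[0-9]{5}(?:-[0-9]{4})?$/', $zip)) return null;
    } else {
        $zip = mb_strtoupper($zip, 'UTF-8');
        if (mb_strlen($state, 'UTF-8') > 48 || !preg_match('/^[\p{L}\p{M}\p{N} .-]*$/u', $state)) return null;
        if (mb_strlen($zip, 'UTF-8') > 16   || !preg_match('/^[\p{L}\p{N} -]*$/u', $zip))         return null;
    }
    $out['state'] = $state;
    $out['zip']   = $zip;
    return $out;
}

// Column names come from the rule table, never from the request; values are
// bound to :name placeholders, so they are never part of the SQL string.
function storeAddress(PDO $db, array $addr): void
{
    $cols = array_keys($addr);
    $sql  = 'INSERT INTO addresses (' . implode(', ', $cols) . ') VALUES ('
          . implode(', ', array_map(fn(string $c): string => ':' . $c, $cols)) . ')';
    $stmt = $db->prepare($sql);
    $stmt->execute($addr); // PDO maps each array key to the matching :name
}

// Constructed sample input standing in for $_POST (not real data).
$sample = [
    'salutation' => 'Mrs.', 'fname' => 'Zoë', 'lname' => "O'Neil",
    'addr1' => "12 Rue de l'Église", 'addr2' => '', 'city' => 'Québec',
    'country' => 'CA', 'state' => 'QC', 'zip' => 'g1r 4s9',
];

$clean = cleanAddress($sample);
if ($clean === null) {
    http_response_code(400);
    exit('Invalid address');
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE addresses (salutation, fname, lname, addr1, addr2, city, country, state, zip)');
storeAddress($db, $clean);
```

The point of the split between cleanAddress() and storeAddress() is that the regexes decide what the application accepts, while the prepared statement decides what the database sees; if a rule is ever loosened to admit another country's address format, the query is unaffected.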
vsloathe
vim ftw!
Global Moderator
« Reply #1 on: May 02, 2009, 01:17:32 PM »

Good, but the regexes make my eyes bleed.

Why not

Code:
<?php
if (!preg_match('/^\w{2}$/', $state)) die('Hack Attempt');

?

You're probably going to say "because \w includes 0-9", etc. which is irrelevant. No one can inject SQL with 0-9 and you should have constraints on your tables. Or whatever, maybe it's easier for you to read.

EDIT: Oh yeah it'd probably be good if I explained why you'd care so it doesn't sound like I'm being pedantic: The PCRE treats character class aliases as pre-stored literals but it has to calculate/parse what's between the []. Not a big deal but if you are running that many PCRE-reliant functions it will be significant.
« Last Edit: May 02, 2009, 01:20:15 PM by vsloathe »

hai
perkiset
Olde World Hacker
Administrator
« Reply #2 on: May 02, 2009, 01:20:10 PM »

You're correct VS - I forget what the special char codes are, so I read a more literal type of regex more easily. And you're right, I'd pay big money to see someone SQL inject me with just [A-Z0-9]{2} ;)
perkiset
Olde World Hacker
Administrator
« Reply #3 on: May 02, 2009, 01:21:39 PM »

Quote from: vsloathe
EDIT: Oh yeah it'd probably be good if I explained why you'd care so it doesn't sound like I'm being pedantic: The PCRE treats character class aliases as pre-stored literals but it has to calculate/parse what's between the []. Not a big deal but if you are running that many PCRE-reliant functions it will be significant.

Hmmmm... that's the first argument that I've heard that's significant enough for me to re-evaluate my continual code forgetfulness. Thanks meng, have to give that some consideration.
vsloathe
vim ftw!
Global Moderator
« Reply #4 on: May 02, 2009, 01:22:48 PM »

Quick reference from VSloathe's Head:

\w = [0-9A-Za-z]
\W = [^0-9A-Za-z]

\d = [0-9]
\D = [^0-9]

\s = whitespace
\S = not whitespace. I use \S a lot.
perkiset
Olde World Hacker
Administrator
« Reply #5 on: May 02, 2009, 01:26:59 PM »

Handy, and few enough for me to stop being a bonehead about it.

Cheers V.
nutballs
Back in my day we had 9 planets
Administrator
« Reply #6 on: May 02, 2009, 08:39:48 PM »

this is part of the reason why I convert strings to hex in app where I really need to make certain of security.
I dont then care at all about the content of the string.
then with numbers I convert to int.
with floats, same.
with dates, same.

or at least test them as valid, numeric/date.

but for raw text, hex is bulletproof i think?

I could eat a bowl of Alphabet Soup and shit a better argument than that.