Menu
▾
▴
Re: [WebERP-developers] Replicating slashes problem - escaping special chars for database insertion or HTML
|
From: icedlava <ice...@gm...> - 2013-11-27 16:40:36
|
It is in essence very simple to do but requires some work to get a clean consistent solution through the code base. And we should not use addslahes() and stripslahes(). Search on google there are lots of references: eg http://stackoverflow.com/questions/568995/best-way-to-defend-against-mysql-injection-and-cross-site-scripting http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php http://stackoverflow.com/questions/6399833/is-there-a-reason-why-i-need-to-use-stripslashes-for-user-submitted-data On 28 Nov 2013, at 0:57, Tim Schofield wrote: > Hi Jo, > > I meant I thought we had dealt with most instances. For instance > creating a sales order for smith's crisps does not generate this > error. I think the overwhelming majority of webERP scripts are of the > type: "Fill in a form, submit it and update the database". Fixing this > *seems* to be just a case of using stripslashes() on the item > description in the PO_Items.php script. > > This code in session.inc came about after a security review by Steve > Lord many years ago, and I would be very nervous about taking it out. > > Thanks > Tim > > On 27 November 2013 12:30, icedlava <ice...@gm...> wrote: >> Hi Tim, >> >>> thought we had caught and dealt with these >> >> We caught an instance but I knew at the time it required a broader fix >> but was unable to identify best way ahead for it. >> >> I have raised the issue some time ago with Phil but not had time until >> now to look at the code and had a better look today. >> >>> Can you give some >>> examples of where it is still happening? >> >> Perhaps you can try replicate - it could be text with special char in >> any text field that is submitted in a form, a displayed value or input >> value that has some e.g. post var, get var or session var submitted to >> the database (some specific instances in the code have been addressed >> and fixed like you mentioned). >> >> I will try and provide an example: >> >> 1. Create an item with an item description such as "Smith's Chips" >> 2. Place a purchase order and select the item for your order. >> 3. At the PO_items.php function, with the line item for the order >> selected, click on Update Order lines and watch the description. You >> should get more slashes each time you click the Update Order lines >> button. >> >> I think, that we cannot assume in the sessions.inc file that we are >> going to add/update a post or get or session var to a database at first >> instance - it could be displayed only, it could be used in an input post >> field etc >> >> - when we save to the database call the relevant function e.g. >> mysqli_real_escape_string on non-html entity string (in weberp this is >> the DB_escape_string function but should be nonentity string e.g. use >> htmlspecialchars_decode not htmlspecialchars). >> >> - when we display in HTML use htmlspecialchar call to encode to entities >> where relevant. >> >> Anyway this is just some issue i came across a while ago and now >> revisiting in hope we can squash it for good - maybe someone has a >> solution already. >> >> Cheers! >> >> >> >> >> On 27 Nov 2013, at 18:57, Tim Schofield wrote: >> >>> Hi Jo, >>> >>> I thought we had caught and dealt with these. Can you give some >>> examples of where it is still happening? >>> >>> Thanks >>> Tim >>> >>> On 27 November 2013 06:57, iced lava <ice...@gm...> wrote: >>>> Currently we have sessions.inc processing all session, post and get >>>> vars in >>>> the same way. >>>> >>>> We make a big assumption here with DB_escape_string at line 59 and 66 >>>> (for >>>> single var and slightly different for arrays): >>>> >>>> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue); >>>> >>>> This assumes that we know what a function will do with the >>>> post/get/sessions >>>> vars and that they are going to be inserted/updated to a database. >>>> They are >>>> passed to the DB_escape_string function which returns (for mysqli): >>>> >>>> mysqli_real_escape_string($db, htmlspecialchars($String, >>>> ENT_COMPAT,'utf-8', >>>> false)); >>>> >>>> This is causing exponential slash addition to variables which are not >>>> entered to a database but instead posted to a HTML field value. Each >>>> time >>>> the field is updated the value is saved in the database with extra >>>> slashes >>>> when escaping a special char like a single quote. >>>> >>>> If we do actually need to do this variable processing in sessions.inc >>>> then >>>> perhaps we could decide what is more common displaying the var or >>>> insert/updating to a db. >>>> >>>> If we chose for example that displaying the var on the page is more >>>> common >>>> then we should change sessions inc for example on this line: >>>> >>>> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue) >>>> >>>> to >>>> $_POST[$PostVariableName]= htmlspecialchars($PostArrayValue, >>>> ENT_QUOTES,'UTF-8'); >>>> >>>> and for this case in DB_escape_string from: >>>> >>>> return mysqli_real_escape_string($db, htmlspecialchars($String, >>>> ENT_COMPAT,'utf-8', false)); >>>> to >>>> >>>> return mysqli_real_escape_string($db, >>>> htmlspecialchars_decode($String, >>>> ENT_COMPAT)); >>>> >>>> >>>> Then we need to call DB_escape_string on vars before we send to any >>>> insert >>>> or edit for database. >>>> >>>> On the other hand - we need to do the opposite if we assume it is >>>> more >>>> likely to post to the database. >>>> >>>> Perhaps there is another 3rd way to handle it? >>>> >>>> Thanks to all in advance for any feedback!! >>>> >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Rapidly troubleshoot problems before they affect your business. Most >>>> IT >>>> organizations don't have a clear picture of how application >>>> performance >>>> affects their revenue. With AppDynamics, you get 100% visibility into >>>> your >>>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of >>>> AppDynamics >>>> Pro! >>>> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk >>>> _______________________________________________ >>>> Web-erp-developers mailing list >>>> Web...@li... >>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers >>>> >>> >>> >>> >>> -- >>> Course View Towers, >>> Plot 21 Yusuf Lule Road, >>> Kampala >>> T +256 (0) 312 314 418 >>> M +256 (0) 752 963 325 >>> www.weberpafrica.com >>> Twitter: @TimSchofield2 >>> Blog: http://weberpafrica.blogspot.co.uk/ >>> >>> ------------------------------------------------------------------------------ >>> Rapidly troubleshoot problems before they affect your business. Most >>> IT >>> organizations don't have a clear picture of how application >>> performance >>> affects their revenue. With AppDynamics, you get 100% visibility into >>> your >>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of >>> AppDynamics Pro! >>> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk >>> _______________________________________________ >>> Web-erp-developers mailing list >>> Web...@li... >>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers >> >> ------------------------------------------------------------------------------ >> Rapidly troubleshoot problems before they affect your business. Most IT >> organizations don't have a clear picture of how application performance >> affects their revenue. With AppDynamics, you get 100% visibility into your >> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro! >> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk >> _______________________________________________ >> Web-erp-developers mailing list >> Web...@li... >> https://lists.sourceforge.net/lists/listinfo/web-erp-developers > > > > -- > Course View Towers, > Plot 21 Yusuf Lule Road, > Kampala > T +256 (0) 312 314 418 > M +256 (0) 752 963 325 > www.weberpafrica.com > Twitter: @TimSchofield2 > Blog: http://weberpafrica.blogspot.co.uk/ > > ------------------------------------------------------------------------------ > Rapidly troubleshoot problems before they affect your business. Most IT > organizations don't have a clear picture of how application performance > affects their revenue. With AppDynamics, you get 100% visibility into your > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro! > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > _______________________________________________ > Web-erp-developers mailing list > Web...@li... > https://lists.sourceforge.net/lists/listinfo/web-erp-developers |
