[ZendTo] Re: unconditional use of stripslashes, missing backslashes.

Jules Jules at Zend.To
Sun Feb 5 16:44:56 GMT 2012 

Agreed. I have a feeling there are still one or two places in the code 
that don't use prepared statements. I should just go through these and 
fix them.

If I send you a version with only prepared statements, and no calls to 
stripslashes, can you do a proper security audit of the resulting system 
for me please?

Anyone out there got any tools for specifically security-proving 
websites based on PHP?

Jules.

On 03/02/2012 17:37, Joerg Streibhardt wrote:
>
> Hi Julian,
>
> from a security perspective the use of stripslashes is a bad idea.
>
> The magic quotes feature adds these backslashes to escape the 
> "dangerous" characters (i.e. ') for database use.
>
> Basically it's a weak version of what sqlite_escape_string et al are 
> doing and stripslashes reverts this.
>
> If the intention is to remove all backslashes, stripslashes is 
> definately not the right function. All that's required to defeat it is 
> using two backslashes for one to remain.
>
> As for the expected need: In our case it'll probably be about every 
> second drop-off as users will be asked to upload a file in some more 
> or less arbitrary directory for analysis.
>
> To recap: stripslashes does nothing to improve security, all it does 
> is decrease security if *_escape_string is forgotten, magic_quotes is 
> either on or off.
> Additionally it'll  garble user input if magic_quotes off (which is 
> the default for new installs).
>
> Cheers
> Jörg
>
> Am 03.02.2012 18:12 schrieb "Jules" <Jules at zend.to 
> <mailto:Jules at zend.to>>:
>
>     How often do people need to put in backslashes? Versus the danger of
>     missing an instance of escaping-based injection because of not
>     removing
>     them? I would personally prefer to play safe.
>
>     If we can *guarantee* that it won't lessen security *at all*, then we
>     can not remove all backslashes.
>
>     Jules.
>
>     On 03/02/2012 16:49, Joerg Streibhardt wrote:
>     > Hi Jules
>     >
>     > my first real user informed me that the backslashes he typed
>     into the
>     > message were removed.
>     > After looking around for a bit I noticed that most if not all
>     > instances of stripslashes are called whether PHP added those "magic
>     > quotes" or not.
>     >
>     > Unfortunately I'm unable to globally enable magic quotes and the
>     > manual states that:
>     >
>     >> This feature has been DEPRECATED as of PHP 5.3.0. Relying on
>     this feature is highly discouraged.
>     >>
>     http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
>     > I've changed the setting locally for ZendTo by adding
>     >> php_flag magic_quotes_gpc on
>     > in the apache-configuration for<Directory /opt/zendto/www/>.
>     >
>     > I think stripslashes should only be used if get_magic_quotes_gpc()
>     > returns true. Removing it altogether is probably not a good idea at
>     > this time.
>     >
>     > What do you think?
>     >
>     > Cheers
>     > Jörg
>     >
>     > _______________________________________________
>     > ZendTo mailing list
>     > ZendTo at zend.to <mailto:ZendTo at zend.to>
>     > http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>     Jules
>
>     --
>     Julian Field MEng CITP CEng
>     www.Zend.To <http://www.Zend.To>
>
>     Follow me at twitter.com/JulesFM <http://twitter.com/JulesFM>
>     PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>     'It's okay to live without all the answers' - Charlie Eppes, 2011
>     'All programs have a desire to be useful' - Tron, 1982
>     'That is the land of lost content,
>      I see it shining plain,
>      The happy highways where I went,
>      And cannot come again.' - A.E. Houseman
>
>
>     _______________________________________________
>     ZendTo mailing list
>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20120205/e7704e18/attachment.html

More information about the ZendTo mailing list