[ZendTo] Re: unconditional use of stripslashes, missing backslashes.

Jules Jules at Zend.To
Tue Feb 7 09:30:50 GMT 2012



On 06/02/2012 10:05, Joerg Streibhardt wrote:
> Hi Jules,
>
> I'll do my best to check the source. Though I'm not aware of a
> dedicated software for an audit.
Looks like changing them all to prepared statements is going to be a 
right pain due to gaping holes in the PHP 5.2 mysqli library. So for now 
I have just been through every parameter to ensure it is properly 
escaped. Hopefully that won't break anything! (I'll do some testing).
>
> Could you please replace the calls to stripslashes by a call to
> something else, say a global method
>
> function zendToParamPrepare($value) {
>    // Only strip slashes when PHP's magic_quotes_gpc actually added them.
>    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
> }
>
> called as "$paramValue = zendToParamPrepare($_GET['something']);"
>
> This way it'll keep working just fine on systems with magic quotes enabled.
Done.

Jules.

>
> Cheers
> Jörg
>
> On Sun, Feb 5, 2012 at 5:44 PM, Jules<Jules at zend.to>  wrote:
>> Agreed. I have a feeling there are still one or two places in the code that
>> don't use prepared statements. I should just go through these and fix them.
>>
>> If I send you a version with only prepared statements, and no calls to
>> stripslashes, can you do a proper security audit of the resulting system for
>> me please?
>>
>> Anyone out there got any tools for specifically security-proving websites
>> based on PHP?
>>
>> Jules.
>>

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
  I see it shining plain,
  The happy highways where I went,
  And cannot come again.' - A.E. Housman
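As an added example (not code from this thread or from ZendTo itself), the behaviour the messages above discuss: an unconditional stripslashes() silently deleting backslashes when magic quotes are off, Jörg's conditional wrapper, and the mysqli prepared statement the thread wants to move to. The table, column and connection values are hypothetical placeholders.

```php
<?php
// Added example (not ZendTo's code): why the unconditional stripslashes()
// call loses backslashes, the conditional wrapper from the quoted message,
// and a mysqli prepared statement in place of escape-and-interpolate.
// Table, column and connection values below are hypothetical placeholders.

// A value a user might legitimately submit; with magic_quotes_gpc off,
// $_GET already holds it exactly like this.
$raw = 'C:\\temp\\file.txt';

// Unconditional stripslashes() eats every backslash: "C:tempfile.txt".
$broken = stripslashes($raw);

// Only strip when PHP actually added the slashes. get_magic_quotes_gpc()
// was removed in PHP 8.0, so treat its absence as "magic quotes off".
function zendToParamPrepare($value) {
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}
$token = zendToParamPrepare($raw);   // unchanged when magic quotes are off

printf("raw:    %s\nbroken: %s\nkept:   %s\n", $raw, $broken, $token);

$db = new mysqli('localhost', 'zendto_user', 'secret', 'zendto');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}

// Escape-and-interpolate, as Jules did for PHP 5.2: safe only if every
// parameter goes through real_escape_string() and the literal is quoted.
// Built here for contrast, not executed.
$sql = sprintf("SELECT filename FROM dropoffs WHERE claim_token = '%s'",
               $db->real_escape_string($token));

// Prepared statement: the value is bound, never spliced into the SQL text,
// so escaping cannot be forgotten and quoting mistakes cannot occur.
$stmt = $db->prepare('SELECT filename FROM dropoffs WHERE claim_token = ?');
$stmt->bind_param('s', $token);
$stmt->execute();
$stmt->bind_result($filename);
while ($stmt->fetch()) {
    echo "matched: $filename\n";
}
$stmt->close();
$db->close();
```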
