Open-AudIT

Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 
Posted: Fri Mar 27, 2009 6:58 pm
list.php?name=Don%27t+Get+Angry!+2&view=systems_for_software&headline_addition=Don%27t+Get+Angry!+2&

someone forgot to add slashes ;)

It's a tip, but for my own project I've got an init-script that runs first (doing all initial initializations and checks). Part of it is to addslashes to all $_GET and $_POST variables... I copied it from the PHPBB-script. It's also a good security precaution to avoid SQL exploits.


Posted: Fri Mar 27, 2009 9:29 pm
We could do with better handling of slashes, so any ideas on this topic would be welcome.

I suspect we should make a function of all get and put, so we can better handle the nasties that life throws at them, but this would require a bit of a trawl through the code to ensure all of the gets and puts are fixed.

_________________
Andrew



Posted: Mon Mar 30, 2009 7:45 pm
These are the top lines in my init-script. Most of it I got from PHPBB2, I compared it with PHP3 a while ago, they reformatted it a bit, but most functionality is the same.

[code]
// Report all errors except E_NOTICE
error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
error_reporting (E_ALL); //for debugging, COMMENT THIS LINE OUT WHEN LIVE

// Disable magic_quotes_runtime (the function no longer exists in PHP 7+)
if (function_exists('set_magic_quotes_runtime'))
{
    @set_magic_quotes_runtime(0);
}

// Protect against GLOBALS tricks
// (superglobals are used here; the $HTTP_*_VARS arrays are not always populated)
if (isset($_POST['GLOBALS']) || isset($_FILES['GLOBALS']) || isset($_GET['GLOBALS']) || isset($_COOKIE['GLOBALS']))
{
    die('Houston, we\'ve got an problem');
}

// Protect against HTTP_SESSION_VARS tricks
if (isset($_SESSION) && !is_array($_SESSION))
{
    die('Houston, we\'ve got an problem');
}

if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
{
    // PHP4+ path
    // Variable names are listed without the leading '$', which is how
    // they appear as keys of the merged input array below.
    $not_unset = array('_GET', '_POST', '_COOKIE', '_SERVER', '_SESSION', '_ENV', '_FILES');

    // Not only will array_merge give a warning if a parameter
    // is not an array, it will actually fail. So we check if
    // HTTP_SESSION_VARS has been initialised.
    if (!isset($_SESSION) || !is_array($_SESSION))
    {
        $_SESSION = array();
    }

    // Merge all into one extremely huge array; unset
    // this later
    $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_SESSION, $_ENV, $_FILES);

    unset($input['input']);
    unset($input['not_unset']);

    // Drop every global that register_globals created from request data
    foreach (array_keys($input) as $var)
    {
        if (!in_array($var, $not_unset))
        {
            unset($$var);
        }
    }

    unset($input);
}

// addslashes to vars if magic_quotes_gpc is off
// this is a security precaution to prevent someone
// trying to break out of a SQL statement.
// (get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists check)
$get_magic_quotes_gpc = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

if ( ! $get_magic_quotes_gpc )
{

    if ( is_array($_GET) ) //get_vars = page.php?var1=value&var2=value
    {
        foreach ( $_GET as $key => $value )
        {
            if ( is_array($value) ) // e.g. page.php?var[]=a&var[]=b (one level of nesting)
            {
                foreach ( $value as $key2 => $value2 )
                {
                    $_GET[$key][$key2] = addslashes($value2);
                }
                @reset($_GET[$key]);
            }
            else
            {
                $_GET[$key] = addslashes($value);
            }
        }
        @reset($_GET);
    }

    if ( is_array($_POST) ) //post_vars = submitted through a form
    {
        foreach ( $_POST as $key => $value )
        {
            if ( is_array($value) )
            {
                foreach ( $value as $key2 => $value2 )
                {
                    $_POST[$key][$key2] = addslashes($value2);
                }
                @reset($_POST[$key]);
            }
            else
            {
                $_POST[$key] = addslashes($value);
            }
        }
        @reset($_POST);
    }

    if ( is_array($_COOKIE) )
    {
        foreach ( $_COOKIE as $key => $value )
        {
            if ( is_array($value) )
            {
                foreach ( $value as $key2 => $value2 )
                {
                    $_COOKIE[$key][$key2] = addslashes($value2);
                }
                @reset($_COOKIE[$key]);
            }
            else
            {
                // write the escaped value back into the cookie array
                $_COOKIE[$key] = addslashes($value);
            }
        }
        @reset($_COOKIE);
    }
}
[/code]

The last part ensures that all $_GET, $_POST and $_COOKIE variables have slashes. In my scripts I never have to worry about them ;) (except when echo-ing $_GET or $_POST values, you'll have to remove the slashes first of course).
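An added example, not code from this thread or from Open-AudIT: the apostrophe in the `name=` parameter quoted in the first post, handled by binding the value in a prepared statement and escaping with `htmlspecialchars()` at output, rather than by running `addslashes()` over every request variable. The table, its columns and the helpers `open_demo_db()`, `systems_for_software()` and `h()` are assumptions for illustration; it uses an in-memory SQLite database through PDO (PHP 7 or later with pdo_sqlite) so it runs stand-alone.

```php
<?php
// Added example: constructed table and data, not Open-AudIT's schema.
// The same pattern applies with a MySQL DSN.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE software (system_name TEXT, name TEXT)');
    $ins = $db->prepare('INSERT INTO software (system_name, name) VALUES (?, ?)');
    $ins->execute(['PC-01', "Don't Get Angry! 2"]);
    $ins->execute(['PC-02', 'Other Package']);
    return $db;
}

// Hypothetical helper: list the systems that have a given package installed.
function systems_for_software(PDO $db, string $name): array
{
    // The value is bound as data; it never becomes part of the SQL text,
    // so quotes in it cannot terminate the string literal.
    $stmt = $db->prepare(
        'SELECT system_name FROM software WHERE name = :name ORDER BY system_name'
    );
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Escape at the point of output, for the HTML context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = open_demo_db();

// Constructed request, based on the query string quoted in the first post.
parse_str('name=Don%27t+Get+Angry!+2&view=systems_for_software', $query);
$name = is_string($query['name'] ?? null) ? $query['name'] : '';

$systems = systems_for_software($db, $name);
echo '<h1>' . h($name) . "</h1>\n";
foreach ($systems as $system) {
    echo '<li>' . h($system) . "</li>\n";
}

// The same value after a blanket addslashes() carries a stray backslash,
// so it no longer equals the stored name once it is bound as a parameter.
$slashed = systems_for_software($db, addslashes($name));
echo count($systems) . ' match(es) raw, ' . count($slashed) . " after addslashes()\n";
```

Because bound parameters take the value as-is, an init-script that adds slashes to every request variable has to be dropped when queries move to prepared statements, otherwise the backslashes end up in lookups and in stored data.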

