Rothamsted-Ecoinformatics / eRA

e-RA website code

Preventing Injection #17

Closed nathcast closed 4 years ago

nathcast commented 4 years ago

Hi: the code depends on variables passed to subsequent pages via the URL (so GET or POST?). I know this could be prone to injection of malicious code and, before all is released, I would like some help to check that the code is secure. The following code is what PJV (verrier) wrote a few years ago. I am willing to have my code reviewed for weaknesses.

This code is at the top of every page and treats all the variables that are coming in.

```php
<?php
foreach ( $_GET as $sk => $sv ) { // stop injection // convert with htmlentities($userInput);
    if (is_string ( $sv )) {
        $ftpPos = strpos ( strtolower ( $sv ), 'ftp:' );
        if ($ftpPos === false) {
            $$sk = htmlentities ( $sv );
        } else {
            // echo("<p>ftp found in parameter</p>");
            $_GET [$sk] = "";
            $area = "home";
            $page = "index";
        }
    } elseif (is_array ( $sv )) {
        foreach ( $sv as $key => $value ) {
            $$sk [$key] = htmlentities ( $value );
        }
    } else {
        $_GET [$sk] = "";
    }
    // end stop injection
}

foreach ( $_POST as $sk => $sv ) { // stop injection // convert with htmlentities($userInput);
    if (is_string ( $sv )) {
        $ftpPos = strpos ( strtolower ( $sv ), 'ftp:' );
        if ($ftpPos === false) {
            $$sk = htmlentities ( $sv );
            // echo($sk . " : " . $$sk);
        }
    } elseif (is_array ( $sv )) {
        foreach ( $sv as $key => $value ) {
            $$sk [$key] = htmlentities ( $value );
        }
    } else {
        // echo("<p>ftp found in parameter</p>");
        $_GET [$sk] = "";
    }
    // end stop injection
}
```
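
The following is an added example for this issue; it is not code from the e-RA repository or from either participant. It reduces the import loop posted above to its core (`$$sk = htmlentities($sv)`, which turns every request key into a PHP variable, the behaviour PHP's old `register_globals` had) and sets a whitelist-based alternative beside it: read only the parameters a page expects, validate each by type, bind SQL parameters, and HTML-encode at output time. The parameter names `area` and `page` come from the posted code; `exp_id`, `isAdmin` and the `experiments` table are hypothetical, and the request data is constructed inline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the e-RA repository.
// `area` and `page` are taken from the posted import loop; `exp_id`,
// `isAdmin` and the `experiments` table are hypothetical names.

// 1. The posted pattern, reduced: every request key becomes a PHP variable.
function routeWithVariableVariables(array $request): array
{
    $area = 'home';
    $page = 'index';
    $isAdmin = false;                   // state the application controls
    foreach ($request as $sk => $sv) {
        if (is_string($sv) && strpos(strtolower($sv), 'ftp:') === false) {
            $$sk = htmlentities($sv);   // ?isAdmin=1 overwrites $isAdmin
        }
    }
    return compact('area', 'page', 'isAdmin');
}

// 2. Whitelist approach: read only the parameters the page expects and
//    check each against what it may contain. Unknown keys are never read.
const ALLOWED_AREAS = ['home', 'experiments', 'data'];
const ALLOWED_PAGES = ['index', 'summary', 'download'];

function routeWithWhitelist(array $request): array
{
    $area = $request['area'] ?? 'home';
    $page = $request['page'] ?? 'index';
    if (!is_string($area) || !in_array($area, ALLOWED_AREAS, true)) {
        $area = 'home';
    }
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        $page = 'index';
    }
    // A numeric ID is validated as an integer, not HTML-encoded.
    $expId = filter_var($request['exp_id'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    return ['area'    => $area,
            'page'    => $page,
            'exp_id'  => $expId === false ? null : $expId,
            'isAdmin' => false];
}

// 3. SQL injection is stopped by parameter binding, not by htmlentities():
//    with PHP < 8.1 the default flags (ENT_COMPAT) leave the single quote
//    alone, so a value such as "' OR 1=1 --" passes through unchanged.
function findExperiment(PDO $db, int $expId): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM experiments WHERE id = :id');
    $stmt->execute([':id' => $expId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. Output encoding happens where the value is printed, with explicit flags.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request, as an attacker would send it:
//   ?area=home&page=index&isAdmin=1&exp_id=' OR 1=1 --
$attack = ['area' => 'home', 'page' => 'index',
           'isAdmin' => '1', 'exp_id' => "' OR 1=1 --"];

$vv = routeWithVariableVariables($attack);
$wl = routeWithWhitelist($attack);
echo 'variable variables: isAdmin=', var_export($vv['isAdmin'], true), "\n";
echo 'whitelist:          isAdmin=', var_export($wl['isAdmin'], true),
     ' exp_id=', var_export($wl['exp_id'], true), "\n";

// Needs the pdo_sqlite extension (assumption); the table is constructed here.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE experiments (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO experiments VALUES (1, 'Broadbalk <Wheat>')");
$row = findExperiment($db, 1);
if ($row !== null) {
    echo h($row['name']), "\n";
}
```

Run with `php example.php`. Under the variable-variables loop the application's `$isAdmin` comes back as the string `'1'` (truthy), because the attacker chose the variable name; under the whitelist it stays `false`, and the `exp_id` payload is rejected as a non-integer before any query is built. The `<` and `>` in the stored name are encoded only when printed, which is the point at which the encoding context is known.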

richardostler commented 4 years ago

Emailed you as I don't think this discussion is appropriate for github - I'll create a new issue just to track the status of security work.