eustasy / Phoenix

A lightweight BitTorrent Tracker written in PHP with an SQL backend.
MIT License

Sanitize super-global variables before use. #16

Closed lewisgoddard closed 8 years ago

lewisgoddard commented 9 years ago

We will likely want to sanitize all the variables appropriately before we do anything else.

lewisgoddard commented 8 years ago

From phoenix.php#L33:

// TODO Sanatize everything
// once.input.sanatize.php
// IF BINARY
if (
    isset($_GET['info_hash']) &&
    strlen($_GET['info_hash']) == 20
) {
    $_GET['info_hash'] = bin2hex($_GET['info_hash']);
}
if (
    isset($_GET['peer_id']) &&
    strlen($_GET['peer_id']) == 20
) {
    $_GET['peer_id'] = bin2hex($_GET['peer_id']);
}
// END IF BINARY

lewisgoddard commented 8 years ago

We should replace all super-global references with ones similar to $Sanitized['GET']['info_hash']. $Sanitized should be SQL-safe. This will remove the need for sanitation within functions or before SQL queries.

lewisgoddard commented 8 years ago

once.input.sanatize.admin.php
once.input.sanatize.announce.php
once.input.sanatize.scrape.php
once.input.sanatize.tracker.php (both)

lewisgoddard commented 8 years ago

admin.php is done, I'm up to announce.php#L47

lewisgoddard commented 8 years ago

announce.php is done. Only scrape.php and its associates to do.

lewisgoddard commented 8 years ago

Just de-duplication left. once.sanatize.tracker.php has two 20-bit binary or 40-bit hexadecimals that work the same.
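The two ideas in this thread, a single $Sanitized array that replaces direct super-global reads (the earlier comment), and one shared routine for the "20-byte binary or 40-char hex" check that the last comment wants de-duplicated, can be sketched as follows. This is an added example written for this page, not code from the Phoenix repository; the function names normalizeHash20 and sanitizeGet, the whitelist of announce keys, and the SQLite table are all assumptions. The sanitizer normalises identifiers to lowercase hex, whitelists every other key with a type check, and drops anything it does not recognise; the query at the end still uses a prepared statement, because a sanitized array reduces the attack surface but does not replace parameterised SQL.

```php
<?php
// Added example (not Phoenix code): build $Sanitized['GET'] from a raw query
// array so that request handlers never touch $_GET directly.

/**
 * Normalise a 20-byte binary or 40-character hex identifier (info_hash,
 * peer_id) to lowercase hex. Returns null for anything else so the caller
 * can reject the request instead of silently passing garbage to SQL.
 * One function here replaces the duplicated check mentioned in the thread.
 */
function normalizeHash20(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    if (strlen($raw) === 20) {            // raw binary, as clients send it
        return bin2hex($raw);
    }
    if (preg_match('/\A[0-9a-fA-F]{40}\z/', $raw) === 1) {
        return strtolower($raw);           // already hex
    }
    return null;
}

/**
 * Whitelist and type every announce parameter. Unknown keys are dropped,
 * malformed values are dropped, so consumers can rely on the shape.
 */
function sanitizeGet(array $get): array
{
    $out = [];
    foreach (['info_hash', 'peer_id'] as $key) {
        if (isset($get[$key])) {
            $hex = normalizeHash20((string) $get[$key]);
            if ($hex !== null) {
                $out[$key] = $hex;
            }
        }
    }
    // Byte counters: non-negative integers; FILTER_VALIDATE_INT rejects
    // overflow and non-digit input such as "50' OR 1=1 --".
    foreach (['uploaded', 'downloaded', 'left', 'numwant'] as $key) {
        if (isset($get[$key])) {
            $n = filter_var($get[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
            if ($n !== false) {
                $out[$key] = $n;
            }
        }
    }
    if (isset($get['port'])) {
        $p = filter_var($get['port'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 65535]]);
        if ($p !== false) {
            $out['port'] = $p;
        }
    }
    if (isset($get['event']) && in_array($get['event'], ['started', 'stopped', 'completed'], true)) {
        $out['event'] = $get['event'];
    }
    if (isset($get['ip']) && filter_var($get['ip'], FILTER_VALIDATE_IP) !== false) {
        $out['ip'] = $get['ip'];
    }
    return $out;
}

// Constructed sample request (not real tracker traffic): binary info_hash,
// hex peer_id, one hostile numwant that must be dropped.
$sample = [
    'info_hash' => str_repeat("\xAB", 20),
    'peer_id'   => str_repeat('cd', 20),
    'port'      => '6881',
    'left'      => '0',
    'event'     => 'completed',
    'numwant'   => "50' OR 1=1 --",
    'debug'     => 'whatever',      // unknown key, dropped
];
$Sanitized = ['GET' => sanitizeGet($sample)];
var_dump($Sanitized['GET']);

// Even with sanitized input, bind parameters; assumes the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE peers (info_hash TEXT, peer_id TEXT, port INTEGER)');
$stmt = $pdo->prepare('INSERT INTO peers (info_hash, peer_id, port) VALUES (:h, :p, :port)');
$stmt->execute([
    ':h'    => $Sanitized['GET']['info_hash'],
    ':p'    => $Sanitized['GET']['peer_id'],
    ':port' => $Sanitized['GET']['port'],
]);
echo $pdo->query('SELECT COUNT(*) FROM peers')->fetchColumn(), " row(s) inserted\n";
```

Running this prints the sanitized array with info_hash as 40 hex characters, port and left as integers, and neither numwant nor debug present. Handlers then read $Sanitized['GET'] only, which is the replacement for direct super-global access proposed in the thread.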