Sanity Checker

Joined: 10/11/2010

Hello,

A web application receives a hell of a lot of data from its users, which comes from both GET and POST queries. Sometimes we simply need to run a database query depending on the data received, as is, such as an object ID received from the URL or some sort of name entered into a form by the user.

Some databases report an error depending on the type of data received. For example, some of my pages work on GET queries wherein a resource id is supplied as an INTEGER in the URL, such as localhost/systeminfo/system.php?systid=9 (here '9' is the data which acts as an 'action variable'). The page then launches a Load request on the DB. If a user removes the variable (system.php?systid=) or changes it to a garbage value which is not acceptable (system.php?systid=9ver), then the database query fails (well, at least on mine, using PostgreSQL), saying [Query failed: ERROR: invalid input syntax for integer: "9ver"]. In such cases, the application is vulnerable to attack. The same applies to the 'POST' data.

Such insane (not clean) data can actually result in accidental SQL injection attacks and/or allow intentional input validation or SQL injection attacks on the application. It is therefore necessary to have some 'Sanity' checker and/or 'Sanity' sanitizer in the framework. I am starting the work on the same and would create basic checks for the following data types:
int, bool, array, float and string.

I am starting work on a 'QSanity' class with a 'Checker' method for now; it will make use of the built-in PHP functions for such checks and can be (yeah, it's not that important, but might be useful for someone!) extended later on so that basic load queries could make use of it to determine the sanity of a variable before throwing it at the database, which might result in an error, often exposing the database behind the scenes (if you disagree, read more about SQL injection attack vectors). Also, advanced injection techniques are based on 'string' fields, and HTMLPurifier can be put to use for filtering text in such cases (but that can be done later).

If you have any ideas or suggestions related to this, you can share them now. It will help the progress and save time and energy for me (and of course others).

Regards,
Vaibhav

jmirancid
Joined: 04/04/2011

Hi Vaib,

To prevent such behavior I usually enable the mod_rewrite extension on Apache. Then I configure the rewrite rule to obfuscate the dynamic URLs in the .htaccess file, and for more security I configure a custom 404 page to show a friendly "not found" when someone tries to edit the URLs and access data that is not allowed.

Anyway, it would be great if your QSanity control could check the URLs in the tags, because when you use mod_rewrite you have to pay some extra attention to the href property of those tags.

Regards,
JMI

Joined: 10/11/2010

I too have mod_rewrite installed on my system, but I am not using it for now because I initially thought that it would not work with QLinkPaginator (although it does, and you get URLs like localhost/systems/systeminfo/12/?page=2). Still, if you take the URL I just mentioned, the "systeminfo/12/" part is usually what mod_rewrite would work upon and convert to something like systeminfo.php?systid=12. But that's not always the case. At times, mod_rewrite is not available (hosting environment restrictions) or its availability is uncertain. There may be cases where the mod_rewrite rules are not too good. In such cases a Sanity checker can be helpful.

Also, there are times when a user inputs data and you've got to run a query on that input. For example, a user is asked to enter some name in a search box and (assuming he is either making a mistake, or is a malicious one) he enters data which is going to be interpreted as 'binary' or 'unfit for the UTF-8 encoding' (or whatever the encoding of the DB is). Those are the cases where mod_rewrite is effectively useless. Binary data injection is rare but is one of the ways to perform attacks on DBs; combined with SQL injection, it's deadly.

The Sanity checker I am trying to make is not a 'URL' checker, but a simple class which does basic checks for any input received. For example, it will tell you whether the data received is of the correct type or not and is within the expected range. For example, if you are expecting to get an integer input between 0 and 1000 and the user starts playing and enters a negative value, you are at risk. More so, if he enters a 'string' in the box (with non-integer values) or enters 10000 by mistake, you might fall into problems depending on how your application is coded. There are a thousand options.

A simple class might help you check the 'type' of data received and that it is within the expected range. It might just evolve into some sort of 'purifier' as well, later on! Your opinions on this? Should I do it or should it be left out?
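As an added illustration of the checker sketched in the opening post (int, bool, array, float, string) and the range check discussed in the last reply, here is a hypothetical QSanity-style class built on PHP's own filter_var; it is example code, not the framework's own, and the class name, method names, the `systems` table and the `$pdo` connection are assumptions.

```php
<?php
// Hypothetical QSanity-style checker (added example, not the thread's code).
// Every check returns the cleaned value, or null when the input is not sane.
final class QSanity
{
    // Rejects "", "9ver", "9.0" and out-of-range values; accepts "9" or 9.
    public static function int($v, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
    {
        $r = filter_var($v, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $r === false ? null : $r;
    }
    public static function float($v): ?float
    {
        $r = filter_var($v, FILTER_VALIDATE_FLOAT);
        return $r === false ? null : $r;
    }
    // FILTER_NULL_ON_FAILURE keeps "0"/"false"/"off" distinct from garbage.
    public static function bool($v): ?bool
    {
        if ($v === null) return null;
        return filter_var($v, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    }
    // A real string, valid UTF-8 (no stray binary), not over-long (needs mbstring).
    public static function string($v, int $maxLen = 255): ?string
    {
        if (!is_string($v) || !mb_check_encoding($v, 'UTF-8')) return null;
        return mb_strlen($v, 'UTF-8') <= $maxLen ? $v : null;
    }
    // Every element must pass $each; one bad element rejects the whole array.
    public static function arrayOf($v, callable $each): ?array
    {
        if (!is_array($v)) return null;
        $out = [];
        foreach ($v as $k => $item) {
            if (($c = $each($item)) === null) return null;
            $out[$k] = $c;
        }
        return $out;
    }
}

// system.php?systid=...: stop before the query instead of letting PostgreSQL
// fail with "invalid input syntax for integer". $pdo is an assumed PDO handle.
$systid = QSanity::int($_GET['systid'] ?? null, 1, 1000);
if ($systid === null) { http_response_code(404); exit('Not found'); }
$stmt = $pdo->prepare('SELECT * FROM systems WHERE systid = :id');
$stmt->bindValue(':id', $systid, PDO::PARAM_INT);
$stmt->execute();
```

The checker only decides whether the value is fit to use; the prepared statement with a typed bind is what keeps even a sane-looking value from being spliced into the SQL as text.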