[NBLUG/talk] PHP help...

Todd Cary todd at aristesoftware.com
Mon Apr 24 23:11:23 PDT 2006


Chris -

Thank you for the suggestions, especially about checking the input.  
Some years ago when I was taking a graduate course in CS, the instructor 
said that 80% of code is written to eliminate or prevent data errors.

Todd

Chris Palmer wrote:
> Todd Cary writes:
>
>> Though I have been creating php programs for several years (some high
>> profile), I am quite sure my programming style could be greatly
>> improved.  Are there any resources in the North Bay where one could
>> get some hands on help?
>
> Style is important, but not as important as substance.  :)  The biggest
> problem I see with PHP programs is a lack of input and output
> validation, leading to SQL injection, shell injection, filesystem
> traversal, cross-site scripting and other security, correctness and
> reliability bugs.
>
> For every single input to your program (every single query parameter,
> both POST and GET), you need to define a function that checks the
> validity of the input datum.  Sometimes you can repair a malformed input
> (e.g. eliminating spaces in an otherwise correct credit card number),
> but usually you should simply raise an exception and refuse to continue
> processing.  For example, if $user_id is supposed to be a decimal number
> between 0 and 65,535, don't try to continue if you get "bob" or
> "0xDEADBEEF".
>
> To make this validation as easy as possible, it's necessary to have all
> validation functions in one module, and to call them all on all the
> input in one place.  On my personal blog I wrote a note about one way to
> do this in Python, but adapting the technique to PHP is trivial.  You
> might not be able to subclass PHP's array type as I do for Python's
> dictionary type, but you'll get the point:
>
> http://www.noncombatant.org/nb.cgi/view/blog/2006/03/18/1
>
>
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk

-- 
Ariste Software
2200 D Street Ext
Petaluma, CA 94952
(707) 773-4523
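The scheme Chris describes above (one validator per input, all of them kept in one module and run in one place, refusing to continue on bad input) written out as an added PHP example. This is not code from the thread or from the linked blog post; the parameter names, the 0..65535 range, the username rule and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread: one validation module, called once on all input.
declare(strict_types=1);

final class InvalidInput extends InvalidArgumentException {}

// Each validator takes the raw request string and either returns the cleaned,
// typed value or throws. No validator ever returns a "best guess".
function validate_user_id(string $raw): int
{
    // Decimal digits only. This rejects "bob", "0xDEADBEEF", "-1", " 12" and "1e3".
    // (Deliberately not is_numeric(): before PHP 7 it accepted hex strings.)
    if (!preg_match('/\A[0-9]{1,5}\z/', $raw)) {
        throw new InvalidInput("user_id: not a decimal number");
    }
    $n = (int) $raw;
    if ($n > 65535) {
        throw new InvalidInput("user_id: out of range 0..65535");
    }
    return $n;
}

function validate_card_number(string $raw): string
{
    // The one repair case: drop spaces and hyphens typed into an otherwise valid number.
    $digits = str_replace([' ', '-'], '', $raw);
    if (!preg_match('/\A[0-9]{13,19}\z/', $digits)) {
        throw new InvalidInput("card_number: must be 13-19 digits");
    }
    // Luhn checksum, processed right to left, doubling every second digit.
    $sum = 0;
    $len = strlen($digits);
    for ($i = 0; $i < $len; $i++) {
        $d = (int) $digits[$len - 1 - $i];
        if ($i % 2 === 1) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
    }
    if ($sum % 10 !== 0) {
        throw new InvalidInput("card_number: failed checksum");
    }
    return $digits;
}

function validate_username(string $raw): string
{
    // Assumed site rule: 3-32 chars, lowercase letter first, then letters/digits/underscore.
    if (!preg_match('/\A[a-z][a-z0-9_]{2,31}\z/', $raw)) {
        throw new InvalidInput("username: 3-32 chars, lowercase letters, digits, underscore");
    }
    return $raw;
}

// The single table of expected parameters and their validators. Anything in the
// request that is not listed here is dropped rather than passed through.
const VALIDATORS = [
    'user_id'     => 'validate_user_id',
    'card_number' => 'validate_card_number',
    'username'    => 'validate_username',
];

// The one place where all input is checked; handlers only ever see the returned array.
function validate_request(array $params): array
{
    $clean = [];
    foreach (VALIDATORS as $name => $fn) {
        if (!array_key_exists($name, $params)) {
            throw new InvalidInput("$name: missing");
        }
        if (!is_string($params[$name])) {
            // PHP turns user_id[]=1 into an array; refuse it instead of letting it flow onward.
            throw new InvalidInput("$name: expected a scalar");
        }
        $clean[$name] = $fn($params[$name]);
    }
    return $clean;
}

// Constructed sample requests standing in for $_GET + $_POST; the card number is a
// standard Luhn-valid test number, not a real account.
$requests = [
    ['user_id' => '4242',       'card_number' => '4539 1488 0343 6467', 'username' => 'todd_c'],
    ['user_id' => 'bob',        'card_number' => '4539 1488 0343 6467', 'username' => 'todd_c'],
    ['user_id' => '0xDEADBEEF', 'card_number' => '4539 1488 0343 6467', 'username' => 'todd_c'],
    ['user_id' => '70000',      'card_number' => '4539 1488 0343 6467', 'username' => 'todd_c'],
    ['user_id' => ['1'],        'card_number' => '4539 1488 0343 6467', 'username' => 'todd_c'],
];

foreach ($requests as $r) {
    try {
        $clean = validate_request($r);
        echo "ok: ", json_encode($clean), "\n";
    } catch (InvalidInput $e) {
        // Refuse to continue. A real handler would send a 400 here and stop.
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

Only the first request gets through; the other four are rejected before any database or shell code runs. The validators return typed values (an int for user_id, a digits-only string for the card number), so code after validate_request() can use them in a prepared statement or a format string without re-checking, and a new parameter cannot be read anywhere in the application without first being added to VALIDATORS.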

