Is there a PHP POST that is Universal for grabbing all POSTs?

Hi,

For security reasons we want to grab all the POST values and run them through a Universal Check before processing the POST. Is there such a Universal way of getting all POST values?

For example, say we have: `$_POST['fb1']`, `$_POST['bf2']`, `$_POST['cc3']` and so on.

Is there PHP code which basically would work like:

```php
if (isset($_POST[*])) {
    for ($i = 0; $i < count($_POST[*]); ++$i) {
        $x1 = $_POST[$i];
        check($x1);
    }
}
```

So this way we can check all `$_POST['xyz']` values against a Set of Security checks before considering this POST a valid POST.

Thanks,
Dean

Are you looking for a foreach loop?

```php
if (!empty($_POST)) {
    // $_POST is an ordinary associative array: field name => submitted value
    foreach ($_POST as $key => $value) {
        check($value);
    }
}
```

As megazoid implies in his post, superglobal arrays like $_POST can be used like any other array: they can be iterated over and they can be modified (though modifying them is considered bad form).

Meg,

So does the above code allow us to look inside every POST?
FYI, the reason we want to do this is to make sure a POST does not contain a Hack or MySQL injection in it.
As the ultimate Security check.
So if we see something like `$_POST['x']` containing "SELECT passwrd FROM..." then we would know this is a Bad person and block their access.

Yes, it does; however, you need to remember that in megazoid's foreach loop the $value may not be a string - it can also be an array with other values. It is possible for POST to contain a multidimensional array of values many levels deep, so you need to handle that in your code. Some ideas:

  1. Make a recursive function to iterate through POST elements.
  2. Flatten the array to a string (search for ‘flatten multidimensional array php’ will give you plenty of examples)
  3. (easiest) Read raw POST data, which you can directly check for suspicious strings and you don’t have to use $_POST at all:

```php
urldecode(file_get_contents('php://input'));
```
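As an added example (not code from the thread), here is option 1 from the list above worked through: a recursive walk over a nested `$_POST`-shaped array that hands every leaf value, together with its full key path, to a callback. The sample array, the `walkPost` and `looksLikeSqlFragment` names, and the logging-only heuristic are all assumptions made for the example; in a web request you would pass `$_POST` itself.

```php
<?php
declare(strict_types=1);

// Added example: recursively visit every scalar leaf of a nested form array.
// $visit receives (string $path, string $value) and returns true to flag it.
// Returns the list of flagged key paths, e.g. "order[items][1][note]".
function walkPost(array $data, callable $visit, string $prefix = ''): array
{
    $flagged = [];
    foreach ($data as $key => $value) {
        // Build the same path syntax PHP uses for nested form fields.
        $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $flagged = array_merge($flagged, walkPost($value, $visit, $path));
        } elseif ($visit($path, (string) $value)) {
            $flagged[] = $path;
        }
    }
    return $flagged;
}

// Logging-only heuristic (assumption for this example): record values that
// look like SQL fragments so they can be reviewed later. It is NOT a security
// control and nothing should be blocked on the strength of it.
function looksLikeSqlFragment(string $path, string $value): bool
{
    return (bool) preg_match(
        '/\b(select|union|insert|drop)\b.*\b(from|into|table)\b/i',
        $value
    );
}

// Constructed stand-in for $_POST (use $_POST itself inside a request).
$sample = [
    'fb1'   => 'Dean',
    'bf2'   => 'SELECT passwrd FROM users -- ',
    'order' => [
        'items' => [
            ['sku' => 'A-1', 'note' => 'plain text'],
            ['sku' => 'B-2', 'note' => 'union select * from secrets'],
        ],
    ],
];

$hits = walkPost($sample, 'looksLikeSqlFragment');
foreach ($hits as $path) {
    // Goes to the web server's error log; nothing is shown to the client.
    error_log('suspicious POST value at ' . $path);
}
print_r($hits);
```

The walk finds the two SQL-looking values (`bf2` and `order[items][1][note]`) even though one is nested three levels down, which the flat foreach in the earlier answer would have passed straight into `check()` as an array. Note that option 3 (reading `php://input`) only gives you URL-encoded text for `application/x-www-form-urlencoded` requests; a JSON or multipart body needs its own parsing before any pattern check.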

To be honest, this isn’t how you should handle this kind of security. Even something as simple as a single quote, which we use all the time in ordinary text, can mess with your SQL. Your ultimate check will almost certainly turn out to be not so ultimate. Plus, there are many more kinds of injection to think about. What if you need to use a user value in an email header? Or a system command? Or in HTML? Realistically, there’s no such thing as “the ultimate security check”. The better solution is to escape special characters. So if you’re outputting to HTML, then you escape characters special to HTML. If you’re forming a system command, then you escape shell characters. Email, escape MIME characters. And likewise for SQL, simply escape characters that are special to SQL (or in this special case, use a prepared statement).
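To make the per-context point above concrete, here is an added example (not code from the thread) that takes one untrusted string and carries it into four different sinks, applying the escaping each sink understands, with SQL handled by a prepared statement rather than escaping. The `$untrusted` value, the function names and the in-memory SQLite table are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed untrusted input; in a real request it would come from $_POST.
$untrusted = "O'Brien <script>alert(1)</script> ; rm -rf /";

// 1. HTML context: entity-encode, including quotes, so the value is text, not markup.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Shell context: quote the whole value as a single argument.
function forShell(string $s): string
{
    return 'grep -i ' . escapeshellarg($s) . ' access.log';
}

// 3. Mail header context: a CR or LF lets the sender append extra headers,
//    so the only safe action is to refuse the value outright.
function forMailHeader(string $s): string
{
    if (preg_match('/[\r\n]/', $s)) {
        throw new InvalidArgumentException('newline in mail header value');
    }
    return $s;
}

// 4. SQL context: no escaping at all; bind the value with a prepared statement.
function findUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien')");

echo forHtml($untrusted), PHP_EOL;
echo forShell($untrusted), PHP_EOL;
echo forMailHeader('Dean <dean@example.com>'), PHP_EOL;

// The apostrophe is data, not SQL syntax, so the lookup is exact...
print_r(findUser($db, "O'Brien"));
// ...and a classic injection string simply matches no row.
print_r(findUser($db, "O'Brien' OR '1'='1"));
```

The same single quote that would break a string-concatenated query is harmless here because the parameter never becomes part of the SQL text; the HTML and shell functions likewise neutralise the characters special to their own context and nothing else, which is why one "universal" check cannot stand in for them.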

Why is everyone so concerned about injection attacks? There are hundreds of other types of attack that can be caused by invalid data, even where that data would not cause any injection issues for any of the thousands of different places the data could be used (each of which would require different escaping if the data can be jumbled with code).

If the data is being entered by the user then you should validate each $_POST field to ensure that garbage hasn't been entered before passing the values any further into the code. Suppose you ask for someone's age and they type in "twenty" instead of 20 - you can't rely on even legitimate users not entering something that could crash your script if you don't validate what they enter.

You two sounded like the start of an article on PHP security. LOL! And then I thought, maybe there are already some written. Lo and behold.

Scott

Very good points about security in the posts above. But still, what the OP wants to do is not entirely without merit. For example, it might be useful to scan POST data to gather data and statistics about attempts to break into the system. It's interesting to see server logs, especially on busy sites, with all kinds of POST requests at different URLs trying to find a hole, most often hoping to find an installation of a popular framework and target its security hole - this happens very often nowadays. So if he scans POST data just to gather information and not as a means of security, then it's perfectly fine.


I have to read these pages closely before I can comment on whether they already address what we want to do.
But thanks.

LJ, yes, to start with we want to look at POST data that the code will flag as being suspicious, so that we can look at them and see if there is any Pattern that we can for sure Code against.
But the more we look into this idea, the more complicated it seems to be becoming.
However, the overall idea as a Security measure is valid.
I just wonder how many Sites, and whether Big sites, do already do this and what kind of results they got for it?

Is this because you are trying to “blacklist” problems instead of “whitelisting” acceptable values?
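As an added example that is not from the thread, here is what the whitelisting asked about above looks like in practice, applied to felgall's point about validating each field (the "twenty" age case included): every expected field gets a positive definition of what is acceptable, anything not in the definition is dropped, and anything that fails is reported rather than "cleaned". The field set, the `validateSignup` name and the two sample inputs are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Whitelist validation of a form submission with filter_var_array().
// Returns ['values' => <clean fields or []>, 'errors' => <field => reason>].
function validateSignup(array $input): array
{
    // Positive definition of every field we accept; nothing else survives.
    $definition = [
        'age' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 13, 'max_range' => 120],
        ],
        'email' => FILTER_VALIDATE_EMAIL,
        'username' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[a-z0-9_]{3,20}$/i'],
        ],
    ];

    // add_empty = false: fields missing from $input are absent, not null.
    // Fields present in $input but not in $definition are discarded.
    $clean = filter_var_array($input, $definition, false);

    $errors = [];
    foreach (array_keys($definition) as $field) {
        if (!array_key_exists($field, $clean)) {
            $errors[$field] = 'missing';
        } elseif ($clean[$field] === false) {
            // filter_var_array() returns false for a value that fails its filter.
            $errors[$field] = 'invalid';
        }
    }

    return ['values' => $errors ? [] : $clean, 'errors' => $errors];
}

// Constructed stand-ins for $_POST.
$good = [
    'age'      => '20',
    'email'    => 'dean@example.com',
    'username' => 'dean_77',
    'extra'    => 'not in the whitelist, silently dropped',
];
$bad = [
    'age'      => 'twenty',
    'email'    => 'not-an-email',
    'username' => "dean'; DROP TABLE users; --",
];

print_r(validateSignup($good)); // values: age => 20 (int), email, username; no errors
print_r(validateSignup($bad));  // errors: age, email, username => 'invalid'
```

Nothing here tries to recognise an attack: the injection-looking username fails for the same reason "twenty" fails as an age, because it does not match the shape the field is allowed to have. That is the difference between blacklisting problems and whitelisting acceptable values, and it is also why the validated `age` comes back as an integer the rest of the code can rely on.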
