Hi,

I am making a CMS which can be extended by third-party developers. In the past I have had problems with newbie developers ignoring security altogether. When they put their modules on my website, they are potentially compromising users' websites.

I want to create a globals object. This will overwrite all globals with a sanitized copy. This could cause issues, so this object will also provide an option to get unsanitized data.

This way, by default, developers could theoretically do something like this and its effect wouldn't be as bad as it usually would be. (Obviously this would still potentially cause problems; however, tables won't be dropped and data won't be exposed.)

mysql_query("INSERT INTO users (`name`) VALUES ('{$_POST['name']}')");

This doesn't protect against developers who intentionally try to break things. However, it will help eliminate basic mistakes.

The end object would be accessed as follows.

$_POST['key']; // Provides Sanitized version of the post key.
$obj->post('key'); // Provides Sanitized version of the post key.
$obj->post_raw('key'); // Provide unsanitized version of the post key.

What do people think about this approach? Is there a proven 'escape all' function floating around that would achieve this?

A: 

You're basically talking about reimplementing magic_quotes_gpc. It didn't go that well when Zend did it.

The largest problems are 1) different forms of data protection are necessary for different contexts, and 2) if somebody is too much of a noob to do elementary data security, they're definitely too much of a noob to understand what data your auto-protection mechanism has been applied to and which it hasn't. (They will source data from places your mechanism does not and cannot touch; take this as a given.)

chaos
Magic Quotes are *not* an all-round solution! In fact, they rather imply false security.
Gumbo
Quite so. Magic quotes are possibly the greatest fail in PHP, which is saying a lot.
chaos
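The following is an added example, not code from the question or from any answer. It shows one way to build the wrapper the question describes while respecting the point made above: instead of one "sanitized" copy of $_POST, the wrapper exposes a separate accessor per output context (integer, HTML body, URL, and raw), and the SQL context gets no escaping method at all because values reach the database only as bound parameters of a prepared statement. The class name Input, its methods, the sample request array and the SQLite DSN are all invented for this illustration; it assumes PHP 8 with pdo_sqlite available.

```php
<?php
// Added example (not from the question or any answer): a request wrapper that
// exposes data through context-specific accessors rather than a single
// "sanitized" copy. Names here are invented for the illustration.

final class Input
{
    /** @var array<string,mixed> */
    private array $data;

    public function __construct(array $data)
    {
        $this->data = $data;
    }

    // Unfiltered value, for the rare case where a developer really needs it.
    public function raw(string $key, ?string $default = null): ?string
    {
        return isset($this->data[$key]) ? (string) $this->data[$key] : $default;
    }

    // Integer context: validate and coerce, or fall back. No escaping involved.
    public function int(string $key, ?int $default = null): ?int
    {
        $value = filter_var($this->raw($key), FILTER_VALIDATE_INT);
        return $value === false ? $default : $value;
    }

    // HTML body context: escape for insertion into a page.
    public function html(string $key): string
    {
        return htmlspecialchars($this->raw($key, ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // URL query context: percent-encode for use inside a link.
    public function url(string $key): string
    {
        return rawurlencode($this->raw($key, ''));
    }

    // SQL context: deliberately no sql() method. Values go to the database
    // only as bound parameters of a prepared statement (see below).
}

// Constructed sample request standing in for $_POST.
$post = new Input([
    'name' => "O'Brien <b>bold</b>",
    'age'  => '42abc',
    'page' => '3',
]);

// The same 'name' field, escaped differently for two output contexts.
$forHtml = $post->html('name');
$forUrl  = $post->url('name');

// Integer fields: '42abc' is rejected and the default is used; '3' passes.
$age  = $post->int('age', 0);
$page = $post->int('page', 1);

// SQL context: bind, never interpolate. The in-memory SQLite database and the
// users table exist only so that this example runs on its own.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT NOT NULL, age INTEGER)');

$stmt = $pdo->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
$stmt->execute([
    ':name' => $post->raw('name'), // raw is correct here: the driver handles quoting
    ':age'  => $age,
]);

$count = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "rows inserted: {$count}\n";
```

The design choice worth noting is that raw() is the right accessor for the SQL insert: a wrapper that pre-escaped every value for SQL would double-escape data passed through a prepared statement and would still leave the HTML and URL contexts unprotected, which is the context mismatch the answer above describes.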
A: 

No, it's really difficult to have a generic sanitizing function. It's always use-specific. And let me thus recommend something else:

http://sourceforge.net/p/php7framework/wiki/input/

It basically overwrites the superglobals $_GET, $_POST with objects. This prevents raw access, and you get either notices or log errors if no appropriate filter is used. You still have to think about which filter to use, but at least this method can be used to coerce co-developers on spending a few seconds to give it a thought. Also it's really easy to apply:

 $_GET->text["comment"]

 mysql_query("SELECT '{$_REQUEST->sql['field']}'");

 $_POST->nocontrol->utf7->xss->text["text"];

It's also possible to predefine filter lists for specific input variable names, or to set a filter for all old array accesses with $_POST->xss->nocontrol->always(). It needs some getting used to, but it's really the simplest API possible and meant just for cases like you describe.

mario
A: 

You may want to check out http://code.google.com/p/inspekt/ , which pretty much already does what you describe.

MPD
A: 

Security is a very complicated and delicate subject IMHO.

I'm not sure if you should even allow unsafe access to data. I'd make access only to sanitized contents, and also enforce use of prepared statements.

Dave
A: 

I'd much rather go through the pain of evaluating submitted components and setting up some kind of security feed as Wordpress has it. Otherwise you just bloat and slow down your system.

tharkun