[NBLUG/talk] PHP help...

Chris Palmer chris at eff.org
Mon Apr 24 09:42:26 PDT 2006


Todd Cary writes:

> Though I have been creating php programs for several years (some high
> profile), I am quite sure my programming style could be greatly
> improved.  Are there any resources in the North Bay where one could
> get some hands on help?

Style is important, but not as important as substance.  :)  The biggest
problem I see with PHP programs is a lack of input and output
validation, leading to SQL injection, shell injection, filesystem
traversal, cross-site scripting and other security, correctness and
reliability bugs.

For every single input to your program (every single query parameter,
both POST and GET), you need to define a function that checks the
validity of the input datum.  Sometimes you can repair a malformed input
(e.g. eliminating spaces in an otherwise correct credit card number),
but usually you should simply raise an exception and refuse to continue
processing.  For example, if $user_id is supposed to be a decimal number
between 0 and 65,535, don't try to continue if you get "bob" or
"0xDEADBEEF".

To make this validation as easy as possible, it's necessary to have all
validation functions in one module, and to call them all on all the
input in one place.  On my personal blog I wrote a note about one way to
do this in Python, but adapting the technique to PHP is trivial.  You
might not be able to subclass PHP's array type as I do for Python's
dictionary type, but you'll get the point:

http://www.noncombatant.org/nb.cgi/view/blog/2006/03/18/1


-- 
http://www.eff.org/about/staff/#chris_palmer
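The approach described in the message above, worked through as an added Python example (this is not the code from the author's blog post): one validator per input parameter, all kept in one module, applied in one place by a dict subclass that refuses to hold anything unvalidated. The parameter names user_id and cc, the 13-19 digit card length, and treating every declared parameter as required are assumptions.

```python
"""Centralised input validation: one validator per accepted parameter,
all applied in one place before any request processing begins."""
import re


class InvalidInput(ValueError):
    """Raised for a missing or malformed parameter; processing must stop."""


def user_id(raw):
    """Decimal integer in 0..65535, as the message requires.

    A regex is used instead of int(): int() would also accept " 42 ",
    "+42" and "1_0", so it is not a strict enough check on its own.
    "bob" and "0xDEADBEEF" are rejected here rather than repaired.
    """
    if not re.fullmatch(r"[0-9]{1,5}", raw):
        raise InvalidInput("user_id must be a decimal number")
    value = int(raw)
    if value > 65535:
        raise InvalidInput("user_id out of range")
    return value


def credit_card(raw):
    """Repair the one benign malformation (spaces), then validate strictly."""
    digits = raw.replace(" ", "")
    if not re.fullmatch(r"[0-9]{13,19}", digits):  # assumed length range
        raise InvalidInput("credit card number must be 13-19 digits")
    return digits


# The single table of validators: every accepted parameter appears here.
VALIDATORS = {"user_id": user_id, "cc": credit_card}


class ValidatedRequest(dict):
    """Holds only validated values; unknown or missing keys are an error."""

    def __init__(self, params):
        super().__init__()
        unexpected = sorted(set(params) - set(VALIDATORS))
        if unexpected:
            raise InvalidInput("unexpected parameter(s): %s" % unexpected)
        for name, check in VALIDATORS.items():
            if name not in params:
                raise InvalidInput("missing parameter: %s" % name)
            self[name] = check(params[name])  # raises on any malformed value


def is_rejected(check, raw):
    """True if the validator refuses `raw` (handy for spot-checking rules)."""
    try:
        check(raw)
    except InvalidInput:
        return True
    return False
```

Because ValidatedRequest raises on the first bad parameter, code further down can index it without re-checking; the only way to get a value out of it is to have passed its validator.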
