Slide 1

Filtering Tainted Data: ext/filter vs. Zend_Filter
Ben Ramsey
International PHP Conference
8 November 2006

Slide 2

Welcome
• BenRamsey.com
• I work for Art & Logic, Inc.
• PHP 5 Certification Study Guide author
• Organizer of Atlanta PHP user group

Slide 3

Overview
• Filtering Input
• Zend_Filter_Input
• ext/filter
• Filtering Tips

Slide 4

Filtering Input

Slide 5

Why Filter Input?
• Input comes from everywhere
• You cannot control the origin of input
• They’re sending all kinds of input
• Thus, you can’t trust the data
• You don’t want to accept bad or incorrect data

Slide 6

What Is Filtering?
• Data inspection process
• By which you validate input according to your data model
• You can choose to accept or reject the input if it doesn’t match your model

Slide 7

Where To Filter?
• Client-side?
  • All client-side filtering can be circumvented
• Server-side?
  • Best place to filter; not so user-friendly
• Both?
  • Client-side provides good user experience
  • Server-side ensures good data

Slide 8

Filtering Methodologies
• Blacklist filtering
• Whitelist filtering
• Sanitizing data

Slide 9

Blacklist Filtering
• Negative filtering
• “I know what data I don’t want to allow”
• Block input based on a list of unacceptable values
• Must continually add to this list as you discover new unacceptable values

Slide 10

Whitelist Filtering
• Positive filtering
• “I know what data I do want to allow”
• Accept input based on a list of acceptable values
• Benefit: you always know what you want to accept

Slide 11

Sanitizing
• Lenient “filtering”
• Two approaches:
  • Blacklist: “I’ll accept everything and strip out what I don’t want”
  • Whitelist: “I’ll accept everything and extract only what I do want”
• Though the input is sanitized, it may not be good data
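The three methodologies side by side, as an added PHP example that is not part of the slides: the same tainted values run through a blacklist sanitizer, a whitelist sanitizer and a whitelist filter built on ext/filter and core PHP, showing why a sanitized value is not necessarily good data. The age bounds and sample values are constructed.

```php
<?php
// Added example, not from the slides: the methodologies of slides 8-11
// applied to the same tainted "age" values. It illustrates slide 11's
// caveat: a sanitized value may look fine yet not be what the user entered.

// Blacklist sanitizer: accept everything, strip what I don't want (tags).
function blacklistSanitize($value)
{
    return strip_tags($value);
}

// Whitelist sanitizer: accept everything, extract only what I do want (digits).
function whitelistSanitize($value)
{
    return filter_var($value, FILTER_SANITIZE_NUMBER_INT);
}

// Whitelist filter: accept or reject against the data model; never "repair".
// Bounds 0..150 are an assumption for this example.
function whitelistValidate($value)
{
    return filter_var($value, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 0, 'max_range' => 150),
    ));
}

// Constructed tainted inputs, as they might arrive in $_POST['age'].
$samples = array('42', '<i>42</i>', '12abc34', '-5');

foreach ($samples as $tainted) {
    printf("%-12s blacklist=%-8s whitelist=%-6s validate=%s\n",
        $tainted,
        blacklistSanitize($tainted),  // '12abc34' passes untouched: letters were never on the list
        whitelistSanitize($tainted),  // '12abc34' becomes '1234', a plausible but invented age
        var_export(whitelistValidate($tainted), true)); // only '42' survives; the others are false
}
```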

Slide 12

Filtering Practices
• Opt-in filtering
• Opt-out filtering

Slide 13

Opt-In Filtering
• All input is unfiltered to begin with
• You choose when you want to filter data
• Nothing to stop you or your development team from using unfiltered data
• Typical approach is to filter input from $_GET and $_POST and store it back to these variables or a new variable

Slide 14

Opt-Out Filtering
• Everything is filtered by default
• No access to unfiltered data except by choice
• No accidental usage of $_GET, $_POST, etc.
• You must make a conscious decision to opt-out of the filtering and get raw data

Slide 15

Enforce Opt-out Filtering
• Ensures that you and your development team cannot accidentally access unfiltered input
• Must consciously decide to use raw data
• PHP does not do this by default, nor does Zend_Filter_Input or ext/filter
• I’ll show you how

Slide 16

Zend_Filter_Input

Slide 17

Zend_Filter_Input Philosophy
• Filter from the application level
• Opt-out filtering
• Not enforced by default
• Whitelist filtering
• Provides sanitizing methods, if desired

Slide 18

Quick Example

Slide 19

Set Up Opt-out Environment

Slide 20

Method Types
• no*() methods
  • Blacklist sanitizers
• get*() methods
  • Whitelist sanitizers
• test*() methods
  • Whitelist filters

Slide 21

no*() Methods
• noPath() — returns basename(value)
• noTags() — strips all tags from value

Slide 22

get*() Methods
• getAlnum() — returns only alphanumeric chars
• getAlpha() — returns only alphabetic chars
• getDigits() — returns only digits
• getDir() — returns dirname(value)
• getInt() — returns (int) value
• getPath() — returns realpath(value)
• getRaw() — returns original value (opt-out)

Slide 23

test*() Methods
• testAlnum()
• testAlpha()
• testBetween()
• testCcnum()
• testDate()
• testDigits()
• testEmail()

Slide 24

test*() Methods
• testFloat()
• testGreaterThan()
• testHex()
• testHostname()
• testInt()
• testIp()
• testLessThan()

Slide 25

test*() Methods
• testName()
• testOneOf()
• testPhone()
• testRegex()
• testZip()

Slide 26

Extended Example
• Typical form that asks for information
• Use Zend_Filter_Input to filter the values for the following types of data:
  • name == alphabetic string
  • age == integer with min and max
  • website == valid URL format
  • e-mail == valid e-mail format
  • color == one of red, blue, or green

Slide 27

form.html

Slide 28

FormController.php

Slide 29

ext/filter

Slide 30

ext/filter Philosophy
• Filter from the PHP level
• Opt-in filtering
• Does provide a default filter setting, though
• Whitelist and sanitizing filters

Slide 31

Quick Example

Slide 32

Configuration
• Two php.ini settings for ext/filter
  • filter.default = unsafe_raw
  • filter.default_flags =
• My personal wish: a third setting for enforcing an opt-out environment

Slide 33

Set Up Opt-out Environment
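One way to build the opt-out environment the earlier slides call for, as an added example rather than the code shown in the talk: the superglobal is copied into a wrapper and then emptied, so filtered access is the default and raw data needs an explicit call. The FilteredInput class and its method names are my own, built on ext/filter's filter_var(); the sample POST data is constructed.

```php
<?php
// Added example, not the talk's own code: an opt-out environment on
// top of ext/filter. The superglobal is copied in and then emptied,
// so the only way back to raw data is the explicit getRaw() call.
// FilteredInput and its method names are assumptions, not a real API.
final class FilteredInput
{
    private $source;
    private function __construct(array $source)
    {
        $this->source = $source;
    }

    // Take over a superglobal (by reference) and leave it empty.
    public static function capture(array &$superglobal)
    {
        $input = new self($superglobal);
        $superglobal = array();
        return $input;
    }

    // Default access is filtered: the escaping sanitizer of slide 39.
    public function get($name, $filter = FILTER_SANITIZE_SPECIAL_CHARS, $options = 0)
    {
        if (!array_key_exists($name, $this->source)) {
            return null;
        }
        return filter_var($this->source[$name], $filter, $options);
    }

    // Whitelist filter: the value on success, false on failure, null if missing.
    public function test($name, $filter, array $options = array())
    {
        return $this->get($name, $filter, array('options' => $options));
    }

    // The conscious opt-out: the unfiltered value.
    public function getRaw($name)
    {
        return isset($this->source[$name]) ? $this->source[$name] : null;
    }
}

// Constructed stand-in for a real POST so this runs from the CLI.
$_POST = array('age' => '42', 'comment' => '<b>hi</b> & bye');
$post  = FilteredInput::capture($_POST);
var_dump(count($_POST));            // int(0): nothing left to use by accident
var_dump($post->test('age', FILTER_VALIDATE_INT, array('min_range' => 1, 'max_range' => 120))); // int(42)
var_dump($post->get('comment'));    // "&#60;b&#62;hi&#60;/b&#62; &#38; bye"
var_dump($post->getRaw('comment')); // "<b>hi</b> & bye"
```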

Slide 34

Functions Available
• filter_input()
• filter_input_array()
• filter_var()
• filter_var_array()
• filter_has_var()
• filter_list(), filter_id()

Slide 35

filter_input()
• Basic usage:
  • filter_input(type, name, [filter, [options]])
• Type == Location of input
• Name == Name of input variable to get
• Filter == Filter to apply
• Options == Associative array of options

Slide 36

Types
• INPUT_GET
• INPUT_POST
• INPUT_COOKIE
• INPUT_SERVER
• INPUT_ENV
• INPUT_SESSION (not yet implemented)
• INPUT_REQUEST (not yet implemented)

Slide 37

Whitelist Filters
• FILTER_VALIDATE_INT
• FILTER_VALIDATE_BOOLEAN
• FILTER_VALIDATE_FLOAT
• FILTER_VALIDATE_REGEXP
• FILTER_VALIDATE_URL
• FILTER_VALIDATE_EMAIL
• FILTER_VALIDATE_IP

Slide 38

Whitelist Sanitizers
• FILTER_SANITIZE_STRING
• FILTER_SANITIZE_STRIPPED
• FILTER_SANITIZE_EMAIL
• FILTER_SANITIZE_URL
• FILTER_SANITIZE_NUMBER_INT
• FILTER_SANITIZE_NUMBER_FLOAT

Slide 39

Escaping Sanitizers
• FILTER_SANITIZE_ENCODED
• FILTER_SANITIZE_SPECIAL_CHARS
• FILTER_SANITIZE_MAGIC_QUOTES

Slide 40

Opting Out
• FILTER_UNSAFE_RAW
• FILTER_CALLBACK

Slide 41

Extended Example
• Same form as earlier
• Use ext/filter to filter the values for the same type of data as used earlier:
  • name == alphabetic string
  • age == integer with min and max
  • website == valid URL format
  • e-mail == valid e-mail format
  • color == one of red, blue, or green

Slide 42

form.html

Slide 43

process.php

Slide 44

process.php

Slide 45

process.php
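The five fields of the extended example as one ext/filter definition, added here because the process.php listing is not reproduced on this page; it is not the author's code. The form field names (name, age, website, email, color) and the 18..120 age bounds are assumptions, and filter_var_array() over constructed arrays stands in for filter_input_array(INPUT_POST, ...) so it runs offline.

```php
<?php
// Added example, not the author's process.php: slide 41's five fields
// as one ext/filter definition. In a real request pass $definition to
// filter_input_array(INPUT_POST, $definition); filter_var_array() over
// constructed arrays keeps this runnable offline. Field names and the
// 18..120 age bounds are assumptions.
$definition = array(
    // name == alphabetic string (ext/filter has no alpha filter, so a regexp whitelist)
    'name'    => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => array('regexp' => '/^[A-Za-z]+$/'),
    ),
    // age == integer with min and max
    'age'     => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 18, 'max_range' => 120),
    ),
    // website == valid URL format
    'website' => FILTER_VALIDATE_URL,
    // e-mail == valid e-mail format
    'email'   => FILTER_VALIDATE_EMAIL,
    // color == one of red, blue, or green (whitelist of allowed values)
    'color'   => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => array('regexp' => '/^(red|blue|green)$/'),
    ),
);

// Names of fields that failed validation (false) or were missing (null).
function invalidFields(array $input, array $definition)
{
    $filtered = filter_var_array($input, $definition);
    $bad = array();
    foreach (array_keys($definition) as $field) {
        if ($filtered[$field] === false || $filtered[$field] === null) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Constructed submissions: one good, one with several bad values.
$good = array('name' => 'Ben',  'age' => '30', 'website' => 'http://benramsey.com/',
              'email' => 'ben@example.com', 'color' => 'blue');
$bad  = array('name' => 'Ben2', 'age' => '17', 'website' => 'not a url',
              'email' => 'ben@example.com', 'color' => 'purple');
print_r(invalidFields($good, $definition)); // Array ( )
print_r(invalidFields($bad,  $definition)); // name, age, website, color
```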

Slide 46

Filtering Tips
• Use a whitelist approach
• Force the use of your filter (don’t directly use $_GET, $_POST, $_COOKIE, etc.)
• Implement an opt-out strategy
• Set register_long_arrays = Off in php.ini

Slide 47

Summary
• Zend_Filter_Input provides an OO interface and many built-in methods for all types of data
• ext/filter requires more thought and planning, but provides filtering directly in the PHP engine
• Both still need some improvement

Slide 48

Slides & Further Reading
http://benramsey.com/archives/ipc06-slides/
And on the Conference CD-ROM