Filtering Tainted Data: ext/filter vs. Zend_Filter (IPC 2006)

All input should be considered tainted. The question is: how do we filter it to ensure that the input received is the input expected? This talk will examine the PECL Input Filter extension and the Zend_InputFilter class from the Zend Framework, comparing and contrasting their approaches to filtering input. We'll consider examples of both techniques and see how they work to ensure that the data we receive is safe to use.

Ben Ramsey

November 08, 2006
Transcript

  1. Filtering Tainted Data: ext/filter vs. Zend_Filter
    Ben Ramsey
    International PHP Conference
    8 November 2006

  2. Welcome
    • BenRamsey.com
    • I work for Art & Logic, Inc.
    • PHP 5 Certification Study Guide author
    • Organizer of Atlanta PHP user group

  3. Overview
    • Filtering Input
    • Zend_Filter_Input
    • ext/filter
    • Filtering Tips

  4. Filtering Input

  5. Why Filter Input?
    • Input comes from everywhere
    • You cannot control the origin of input
    • They’re sending all kinds of input
    • Thus, you can’t trust the data
    • You don’t want to accept bad or incorrect data

  6. What Is Filtering?
    • Data inspection process
    • By which you validate input according to your data model
    • You can choose to accept or reject the input if it doesn’t match your model

  7. Where To Filter?
    • Client-side?
      • All client-side filtering can be circumvented
    • Server-side?
      • Best place to filter; not so user-friendly
    • Both?
      • Client-side provides good user experience
      • Server-side ensures good data

  8. Filtering Methodologies
    • Blacklist filtering
    • Whitelist filtering
    • Sanitizing data

  9. Blacklist Filtering
    • Negative filtering
    • “I know what data I don’t want to allow”
    • Block input based on a list of unacceptable values
    • Must continually add to this list as you discover new unacceptable values

  10. Whitelist Filtering
    • Positive filtering
    • “I know what data I do want to allow”
    • Accept input based on a list of acceptable values
    • Benefit: you always know what you want to accept

  11. Sanitizing
    • Lenient “filtering”
    • Two approaches:
      • Blacklist: “I’ll accept everything and strip out what I don’t want”
      • Whitelist: “I’ll accept everything and extract only what I do want”
    • Though the input is sanitized, it may not be good data

  12. Filtering Practices
    • Opt-in filtering
    • Opt-out filtering

  13. Opt-In Filtering
    • All input is unfiltered to begin with
    • You choose when you want to filter data
    • Nothing to stop you or your development team from using unfiltered data
    • Typical approach is to filter input from $_GET and $_POST and store it back to these variables or a new variable

  14. Opt-Out Filtering
    • Everything is filtered by default
    • No access to unfiltered data except by choice
    • No accidental usage of $_GET, $_POST, etc.
    • You must make a conscious decision to opt-out of the filtering and get raw data

  15. Enforce Opt-out Filtering
    • Ensures that you and your development team cannot accidentally access unfiltered input
    • Must consciously decide to use raw data
    • PHP does not do this by default, nor does Zend_Filter_Input or ext/filter
    • I’ll show you how

  16. Zend_Filter_Input

  17. Zend_Filter_Input Philosophy
    • Filter from the application level
    • Opt-out filtering
      • Not enforced by default
    • Whitelist filtering
    • Provides sanitizing methods, if desired

  18. Quick Example

  19. Set Up Opt-out Environment
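
The code on this slide was not captured in the transcript. The following is an added example, my own code rather than the slide's or Zend_Filter_Input's, of one way to set up the enforced opt-out environment the earlier slides call for: the wrapper empties the superglobal it is given, so raw data is reachable only through an explicit getRaw() call. The method names borrow the deck's no*/get*/test* naming; the class and its implementation are assumptions of this example.

```php
<?php
// Added example, not the slide's own code: a minimal enforced opt-out
// wrapper in the spirit of Zend_Filter_Input. It takes ownership of a
// request array and empties the superglobal, so the only route to raw
// data is an explicit getRaw() call. The implementation is my own.
class OptOutInput
{
    private array $source;
    // $source is taken by reference so the caller's $_POST is emptied.
    public function __construct(array &$source)
    {
        $this->source = $source;
        $source = [];   // nothing left to use by accident
    }

    private function has(string $key): bool
    {
        return isset($this->source[$key]) && is_string($this->source[$key]);
    }

    // Whitelist sanitizer: keep only alphanumeric characters.
    public function getAlnum(string $key): ?string
    {
        return $this->has($key)
            ? preg_replace('/[^A-Za-z0-9]/', '', $this->source[$key])
            : null;
    }

    // Whitelist filter: the value only if it is an integer within bounds.
    public function testInt(string $key, int $min, int $max): ?int
    {
        if (!$this->has($key)) {
            return null;
        }
        $v = filter_var($this->source[$key], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $v === false ? null : $v;
    }

    // The one deliberate opt-out: unfiltered data, requested by name.
    public function getRaw(string $key): ?string
    {
        return $this->has($key) ? $this->source[$key] : null;
    }
}
// Constructed request for the demo; a real app passes the live $_POST.
$_POST = ['user' => 'ben<script>', 'age' => '31'];
$input = new OptOutInput($_POST);
var_dump(count($_POST), $input->getAlnum('user'), $input->testInt('age', 1, 120));
```

After construction $_POST is empty, so code that forgets to go through the wrapper gets nothing rather than tainted data.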

  20. Method Types
    • no*() methods
      • Blacklist sanitizers
    • get*() methods
      • Whitelist sanitizers
    • test*() methods
      • Whitelist filters

  21. no*() Methods
    • noPath() — returns basename(value)
    • noTags() — strips all tags from value

  22. get*() Methods
    • getAlnum() — returns only alphanumeric chars
    • getAlpha() — returns only alphabetic chars
    • getDigits() — returns only digits
    • getDir() — returns dirname(value)
    • getInt() — returns (int) value
    • getPath() — returns realpath(value)
    • getRaw() — returns original value (opt-out)

  23. test*() Methods
    • testAlnum()
    • testAlpha()
    • testBetween()
    • testCcnum()
    • testDate()
    • testDigits()
    • testEmail()

  24. test*() Methods
    • testFloat()
    • testGreaterThan()
    • testHex()
    • testHostname()
    • testInt()
    • testIp()
    • testLessThan()

  25. test*() Methods
    • testName()
    • testOneOf()
    • testPhone()
    • testRegex()
    • testZip()

  26. Extended Example
    • Typical form that asks for information
    • Use Zend_Filter_Input to filter the values for the following types of data:
      • name == alphabetic string
      • age == integer with min and max
      • website == valid URL format
      • e-mail == valid e-mail format
      • color == one of red, blue, or green

  27. form.html

  28. FormController.php

  29. ext/filter

  30. ext/filter Philosophy
    • Filter from the PHP level
    • Opt-in filtering
      • Does provide a default filter setting, though
    • Whitelist and sanitizing filters

  31. Quick Example

  32. Configuration
    • Two php.ini settings for ext/filter
      • filter.default = unsafe_raw
      • filter.default_flags =
    • My personal wish: a third setting for enforcing an opt-out environment

  33. Set Up Opt-out Environment

  34. Functions Available
    • filter_input()
    • filter_input_array()
    • filter_var()
    • filter_var_array()
    • filter_has_var()
    • filter_list(), filter_id()

  35. filter_input()
    • Basic usage: filter_input(type, name, [filter, [options]])
      • Type == Location of input
      • Name == Name of input variable to get
      • Filter == Filter to apply
      • Options == Associative array of options

  36. Types
    • INPUT_GET
    • INPUT_POST
    • INPUT_COOKIE
    • INPUT_SERVER
    • INPUT_ENV
    • INPUT_SESSION (not yet implemented)
    • INPUT_REQUEST (not yet implemented)

  37. Whitelist Filters
    • FILTER_VALIDATE_INT
    • FILTER_VALIDATE_BOOLEAN
    • FILTER_VALIDATE_FLOAT
    • FILTER_VALIDATE_REGEXP
    • FILTER_VALIDATE_URL
    • FILTER_VALIDATE_EMAIL
    • FILTER_VALIDATE_IP

  38. Whitelist Sanitizers
    • FILTER_SANITIZE_STRING
    • FILTER_SANITIZE_STRIPPED
    • FILTER_SANITIZE_EMAIL
    • FILTER_SANITIZE_URL
    • FILTER_SANITIZE_NUMBER_INT
    • FILTER_SANITIZE_NUMBER_FLOAT

  39. Escaping Sanitizers
    • FILTER_SANITIZE_ENCODED
    • FILTER_SANITIZE_SPECIAL_CHARS
    • FILTER_SANITIZE_MAGIC_QUOTES

  40. Opting Out
    • FILTER_UNSAFE_RAW
    • FILTER_CALLBACK

  41. Extended Example
    • Same form as earlier
    • Use ext/filter to filter the values for the same type of data as used earlier:
      • name == alphabetic string
      • age == integer with min and max
      • website == valid URL format
      • e-mail == valid e-mail format
      • color == one of red, blue, or green

  42. form.html

  43. process.php

  44. process.php

  45. process.php
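
The process.php code on the three slides above was not captured in the transcript. As an added example, not the deck's own process.php, here are the five rules from the Extended Example slide expressed as one ext/filter definition; the field names, the age bounds 1..120 and the two regular expressions are assumptions of this example, and filter_var_array() is used with a constructed array so the script runs offline.

```php
<?php
// Added example, not the deck's process.php: the form rules from the
// "Extended Example" slide as one ext/filter definition. In process.php
// the same definition would be passed to filter_input_array(INPUT_POST, ...).
// The age bounds and the regexps are assumptions of this example.

function formDefinition(): array
{
    return [
        // name: alphabetic string only
        'name' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[A-Za-z]+$/'],
        ],
        // age: integer with min and max
        'age' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1, 'max_range' => 120],
        ],
        // website / e-mail: format checks built into ext/filter
        'website' => FILTER_VALIDATE_URL,
        'email'   => FILTER_VALIDATE_EMAIL,
        // color: one of red, blue, or green
        'color' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^(red|blue|green)$/'],
        ],
    ];
}

// Returns [cleanValues, namesOfFieldsThatFailedOrWereMissing].
function filterForm(array $input): array
{
    $clean  = filter_var_array($input, formDefinition());
    $failed = [];
    foreach ($clean as $field => $value) {
        // false = rejected by its filter, null = absent from the input
        if ($value === false || $value === null) {
            $failed[] = $field;
        }
    }
    return [$clean, $failed];
}

// Constructed submission with two deliberately bad fields (age, email).
$sample = ['name' => 'Ben', 'age' => '250', 'website' => 'http://benramsey.com/',
           'email' => 'not-an-address', 'color' => 'green'];
[$clean, $failed] = filterForm($sample);
var_dump($failed);
```

Because every field has a whitelist rule, a value that matches none of them comes back as false and the request can be rejected before any of it is used.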

  46. Filtering Tips
    • Use a whitelist approach
    • Force the use of your filter (don’t directly use $_GET, $_POST, $_COOKIE, etc.)
    • Implement an opt-out strategy
    • Set register_long_arrays = Off in php.ini

  47. Summary
    • Zend_Filter_Input provides an OO interface and many built-in methods for all types of data
    • ext/filter requires more thought and planning, but provides filtering directly in the PHP engine
    • Both still need some improvement

  48. Slides & Further Reading
    http://benramsey.com/archives/ipc06-slides/
    And on the Conference CD-ROM