Filtering Tainted Data: ext/filter vs. Zend_Filter (IPC 2006)

Ben Ramsey
November 08, 2006

All input should be considered tainted. The question is: how do we filter it to ensure that the input received is the input expected? This talk will examine the PECL Input Filter extension and the Zend_InputFilter class from the Zend Framework, comparing and contrasting their approaches to filtering input. We'll consider examples of both techniques and see how they work to ensure that the data we receive is safe to use.


Transcript

  1. Welcome
     • BenRamsey.com
     • I work for Art & Logic, Inc.
     • PHP 5 Certification Study Guide author
     • Organizer of Atlanta PHP user group
  2. Why Filter Input?
     • Input comes from everywhere
     • You cannot control the origin of input
     • They’re sending all kinds of input
     • Thus, you can’t trust the data
     • You don’t want to accept bad or incorrect data
  3. What Is Filtering?
     • Data inspection process
     • By which you validate input according to your data model
     • You can choose to accept or reject the input if it doesn’t match your model
  4. Where To Filter?
     • Client-side?
        • All client-side filtering can be circumvented
     • Server-side?
        • Best place to filter; not so user-friendly
     • Both?
        • Client-side provides good user experience
        • Server-side ensures good data
  5. Blacklist Filtering
     • Negative filtering
     • “I know what data I don’t want to allow”
     • Block input based on a list of unacceptable values
     • Must continually add to this list as you discover new unacceptable values
  6. Whitelist Filtering
     • Positive filtering
     • “I know what data I do want to allow”
     • Accept input based on a list of acceptable values
     • Benefit: you always know what you want to accept
  7. Sanitizing
     • Lenient “filtering”
     • Two approaches:
        • Blacklist: “I’ll accept everything and strip out what I don’t want”
        • Whitelist: “I’ll accept everything and extract only what I do want”
     • Though the input is sanitized, it may not be good data
  8. Opt-In Filtering
     • All input is unfiltered to begin with
     • You choose when you want to filter data
     • Nothing to stop you or your development team from using unfiltered data
     • Typical approach is to filter input from $_GET and $_POST and store it back to these variables or a new variable
  9. Opt-Out Filtering
     • Everything is filtered by default
     • No access to unfiltered data except by choice
     • No accidental usage of $_GET, $_POST, etc.
     • You must make a conscious decision to opt-out of the filtering and get raw data
  10. Enforce Opt-out Filtering
     • Ensures that you and your development team cannot accidentally access unfiltered input
     • Must consciously decide to use raw data
     • PHP does not do this by default, nor does Zend_Filter_Input or ext/filter
     • I’ll show you how
  11. Zend_Filter_Input Philosophy
     • Filter from the application level
     • Opt-out filtering
     • Not enforced by default
     • Whitelist filtering
     • Provides sanitizing methods, if desired
  12. Method Types
     • no*() methods: blacklist sanitizers
     • get*() methods: whitelist sanitizers
     • test*() methods: whitelist filters
  13. get*() Methods
     • getAlnum() — returns only alphanumeric chars
     • getAlpha() — returns only alphabetic chars
     • getDigits() — returns only digits
     • getDir() — returns dirname(value)
     • getInt() — returns (int) value
     • getPath() — returns realpath(value)
     • getRaw() — returns original value (opt-out)
  14. Extended Example
     • Typical form that asks for information
     • Use Zend_Filter_Input to filter the values for the following types of data:
        • name == alphabetic string
        • age == integer with min and max
        • website == valid URL format
        • e-mail == valid e-mail format
        • color == one of red, blue, or green
  15. ext/filter Philosophy
     • Filter from the PHP level
     • Opt-in filtering
     • Does provide a default filter setting, though
     • Whitelist and sanitizing filters
  16. Configuration
     • Two php.ini settings for ext/filter:
        • filter.default = unsafe_raw
        • filter.default_flags =
     • My personal wish: a third setting for enforcing an opt-out environment
  17. filter_input()
     • Basic usage: filter_input(type, name, [filter, [options]])
        • Type == Location of input
        • Name == Name of input variable to get
        • Filter == Filter to apply
        • Options == Associative array of options
  18. Types
     • INPUT_GET
     • INPUT_POST
     • INPUT_COOKIE
     • INPUT_SERVER
     • INPUT_ENV
     • INPUT_SESSION (not yet implemented)
     • INPUT_REQUEST (not yet implemented)
  19. Extended Example
     • Same form as earlier
     • Use ext/filter to filter the values for the same types of data as used earlier:
        • name == alphabetic string
        • age == integer with min and max
        • website == valid URL format
        • e-mail == valid e-mail format
        • color == one of red, blue, or green
  20. Filtering Tips
     • Use a whitelist approach
     • Force the use of your filter (don’t directly use $_GET, $_POST, $_COOKIE, etc.)
     • Implement an opt-out strategy
     • Set register_long_arrays = Off in php.ini
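As an added example (not code from the talk, whose own slides are not reproduced in this transcript): the form fields from the "Extended Example" slides validated with ext/filter, and then wrapped so application code can only reach filtered values and must call getRaw() to opt out, which is the enforcement slides 10 and 20 ask for. It uses filter_var_array() on a constructed array rather than filter_input() so it runs without a real request; the field names, the age range and the name-length limit are assumptions.

```php
<?php
// Added example, not code from the talk: the "Extended Example" form validated
// with ext/filter and wrapped so application code only sees filtered values.
// Field names, the age range and the name-length limit are assumed.

final class FilteredInput
{
    private array $raw;
    private array $clean;

    public function __construct(array $raw)
    {
        $this->raw = $raw;
        // Whitelist validators only. Keys not listed here are dropped,
        // a rejected value becomes false and a missing field becomes null.
        $definition = [
            'name'    => ['filter'  => FILTER_VALIDATE_REGEXP,
                          'options' => ['regexp' => '/^[A-Za-z]{1,64}$/']],
            'age'     => ['filter'  => FILTER_VALIDATE_INT,
                          'options' => ['min_range' => 13, 'max_range' => 120]],
            'website' => FILTER_VALIDATE_URL,
            'email'   => FILTER_VALIDATE_EMAIL,
            'color'   => ['filter'  => FILTER_CALLBACK,
                          'options' => fn ($v) => in_array($v, ['red', 'blue', 'green'], true) ? $v : false],
        ];
        $this->clean = filter_var_array($raw, $definition);
    }

    /** Filtered value, or null when the field was absent or rejected. */
    public function get(string $key)
    {
        $value = $this->clean[$key] ?? null;
        return $value === false ? null : $value;
    }

    /** Explicit opt-out: the untouched value, only when you really need it. */
    public function getRaw(string $key)
    {
        return $this->raw[$key] ?? null;
    }
}

// Constructed sample request standing in for a real POST; each bad field
// is chosen to trip one validator, and 'extra' is not in the whitelist at all.
$_POST = ['name' => 'Ben', 'age' => '200', 'website' => 'http://benramsey.com',
          'email' => 'not-an-address', 'color' => 'purple', 'extra' => '<script>'];
$input = new FilteredInput($_POST);
$_POST = $_GET = $_REQUEST = [];   // enforce opt-out: raw data only via getRaw()
foreach (['name', 'age', 'website', 'email', 'color', 'extra'] as $field) {
    var_dump($field, $input->get($field));
}
```

Because the superglobals are emptied right after the wrapper captures them, any later `$_POST['name']` in the code base yields nothing instead of silently returning unfiltered data.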
  21. Summary
     • Zend_Filter_Input provides an OO interface and many built-in methods for all types of data
     • ext/filter requires more thought and planning, but provides filtering directly in the PHP engine
     • Both still need some improvement