PortalParts.com Site

Geeklog Developers Tool and Filtering Incoming Data Best Practices


As developers, it's important that we protect our applications and data from all the possible attacks or hostile data that can be entered from a form, URL or cookie, for example. There is a golden rule: do not trust any incoming data, and only accept data in the expected format. In addition to just testing for numeric or valid data, there are numerous attacks that we now need to defend against. These attacks include:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • SPAM attacks

Geeklog has always prided itself on a strong security focus. It can be a challenge keeping up with the latest exploits, but Geeklog provides common core functions for filtering incoming data and bad language, as well as plugins to filter spam and ban content from users or IP addresses. As developers, we cannot always block or filter out all HTML, a comment input for example. This is where it gets more complicated, but Geeklog does provide a nice set of core functions to filter out unwanted HTML and JavaScript. Another complication for developers is handling quotes and other special characters.

There are many great resources on the internet that explain web development, security and input filtering in detail. The purpose of this article is to share a small script I wrote that can be used to test the various Geeklog library functions and PHP native functions on input data and see the resulting effect. The test script can be seen here. You can enter any test data, including bad language, HTML and JavaScript, and test the effects of the various filtering options.

The [Test Data] link will insert some test data; you can then toggle on the various filters and PHP functions to see the result, both the raw data equivalent and the resulting displayed data. The test data includes an XSS attack where a JavaScript function is included, which could be replaced with a script that executes a more serious exploit.

As Geeklog developers, we make extensive use of COM_applyFilter, which calls a number of the built-in functions to check for bad language and filter out JavaScript and HTML, as well as optionally returning only an integer value. All input variables should be filtered. There is a problem, though, if you need to accept a quote, as in "this is Blaine's test": quotes are used by attackers to attempt an SQL injection attack. So there are times as developers when we will need to combine some of the other manual functions.

We also need to escape any quotes before the data is inserted into the database. The PHP addslashes() does this for us, but we need to check that the PHP magic_quotes setting is off (a very unpopular feature, and servers may have this setting either way; if it is On, PHP will automatically add a backslash before every quote, so in that case we don't want to add another set of slashes). We also need to remove these slashes when we read the data back from the database and want to display it. Are we having fun yet?

If you need to allow quotes in your incoming data for this field, then you will want to call the PHP function htmlspecialchars($field_value) to convert the quotes and other special characters into the equivalent HTML entities (symbols) that represent the character, and if needed addslashes(). This prevents them from being interpreted and abused by a potential attacker, while preserving them for display.

You would also optionally call the other Geeklog functions to filter bad words and restrict the allowable HTML tags.
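The quote-handling steps above, as an added example that is not Geeklog's own code nor the test script from this article. It assumes the field has already been through COM_applyFilter, and uses a simulated magic_quotes flag alongside the real check so the double-slash trap can be seen on any PHP version:

```php
<?php
// Added example, not Geeklog code. Steps from the article: undo magic_quotes
// if the server enabled it, escape quotes once before the database write, and
// convert special characters to HTML entities for display.
// Assumed: the value was already passed through Geeklog's COM_applyFilter().

// True only on old PHP builds with magic_quotes_gpc On (removed in PHP 7.4).
function magicQuotesEnabled()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Return the value as the user typed it, with any server-added slashes removed.
// $magicQuotesOn may be passed explicitly to simulate either server setting.
function rawInput($value, $magicQuotesOn = null)
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = magicQuotesEnabled();
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Escape quotes exactly once for an SQL string literal. addslashes() is what
// the article uses; a driver escape function or a prepared statement is safer
// because addslashes() knows nothing about the connection's character set.
function escapeForDb($value, $magicQuotesOn = null)
{
    return addslashes(rawInput($value, $magicQuotesOn));
}

// Convert quotes, < and > to entities so stored text cannot run as HTML or JS.
function escapeForDisplay($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, like the page's Test Data: a quote plus a script tag.
$typed = "this is Blaine's test <script>alert(1)</script>";

// Simulate what $_POST would contain under each server setting.
$fromServerOff = $typed;              // magic_quotes Off: data arrives unchanged
$fromServerOn  = addslashes($typed);  // magic_quotes On: PHP already added slashes

echo escapeForDb($fromServerOff, false), "\n"; // escaped once
echo escapeForDb($fromServerOn, true), "\n";   // also escaped once: slashes not doubled
echo addslashes($fromServerOn), "\n";          // naive path: quote is double-escaped
echo escapeForDisplay($typed), "\n";           // safe to place inside HTML
```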

Geeklog is a great application development framework, and I hope this test script is useful to other developers as you explore how best to filter your incoming data.

Trackback URL for this entry: http://www.portalparts.com/trackback.php?id=20060325221307856
Authored by: bunkfilms on Wednesday, July 19 2006 @ 05:35 PM CDT
This article is a great starter. I know we have talked in the past about some stuff I wanted to do with my web site and I've been learning from your plugins (I'm a paying customer of the quiz plugin). I agree that Geeklog provides an excellent framework and I'm using it as the backbone for a talent database I'm developing. I didn't see a point in having to "redesign the wheel" and making my own security modules etc. Granted, I'm still learning how to integrate everything, but I would be nowhere without the Geeklog site and your site. I also have to give props to your FAQ http://www.portalparts.com/faqman/index.php?op=view&t=7 which really opened up my eyes and made me understand more. Right now, I'm learning how to take advantage of Geeklog's security utilizing custom groups and roles I create to access my talent database. Thanks for the help!

---
Webmaster And Geeklog enthusiast