Filtering Tainted Data: ext/filter vs. Zend_Filter
Ben Ramsey, International PHP Conference
8 November 2006
Welcome
• BenRamsey.com
• I work for Art & Logic, Inc.
• PHP 5 Certification Study Guide author
• Organizer of AtlantaPHP user group
Overview
• Filtering Input
• Zend_Filter_Input
• ext/filter
• Filtering Tips
Filtering Input
Why Filter Input?
• Input comes from everywhere
• You cannot control the origin of input
• They’re sending all kinds of input
• Thus, you can’t trust the data
• You don’t want to accept bad or incorrect data
What Is Filtering?
• Data inspection process
• By which you validate input according to your data model
• You can choose to accept or reject the input if it doesn’t match your model
Where To Filter?
• Client-side?
• All client-side filtering can be circumvented
• Server-side?
• Best place to filter; not so user-friendly
• Both?
• Client-side provides good user experience
• Server-side ensures good data
Filtering Methodologies
• Blacklist filtering
• Whitelist filtering
• Sanitizing data
Blacklist Filtering
• Negative filtering
• “I know what data I don’t want to allow”
• Block input based on a list of unacceptable values
• Must continually add to this list as you discover new unacceptable values
Whitelist Filtering
• Positive filtering
• “I know what data I do want to allow”
• Accept input based on a list of acceptable values
• Benefit: you always know what you want to accept
Sanitizing
• Lenient “filtering”
• Two approaches:
• Blacklist: “I’ll accept everything and strip out what I don’t want”
• Whitelist: “I’ll accept everything and extract only what I do want”
• Though the input is sanitized, it may not be good data
Filtering Practices
• Opt-in filtering
• Opt-out filtering
Opt-In Filtering
• All input is unfiltered to begin with
• You choose when you want to filter data
• Nothing to stop you or your development team from using unfiltered data
• Typical approach is to filter input from $_GET and $_POST and store it back to these variables or a new variable
Opt-Out Filtering
• Everything is filtered by default
• No access to unfiltered data except by choice
• No accidental usage of $_GET, $_POST, etc.
• You must make a conscious decision to opt-out of the filtering and get raw data
Enforce Opt-out Filtering
• Ensures that you and your development team cannot accidentally access unfiltered input
• Must consciously decide to use raw data
• PHP does not do this by default, nor does Zend_Filter_Input or ext/filter
• I’ll show you how
Zend_Filter_Input
Zend_Filter_Input Philosophy
• Filter from the application level
• Opt-out filtering
• Not enforced by default
• Whitelist filtering
• Provides sanitizing methods, if desired
Quick Example
Set Up Opt-out Environment
Method Types
• no*() methods
• Blacklist sanitizers
• get*() methods
• Whitelist sanitizers
• test*() methods
• Whitelist filters
no*() Methods
• noPath() — returns basename(value)
• noTags() — strips all tags from value
get*() Methods
• getAlnum() — returns only alphanumeric chars
• getAlpha() — returns only alphabetic chars
• getDigits() — returns only digits
• getDir() — returns dirname(value)
• getInt() — returns (int) value
• getPath() — returns realpath(value)
• getRaw() — returns original value (opt-out)
test*() Methods
• testAlnum()
• testAlpha()
• testBetween()
• testCcnum()
• testDate()
• testDigits()
• testEmail()
test*() Methods
• testFloat()
• testGreaterThan()
• testHex()
• testHostname()
• testInt()
• testIp()
• testLessThan()
test*() Methods
• testName()
• testOneOf()
• testPhone()
• testRegex()
• testZip()
Extended Example
• Typical form that asks for information
• Use Zend_Filter_Input to filter the values for the following types of data:
• name == alphabetic string
• age == integer with min and max
• website == valid URL format
• e-mail == valid e-mail format
• color == one of red, blue, or green
form.html
FormController.php
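The extended example worked through as an added illustration (it is not the slide's FormController.php, nor code from Zend Framework). It assumes the Zend Framework 0.1.x Zend_Filter_Input API of the time: the constructor's $strict flag nulls the source array, and each test*() method takes the field name plus any bounds and returns the value on success or false on failure; the URL pattern passed to testRegex() is a constructed, deliberately narrow one.

```php
<?php
// Added example, not from the slides: the form fields of the extended
// example filtered with Zend_Filter_Input (ZF 0.1.x API assumed).
require_once 'Zend/Filter/Input.php';

// Strict mode (second argument) sets $_POST to null inside the constructor,
// so the rest of the script cannot touch raw input by accident. This is the
// opt-out environment from the slides: raw data only via getRaw().
$filter = new Zend_Filter_Input($_POST, true);

$clean  = array();
$errors = array();

// name == alphabetic string
$clean['name'] = $filter->testAlpha('name');

// age == integer with min and max: testInt() first so that a non-numeric
// string is rejected before the range comparison in testBetween()
$clean['age'] = $filter->testInt('age');
if ($clean['age'] !== false) {
    $clean['age'] = $filter->testBetween('age', 1, 120);
}

// website == valid URL format: none of the listed test*() methods checks a
// URL, so testRegex() with an explicit (constructed) http(s) pattern is used
$clean['website'] = $filter->testRegex('website', '#^https?://[A-Za-z0-9.-]+(/\S*)?$#');

// e-mail == valid e-mail format
$clean['email'] = $filter->testEmail('email');

// color == one of red, blue, or green (a literal whitelist)
$clean['color'] = $filter->testOneOf('color', array('red', 'blue', 'green'));

// false means the test failed or the field was absent. Compare with ===
// because "0" is a legitimate value that would otherwise look like failure.
foreach ($clean as $field => $value) {
    if ($value === false) {
        $errors[] = $field;
    }
}

if ($errors) {
    // whitelist filtering rejects bad input instead of repairing it
    echo 'Invalid input: ', htmlspecialchars(implode(', ', $errors));
    exit;
}

// Deliberate opt-out, e.g. to log exactly what was submitted:
$rawName = $filter->getRaw('name');
```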
ext/filter
ext/filter Philosophy
• Filter from the PHP level
• Opt-in filtering
• Does provide a default filter setting, though
• Whitelist and sanitizing filters
Quick Example
Configuration
• Two php.ini settings for ext/filter
• filter.default = unsafe_raw
• filter.default_flags =
• My personal wish: a third setting for enforcing an opt-out environment
Set Up Opt-out Environment
Functions Available
• filter_input()
• filter_input_array()
• filter_var()
• filter_var_array()
• filter_has_var()
• filter_list(), filter_id()
filter_input()
• Basic usage:
• filter_input(type, name, [filter, [options]])
• Type == Location of input
• Name == Name of input variable to get
• Filter == Filter to apply
• Options == Associative array of options
Types
• INPUT_GET
• INPUT_POST
• INPUT_COOKIE
• INPUT_SERVER
• INPUT_ENV
• INPUT_SESSION (not yet implemented)
• INPUT_REQUEST (not yet implemented)
Whitelist Filters
• FILTER_VALIDATE_INT
• FILTER_VALIDATE_BOOLEAN
• FILTER_VALIDATE_FLOAT
• FILTER_VALIDATE_REGEXP
• FILTER_VALIDATE_URL
• FILTER_VALIDATE_EMAIL
• FILTER_VALIDATE_IP
Whitelist Sanitizers
• FILTER_SANITIZE_STRING
• FILTER_SANITIZE_STRIPPED
• FILTER_SANITIZE_EMAIL
• FILTER_SANITIZE_URL
• FILTER_SANITIZE_NUMBER_INT
• FILTER_SANITIZE_NUMBER_FLOAT
Escaping Sanitizers
• FILTER_SANITIZE_ENCODED
• FILTER_SANITIZE_SPECIAL_CHARS
• FILTER_SANITIZE_MAGIC_QUOTES
Opting Out
• FILTER_UNSAFE_RAW
• FILTER_CALLBACK
Extended Example
• Same form as earlier
• Use ext/filter to filter the values for the same type of data as used earlier:
• name == alphabetic string
• age == integer with min and max
• website == valid URL format
• e-mail == valid e-mail format
• color == one of red, blue, or green
form.html
process.php
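The same five fields handled with ext/filter, as an added example rather than the slide's process.php: it uses filter_input_array() with whitelist (FILTER_VALIDATE_*) filters only, and enforces the opt-out environment by unsetting the superglobals after the filtered copy is taken. The regexps and the 1..120 age range are constructed for the example.

```php
<?php
// Added example, not code from the slides: the extended-example form
// validated with ext/filter, with opt-out enforced by hand.
$definition = array(
    // name == alphabetic string (no alpha validator in ext/filter, so a regexp)
    'name'    => array('filter'  => FILTER_VALIDATE_REGEXP,
                       'options' => array('regexp' => '/^[A-Za-z]{1,64}$/')),
    // age == integer with min and max
    'age'     => array('filter'  => FILTER_VALIDATE_INT,
                       'options' => array('min_range' => 1, 'max_range' => 120)),
    // website == valid URL format
    'website' => FILTER_VALIDATE_URL,
    // e-mail == valid e-mail format
    'email'   => FILTER_VALIDATE_EMAIL,
    // color == one of red, blue, or green (a literal whitelist as a regexp)
    'color'   => array('filter'  => FILTER_VALIDATE_REGEXP,
                       'options' => array('regexp' => '/^(red|blue|green)$/')),
);

$input = filter_input_array(INPUT_POST, $definition);
if ($input === null) {
    // no POST body at all: treat every field as absent
    $input = array_fill_keys(array_keys($definition), null);
}

// Opt-out enforcement: filter_input*() read the request data PHP captured at
// startup, not these arrays, so unsetting the superglobals leaves the filter
// as the only path to input. Raw data stays reachable on purpose through
// filter_input(INPUT_POST, 'x', FILTER_UNSAFE_RAW), which is the opt-out.
unset($_POST, $_GET, $_REQUEST);

// Per field: null = absent, false = failed its filter, anything else passed.
// Compare with === because "0" and 0 are legitimate values that are falsy.
$errors = array();
foreach ($definition as $field => $spec) {
    if ($input[$field] === null) {
        $errors[$field] = 'missing';
    } elseif ($input[$field] === false) {
        $errors[$field] = 'invalid';
    }
}

if ($errors) {
    // reject rather than repair: this is whitelist filtering, not sanitizing
    header('HTTP/1.1 400 Bad Request');
    echo 'Invalid input: ', htmlspecialchars(implode(', ', array_keys($errors)));
    exit;
}
// $input now holds only validated values; $input['age'] is already an int.
```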
Filtering Tips
• Use a whitelist approach
• Force the use of your filter (don’t directly use $_GET, $_POST, $_COOKIE, etc.)
• Implement an opt-out strategy
• Set register_long_arrays = Off in php.ini
Summary
• Zend_Filter_Input provides an OO interface and many built-in methods for all types of data
• ext/filter requires more thought and planning, but provides filtering directly in the PHP engine
• Both still need some improvement
Slides & Further Reading
http://benramsey.com/archives/ipc06-slides/
And on the Conference CD-ROM