Filtering Tainted Data: ext/filter vs. Zend_Filter (Ben Ramsey, International PHP Conference, 8 November 2006; transcript of 48 slides)


Filtering Tainted Data: ext/filter vs. Zend_Filter

Ben Ramsey

International PHP Conference

8 November 2006


Welcome

• BenRamsey.com

• I work for Art & Logic, Inc.

• PHP 5 Certification Study Guide author

• Organizer of AtlantaPHP user group


Overview

• Filtering Input

• Zend_Filter_Input

• ext/filter

• Filtering Tips


Filtering Input


Why Filter Input?


• Input comes from everywhere

• You cannot control the origin of input

• Users and automated clients send all kinds of input, well-formed or not

• Thus, you can’t trust the data

• You don’t want to accept bad or incorrect data


What Is Filtering?

• Data inspection process

• By which you validate input according to your data model

• You can choose to accept or reject the input if it doesn’t match your model


Where To Filter?

• Client-side?

• All client-side filtering can be circumvented

• Server-side?

• Best place to filter, though less user-friendly: the user learns of a rejection only after a round trip

• Both?

• Client-side provides good user experience

• Server-side ensures good data


Filtering Methodologies

• Blacklist filtering

• Whitelist filtering

• Sanitizing data


Blacklist Filtering

• Negative filtering

• “I know what data I don’t want to allow”

• Block input based on a list of unacceptable values

• Must continually add to this list as you discover new unacceptable values


Whitelist Filtering

• Positive filtering

• “I know what data I do want to allow”

• Accept input based on a list of acceptable values

• Benefit: you always know what you want to accept


Sanitizing

• Lenient “filtering”

• Two approaches:

• Blacklist: “I’ll accept everything and strip out what I don’t want”

• Whitelist: “I’ll accept everything and extract only what I do want”

• Though the input is sanitized, it may not be good data
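As an added example (not from the slides), the four approaches of the last three slides applied to the same constructed inputs, so the difference between rejecting, accepting and "cleaning" is visible side by side. The function names and the sample strings are mine.

```php
<?php
// Added example, not from the talk: the same tainted value pushed through
// blacklist filtering, whitelist filtering, and both kinds of sanitizing.
declare(strict_types=1);

// Blacklist filter: reject if the value matches something we know is bad.
function blacklistFilter(string $value): bool
{
    // A blacklist is never finished; these are just the entries known today.
    $denied = ['<script', 'javascript:', 'onerror=', '--', ';'];
    foreach ($denied as $bad) {
        if (stripos($value, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Whitelist filter: accept only if the value matches the data model
// (here: a display name of 1-40 letters, spaces, hyphens or apostrophes).
function whitelistFilter(string $value): bool
{
    return preg_match('/^[A-Za-z][A-Za-z \'\-]{0,39}$/', $value) === 1;
}

// Blacklist sanitizer: accept everything, strip what we do not want.
function blacklistSanitize(string $value): string
{
    return strip_tags($value);
}

// Whitelist sanitizer: accept everything, keep only what we do want.
function whitelistSanitize(string $value): string
{
    return preg_replace('/[^A-Za-z \'\-]/', '', $value) ?? '';
}

// Constructed sample inputs: one benign, one carrying an event-handler
// attribute that matches nothing on the blacklist, and one encoded variant
// that the blacklist does not recognise either.
$samples = [
    'Ben Ramsey',
    '<b onmouseover=alert(1)>Ben</b>',
    'Ben%3Cscript%3E',
];

foreach ($samples as $input) {
    printf("input:              %s\n", $input);
    printf("  blacklist filter: %s\n", blacklistFilter($input) ? 'accept' : 'reject');
    printf("  whitelist filter: %s\n", whitelistFilter($input) ? 'accept' : 'reject');
    printf("  blacklist sanit.: %s\n", blacklistSanitize($input));
    printf("  whitelist sanit.: %s\n", whitelistSanitize($input));
    echo "\n";
}
```

Run it with `php methodologies.php`. The second input slips past the blacklist because nothing on the list matches it, while the whitelist rejects it on the first character; both sanitizers return something, but the whitelist sanitizer's output for that input is the letters of the attribute and handler glued to the name, which is exactly the "sanitized but not good data" case of the slide.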


Filtering Practices

• Opt-in filtering

• Opt-out filtering


Opt-In Filtering

• All input is unfiltered to begin with

• You choose when you want to filter data

• Nothing to stop you or your development team from using unfiltered data

• Typical approach is to filter input from $_GET and $_POST and store it back to these variables or a new variable


Opt-Out Filtering

• Everything is filtered by default

• No access to unfiltered data except by choice

• No accidental usage of $_GET, $_POST, etc.

• You must make a conscious decision to opt-out of the filtering and get raw data


Enforce Opt-out Filtering

• Ensures that you and your development team cannot accidently access unfiltered input

• Must consciously decide to use raw data

• PHP does not do this by default, nor does Zend_Filter_Input or ext/filter

• I’ll show you how


Zend_Filter_Input


Zend_Filter_Input Philosophy


• Filter from the application level

• Opt-out filtering

• Not enforced by default

• Whitelist filtering

• Provides sanitizing methods, if desired


Quick Example


Set Up Opt-out Environment


Method Types

• no*() methods: blacklist sanitizers

• get*() methods: whitelist sanitizers

• test*() methods: whitelist filters


no*() Methods

• noPath() — returns basename(value)

• noTags() — strips all tags from value


get*() Methods

• getAlnum() — returns only alphanumeric chars

• getAlpha() — returns only alphabetic chars

• getDigits() — returns only digits

• getDir() — returns dirname(value)

• getInt() — returns (int) value

• getPath() — returns realpath(value)

• getRaw() — returns original value (opt-out)


test*() Methods

• testAlnum()

• testAlpha()

• testBetween()

• testCcnum()

• testDate()

• testDigits()

• testEmail()


test*() Methods

• testFloat()

• testGreaterThan()

• testHex()

• testHostname()

• testInt()

• testIp()

• testLessThan()


test*() Methods

• testName()

• testOneOf()

• testPhone()

• testRegex()

• testZip()


Extended Example

• Typical form that asks for information

• Use Zend_Filter_Input to filter the values for the following types of data:

• name == alphabetic string

• age == integer with min and max

• website == valid URL format

• e-mail == valid e-mail format

• color == one of red, blue, or green



form.html


FormController.php


ext/filter


ext/filter Philosophy


• Filter from the PHP level

• Opt-in filtering

• Does provide a default filter setting, though

• Whitelist and sanitizing filters


Quick Example


Configuration

• Two php.ini settings for ext/filter

• filter.default = unsafe_raw (the filter applied to all $_GET, $_POST, $_COOKIE, $_REQUEST and $_SERVER data; the original data stays reachable through filter_input())

• filter.default_flags = (flags passed to that default filter)

• My personal wish: a third setting for enforcing an opt-out environment


Set Up Opt-out Environment
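The set-up code for this slide did not survive in the transcript. What follows is an added example of one way to build an opt-out environment on ext/filter; it is not the speaker's code. The Input class and its get() and raw() methods are my names, and the example assumes PHP 8 (for the mixed return type) and a web SAPI, where ext/filter captures its own copy of the request data before the script runs. It does not depend on filter.default, which can stay at unsafe_raw.

```php
<?php
// Added example, not the talk's own set-up code: an opt-out environment on
// top of ext/filter. Assumes PHP 8 (mixed return type) and a web SAPI.
declare(strict_types=1);

final class Input
{
    // Whitelist read: null when the value is missing or fails the filter.
    // FILTER_NULL_ON_FAILURE keeps a valid false (e.g. "no" through
    // FILTER_VALIDATE_BOOLEAN) distinguishable from a failed filter.
    public static function get(int $type, string $name, int $filter, array $options = []): mixed
    {
        if (!filter_has_var($type, $name)) {
            return null;
        }
        $options['flags'] = ($options['flags'] ?? 0) | FILTER_NULL_ON_FAILURE;
        return filter_input($type, $name, $filter, $options);
    }

    // The one deliberate opt-out. Its name is easy to grep for in review,
    // which is the point: every raw read is a conscious decision.
    public static function raw(int $type, string $name): ?string
    {
        $value = filter_input($type, $name, FILTER_UNSAFE_RAW);
        return is_string($value) ? $value : null;
    }
}

// Bootstrap, before any application code runs: empty the superglobals so an
// accidental $_GET['x'] finds nothing. filter_input() and filter_has_var()
// keep working because ext/filter holds its own copy of the request data,
// taken before the script started, independent of $_GET and friends.
$_GET = $_POST = $_COOKIE = $_REQUEST = [];

// Application code: every read goes through the whitelist, or through the
// named opt-out.
$page = Input::get(INPUT_GET, 'page', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 1000]]);
$name = Input::get(INPUT_GET, 'name', FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[A-Za-z ]{1,40}$/']]);
$leak = $_GET['name'] ?? null;          // the opt-in path is closed
$html = Input::raw(INPUT_GET, 'name');  // explicit opt-out, visible in review

var_dump($page, $name, $leak, $html);
```

For a request with `?page=3&name=<b>Ben</b>`, `$page` is the integer 3, `$name` is null because the markup fails the regex, `$leak` is null because the superglobal was emptied at bootstrap, and `$html` is the raw string because raw() was called on purpose. Combined with register_long_arrays = Off (so $HTTP_GET_VARS cannot be used as a back door), this is the enforced opt-out the earlier slide asks for.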


Functions Available

• filter_input()

• filter_input_array()

• filter_var()

• filter_var_array()

• filter_has_var()

• filter_list(), filter_id()


filter_input()

• Basic usage:

• filter_input(type, name, [filter, [options]])

• Type == Location of input

• Name == Name of input variable to get

• Filter == Filter to apply (defaults to FILTER_DEFAULT, an alias of FILTER_UNSAFE_RAW, i.e. no filtering)

• Options == Associative array of options


Types

• INPUT_GET

• INPUT_POST

• INPUT_COOKIE

• INPUT_SERVER

• INPUT_ENV

• INPUT_SESSION (not yet implemented)

• INPUT_REQUEST (not yet implemented)


Whitelist Filters

• FILTER_VALIDATE_INT

• FILTER_VALIDATE_BOOLEAN

• FILTER_VALIDATE_FLOAT

• FILTER_VALIDATE_REGEXP

• FILTER_VALIDATE_URL

• FILTER_VALIDATE_EMAIL

• FILTER_VALIDATE_IP


Whitelist Sanitizers

• FILTER_SANITIZE_STRING

• FILTER_SANITIZE_STRIPPED

• FILTER_SANITIZE_EMAIL

• FILTER_SANITIZE_URL

• FILTER_SANITIZE_NUMBER_INT

• FILTER_SANITIZE_NUMBER_FLOAT
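An added example, not from the slides, contrasting the validate filters of the previous slide with the sanitize filters of this one on constructed inputs. It also shows the two return-value traps a practitioner hits with filter_var(): a valid "0" comes back as the integer 0 and must be compared with `=== false`, and FILTER_VALIDATE_BOOLEAN needs FILTER_NULL_ON_FAILURE to tell "no" from junk. FILTER_SANITIZE_STRING and FILTER_SANITIZE_STRIPPED are deprecated since PHP 8.1 and FILTER_SANITIZE_MAGIC_QUOTES was removed in PHP 8.0, so they are left out. The function names are mine.

```php
<?php
// Added example (not from the slides): a FILTER_VALIDATE_* filter and a
// FILTER_SANITIZE_* filter answer different questions. Constructed inputs.
declare(strict_types=1);

function checkInt(string $raw): array
{
    return [
        // Validation says yes or no about the whole value. "0" is valid and
        // returns int 0, so callers must compare with === false, not !$x.
        'validate' => filter_var($raw, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 0, 'max_range' => 130],
        ]),
        // Sanitizing keeps whatever digits (and signs) it finds: garbage in,
        // digits out, and no range check at all.
        'sanitize' => filter_var($raw, FILTER_SANITIZE_NUMBER_INT),
    ];
}

function checkBool(string $raw): ?bool
{
    // Without FILTER_NULL_ON_FAILURE, "no" and "banana" both come back as
    // false; with it, only a real negative is false and junk is null.
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

function checkEmail(string $raw): array
{
    return [
        'validate' => filter_var($raw, FILTER_VALIDATE_EMAIL),
        // FILTER_SANITIZE_EMAIL strips characters not allowed in an address
        // but does not check the shape, so the result can still be invalid.
        'sanitize' => filter_var($raw, FILTER_SANITIZE_EMAIL),
    ];
}

foreach (['42', '0', ' 42 ', '12abc34', '1e3', '200', '-7'] as $raw) {
    $r = checkInt($raw);
    printf("int  %-10s validate=%-6s sanitize=%s\n", var_export($raw, true),
        $r['validate'] === false ? 'FAIL' : var_export($r['validate'], true),
        var_export($r['sanitize'], true));
}
foreach (['yes', 'no', 'off', '1', 'banana', ''] as $raw) {
    printf("bool %-10s %s\n", var_export($raw, true), var_export(checkBool($raw), true));
}
foreach (['ben@example.com', 'ben <ben@example.com>', 'ben@@example.com'] as $raw) {
    $r = checkEmail($raw);
    printf("mail %-25s validate=%-18s sanitize=%s\n", var_export($raw, true),
        var_export($r['validate'], true), var_export($r['sanitize'], true));
}
```

The sanitize column is what a lenient "accept everything and clean it" policy produces: the digit sanitizer turns "12abc34" into "1234" and keeps "200" although it is out of range, and the e-mail sanitizer leaves "ben@@example.com" untouched because every character in it is permitted. Only the validate column tells you whether the value fits the data model.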


Escaping Sanitizers

• FILTER_SANITIZE_ENCODED

• FILTER_SANITIZE_SPECIAL_CHARS

• FILTER_SANITIZE_MAGIC_QUOTES


Opting Out

• FILTER_UNSAFE_RAW

• FILTER_CALLBACK


Extended Example

• Same form as earlier

• Use ext/filter to filter the values for the same type of data as used earlier:

• name == alphabetic string

• age == integer with min and max

• website == valid URL format

• e-mail == valid e-mail format

• color == one of red, blue, or green


form.html

process.php
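The process.php listing, like the earlier FormController.php, is not in the transcript. The following added example stands in for both extended examples in ext/filter form; it is not the speaker's code. FORM_RULES and validateForm() are my names, the submission array is constructed, and the example assumes PHP 7.4 or later. One rule definition drives either filter_input_array() for a real POST or filter_var_array() for an array, which is what this offline run uses.

```php
<?php
// Added example, not the talk's process.php (the listing is not in the
// transcript): the five form fields validated with ext/filter.
declare(strict_types=1);

// One whitelist rule per field. Fields not listed here are never read.
const FORM_RULES = [
    'name'    => ['filter'  => FILTER_VALIDATE_REGEXP,
                  'options' => ['regexp' => '/^[A-Za-z]{1,40}$/']],
    'age'     => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 13, 'max_range' => 120]],
    'website' => FILTER_VALIDATE_URL,
    'email'   => FILTER_VALIDATE_EMAIL,
    // "one of" has no built-in validator, so FILTER_CALLBACK carries the
    // rule; returning null marks the value invalid.
    'color'   => ['filter'  => FILTER_CALLBACK,
                  'options' => fn (string $v) => in_array($v, ['red', 'blue', 'green'], true) ? $v : null],
];

// Runs the rules over $source (the raw form fields) and returns
// ['values' => filtered fields, 'errors' => field => reason].
function validateForm(array $source): array
{
    // add_empty=true puts null in the result for every missing field, so a
    // field the client simply omitted is reported like an invalid one.
    $values = filter_var_array($source, FORM_RULES, true);
    $errors = [];
    foreach (FORM_RULES as $field => $_) {
        // null: missing (or rejected by the callback); false: validator failed.
        if (!isset($values[$field]) || $values[$field] === false) {
            $errors[$field] = 'missing or invalid';
        }
    }
    // FILTER_VALIDATE_URL accepts any scheme that carries a host, so a
    // profile link of ftp://... passes it. Restrict to web URLs explicitly.
    if (!isset($errors['website'])) {
        $scheme = strtolower((string) parse_url($values['website'], PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            $errors['website'] = 'only http and https URLs are accepted';
        }
    }
    return ['values' => $values, 'errors' => $errors];
}

// Constructed submission standing in for $_POST: name, age and e-mail are
// fine, the website has the wrong scheme and the colour is not on the list.
$result = validateForm([
    'name'    => 'Ben',
    'age'     => '17',
    'website' => 'ftp://example.com/pub/',
    'email'   => 'ben@example.com',
    'color'   => 'purple',
]);

if ($result['errors'] !== []) {
    foreach ($result['errors'] as $field => $reason) {
        echo "$field: $reason\n";
    }
    exit(1);
}
// Only validated, typed values reach the rest of the application.
var_dump($result['values']);
```

For a live request, replace the filter_var_array() call with `filter_input_array(INPUT_POST, FORM_RULES, true)`; the rule definition and the checks stay the same. Note that the age arrives as the string "17" and leaves as the integer 17, which is the whitelist filter doing the type conversion for you, and that a submitted `age[]=17` fails, because FILTER_VALIDATE_INT without FILTER_REQUIRE_ARRAY rejects arrays.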


Filtering Tips

• Use a whitelist approach

• Force the use of your filter (don’t directly use $_GET, $_POST, $_COOKIE, etc.)

• Implement an opt-out strategy

• Set register_long_arrays = Off in php.ini


Summary

• Zend_Filter_Input provides an OO interface and many built-in methods for all types of data

• ext/filter requires more thought and planning, but provides filtering directly in the PHP engine

• Both still need some improvement


Slides & Further Reading

http://benramsey.com/archives/ipc06-slides/

And on the Conference CD-ROM
