Archive for July, 2008

Jul
24
2008

PHP howto – Sanitize database inputs

When accepting data from a user, any data at all, it should be sanitized before making its way to your database.

What does this mean? Well, for one, you’re going to inspect the data and make sure that it doesn’t contain any malicious code such as ill-intentioned javascript.  Another is to prepare the data so that when it gets added to your insert/update SQL it doesn’t break the SQL (or do other nasty actions). Otherwise know as a SQL injection attack.

The technical details of the types of attacks we’re protecting against are a bit out of the scope of this post, but there are numerous resources available which will explain far better than I am able to.

After a form has been submitted (via get or post) it gets stored in the global array $_GET or $_POST.  Once we have this data, we can and should do a bunch of things to it, such as:

Stripping out malicious code

We’ll scan through the input, searching for anything that shouldn’t be there, like html code, <script> tags, etc.

<?
function cleanInput($input) {
 
$search = array(
    '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
    '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
    '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
);
 
    $output = preg_replace($search, '', $input);
    return $output;
}
?>

’slashing

This part can sometimes get tricky, but not to worry, the code’s not too bad.  Basically we’re adding a backslash before any of the following: (single-quote), (double quote), \ (backslash) and NULL characters.  Depending on your server configuration, there are a bunch of ways of getting this done.  PHP has something called magic_quotes, which does this automatically.  Note, however, that as of PHP 6 this feature has been deprecated and removed.  Another PHP function, addslashes(), is the manual version of magic_quotes.  addslashes(”Where’s Wally”); will return “Where\’s Wally”.  A better option, if your server supports it, is mysql_real_escape_string().  It performs pretty much the same function, but is apparently better.

<?
function sanitize($input) {
    if (is_array($input)) {
        foreach($input as $var=>$val) {
            $output[$var] = sanitize($val);
        }
    }
    else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input  = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
?>

To use, we simply pass any input to the function. The function works on single strings, as well as deep arrays.

<?
$bad_string = "Hi! <script src='http://www.evilsite.com/bad_script.js'></script> It's a good day!";
 
$_POST = sanitize($_POST);
$_GET  = sanitize($_GET);
$good_string = sanitize($bad_string);
// $good_string returns "Hi! It\'s a good day!"
?>

Typecasting

Making sure that the data we’re inserting matches the expected type;  i.e, someone’s age should be received as an integer value, and not a string.

<?
$age = (int) $_GET['age'];
?>

This is a very gentle introduction to sanitizing your database input, and I would certainly recommend that you do a lot more research on these methods in order to use them correctly in your given environment.

That’s it for today. If you found this useful, of would like to improve it, comments are always appreciated!

Tags: , , , , , , , ,
Posted in php | 48 Comments »

Jul
14
2008

Update: Hunting for the ideal laptop

Pricing on the Dell Studio 17 is available. The Studio 17 looks like a great machine. The pricing is even better! It sells for less than the Vostro, looks nicer, and has more features. Awesome.

I’ve ordered the following:

Intel Core 2 Duo T9300 (2.5 GHz, 800 MHz FSB, 6 MB L2 Cache)
4096MB 667MHz Dual Channel DDR2 SDRAM [2x2048]
17.0″ Widescreen WUXGA+ CCFL (1920×1200) TFT Display with TrueLife
160GB Free Fall Sensor (7200RPM) Hard Drive
8X DVD+/-RW Drive
256MB ATI Mobility RADEON HD 3650
9-cell 87 WHr Lithium Ion battery
Biometric Fingerprint Reader
Wireless 1510 Half Mini Card (802.11n)
Wireless 370 Bluetooth Module
AVerMedia AVerTV Hybrid NanoExpress DVB-T TV Tuner
2.0 Mega pixel Integrated Web Camera
Travel Remote Control Express Card

I can’t wait for it to arrive!

Tags: , , , ,
Posted in General | 5 Comments »

Jul
11
2008

xkcd: A few favourites – Part 2

Tags: , , , , ,
Posted in General | 1 Comment »

Jul
10
2008

Sex sells.

Following my earlier post, titled ANASLEX, I did some monitoring.  My site traffic has spiked considerably.  This, based on a simple (intentional) misspelling.  Sure seems to be a lot of dyslexic folks out there looking for something other that Ana’s Lexus.

Tags: , , ,
Posted in General | 3 Comments »

Jul
09
2008

ANASLEX

So, who wants in?

For my truly dyslexic friends, that Ana’s Lex.  Get your minds out of the gutter.

Tags: , ,
Posted in General | 1 Comment »

Jul
07
2008

Dell’s customer service stinks.

I have been trying for the last 4 hours to speak to a human being at Dell.  I have tried the sales dept.  I have tried placing a new order.  I have tried customer service – all 4 sub-options.  I have tried accounts.  Damn, I even tried the section for government officials.  Dell’s telephone system is an inescapable abyss of incorrectly routed calls to dead lines, incorrect mailboxes and in one case, the sounds of dogs barking in the background.  I shit you not.

A sign of things to come?  If so, I will likely cancel my order and purchase my laptop elsewhere. (If I’m lucky enough to get through to them, that is)

Dell, please get your act together, sort out your telephone system and for the love of small animals, SOMEONE PHONE ME ABOUT MY ORDER.

Tags: , , ,
Posted in General | 5 Comments »

Jul
05
2008

xkcd: A few favourites – Part 1

 

Your IDE's colour may vary.

 

Tags: , , , ,
Posted in General | 4 Comments »

Jul
01
2008

Hunting for the ideal laptop

I am in the process of hunting for a laptop.  I’ve looked at countless offers from various vendors.  As with any purchase one makes, the usual barrage of “sweet deals” from every.single.person.you.know has accompanied the exercise.   Everyone and their uncle can get a great deal.   You gotta love capitalism. (Thank you, though – your offers served as good yard sticks)

The following specs have been the influencing factors:

CPU
Intel Core 2 Duo
- 2.2GHz or above. (Looking at around 2.5GHz)
- Preferably 800MHz FSB.
- Preferably 4MB+ cache.

Memory
2GB (1 x 2048)

Screen
17″ Wide.
- I don’t mind 1440×900 , though I would prefer larger (1680×1050) if it falls within budget, but this is not a “must”

GPU
I can live with the crappy Intel X3100, but would prefer an nVidia chipset.

HDD
Since I have a desktop with 1TB+, size not an issue, 250GB would be perfect, but 160GB is fine too.

Extras
DVD Writer, Wireless – essential.
Bluetooth – Nice to have

Software
If possible, I don’t even want an OS. I’m not going to be using windows, so would rather not have to pay for it.  Thing is, most vendors have to supply a Microsoft OS.   Sucks, but oh well.

At this point, the Dell Vostro 1710 is looking good.  The “best” option comes with nV GPU, and can be further customised to meet the above spec exactly.  As cool extras, it has a 1920×1200 screen, 6MB cache, nvidia gpu, biometric fingerprint reader, built in webcam and bluetooth.

Another contender is the HP 6820.  I think, however, that the Dell packs more punch.  Apart from that, HP never got back to me, so they can sit on a stick and rotate.

I would very seriously consider the HP 6830, but that’s not been released yet.  Looks awesome.

While writing this post, I came across the Dell Studio 17.  It looks decent enough, but at the time of writing I am unable to customise my own nor get a price.  I’ll have to make some calls tomorrow.

I’ll post an update in the coming days.

Tags: , , , , ,
Posted in General | No Comments »