Articles

Taking the Best Measure to Fortifying Your Scripts

July 16, 2010 • By

No matter how hard we try, we always seem to forget to secure certain aspects of our scripts, whether be it an input field or data being inserted into a database. It would definitely be nice to fall back on security precautions that we implement into our scripts whether or not we have sanitized everything needed. Here are some tips and coding styles to achieve just that.

The Solution

The difference this solution can make is massive depending on how large the script is. We generally know that the larger or more complicated the script is the more we will miss on securing things. Using a precautionary solution enables us to have automatically patched many things we may have forgotten to sanitize or secure.

For example, forms provide a way for users to provide data for input into your database or other storage methods. We know that forms are the general cause of security flaws in many scripts that fail to have properly sanitized input due to ignorance or the cause of forgetting to do so. Another common missed aspect is forgetting to sanitize superglobals such as $_POST, $_REQUEST, $_GET, and others.

Furthermore, developing a solution that performs the sanitization and takes security measures for us is an excellent fall back as it could do the patching work for us in many situations, which provides us the time to create a permanent fix.

Which Scripts Benefit the Most?

Many scripts we create may be too small to bother developing a fallback component, as it may be larger than the script itself. Thus, it will definitely be a waste of time to do so. However, if you are developing a fairly large system, whether hitting the mainstream or not, spending the time to develop a fallback component will definitely be worthwhile, especially if the system being developed handles transactions or is built around user inputted data.

If your script happens to fall in the too small to bother category, you can still take certain precautionary measures while developing it. These precautionary measures include frequently testing your work as you go along for security flaws and going over your work multiple times. These measures should also be taken in any sized project, as checking your work is always a great thing to do.

Creating These Solutions

Creating a fallback component depends on your needs and expectations of how it should function. It can be a complex solution and can automatically detect the input type and sanitize accordingly, or it can be a simple solution implementing a standard sanitization or security method throughout. You should remember that these fallback solutions create temporary security patches to certain security flaws until you can get in and create a permanent patch, thus, you should not rely on this component as your only means of sanitization and security.

When creating these solutions, creating classes is generally a good idea as they act as an interface handler for each of your solutions. In order to better understand and grip this idea I will briefly walk through a simple form handler class that takes a default sanitization method throughout.

Let us dive right in to the way this form handler class was structured and the way it functions. This class was designed to replace creating your own forms with its own infrastructure to assure that the form is handled securely. However, this class lacks auto detection of deciding what security measures to take based on the user inputted data, nevertheless, it does take basic security precautions to assure that the data being handled is not abrasive.

Examples and Best Practices

Let us look at one of its methods, the text area handler:

...
//begin a foreach to grab 'em values
foreach($array as $key => $value)
{
//begin the switch case to identify the values
switch($key)
{
Case 'name':
$name = $value;
Break;

Case 'class':
$class = $value;
Break;

Case 'id':
$id = $value;
Break;

Case 'value':
$i_value = $sanatize->specialTrim($value);
Break;

Case 'required':
$required = $value;
Break;

Case 'label':
$label = $value;
Break;

Case 'hint':
$hint = $value;
Break;
}
...

As you may have noticed, it automatically sanitized the user-inputted value, it is simple, however effective. In the code snippet above, it is running a check on all the possible fields available for a textarea box; this is designed to assure that unwanted fields are filtered out.

Another key aspect to this form handler class is the way it handles some of the superglobals mentioned earlier:

public function post($parameter)
{
$cleanup = @$this->stripBreak($parameter);
$post = @$_POST[$cleanup];
return $post;
}

/******
* @method public
* @return $_REQUEST
* @param string the $_REQUEST param which is sanatized
* This handles the $_REQUEST variable which also sanatizes its value
*/

public function request($parameter)
{
$cleanup = @$this->stripTags($parameter);
(Visited 25 times, 1 visits today)