View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 1045 | Composr documentation | General / Uncategorised | public | 2013-02-20 04:14 | 2014-12-02 18:08 |
| Reporter | Duck | Assigned To | Chris Graham | ||
| Priority | @10@ | Severity | feature | ||
| Status | resolved | Resolution | fixed | ||
| Summary | 1045: Coding security in Composr | ||||
| Description | A good tutorial on how to Validate and Sanitize using any built in Composr libraries would be good. | ||||
| Tags | No tags attached. | ||||
| Attach Tags | |||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
|
|
Adding to v10 docs... Sanitising input is almost trivial in Composr. Just use the most appropriate reader function and Composr will then apply appropriate checking/filtering for you. Reader functions include: - [tt]get_param[/tt] -- reading in a string from GET (i.e. the URL) - [tt]get_param_integer[/tt] -- reading in an integer from GET (i.e. the URL) - [tt]post_param[/tt] -- reading in a string from POST (i.e. a form) - [tt]post_param_integer[/tt] -- reading in an integer from POST (i.e. a form) We also some separate security functions for preventing things like filesystem attacks, or basic conformance checking: - [tt]filter_naughty[/tt] -- make sure no file paths are in something that will be used as a path component - [tt]filter_naughty_harsh[/tt] -- make sure something is strictly alphanumeric - [tt]is_alphanumeric[/tt] -- an alphanumeric test that doesn't result in bail-out if failed - [tt]is_valid_email_address[/tt] -- an e-mail address validity check (valid syntax, does not check if it is real, although [tt]is_mail_bounced[/tt] can help find if an e-mail address has bounced in the past) For database queries (i.e. to avoid SQL injection) use the simplified database APIs wherever appropriate, [tt]query_select[/tt] for example. To avoid XSS attacks ensure you use the correct logical escaping in the templates. For example, plain text used in an HTML context would be escaping like [tt]{EXAMPLE*}[/tt] (i.e. with the asterisk). CSRF attacks are already avoided via a form token system and referral checking system. (some of this is specific to v10) (note v10 has a default 'kid gloves mode' so newbie devs are less likely to make a security hole) |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2023-02-26 18:29 | Chris Graham | Category | General => General / Uncategorised |
