
EDIT:

For anyone wondering how I achieved it in the end, I realized I should stop being an idiot and instead I now take the user input and import it into the keychain. From the import it pulls the fingerprint which is used for signing in future.

SEE: http://php.net/manual/en/ref.gnupg.php

If it's not working for you, make sure php/nginx/apache have permissions to the folder where your keys are stored. (/home/you/.gnupg)

On our website we are accepting PGP public keys in order to encrypt emails to the user. Up until now we hadn't bothered with escaping as it's still in closed beta.

Obviously as we are inserting it into a database we don't want to leave any vulnerabilities open, but how can I escape it while maintaining the integrity of the key?

Example public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----
  • It's just text, which means it's a string. Stuff it into a text/varchar field, like you would any other text. If you're worried about charset mangling, then use a blob field instead. And then read: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Marc B Oct 02 '14 at 18:20
  • It's already "escaped" into Base64, isn't it? Just plug it into your query parameter and you'll be all set. – Ed Gibbs Oct 02 '14 at 18:20
  • I meant that as it's being taken from the user via a form, and automatically added to a DB, surely it needs to be escaped to prevent any SQL injection vulnerabilities, does it not? – William Dunne Oct 02 '14 at 18:22
  • Use PDO/Mysqli and bind the value. No escaping needed. – Jonathan Kuhn Oct 02 '14 at 18:22
  • Have you considered actually validating the PGP cert that is provided? By doing this, you not only ensure that you have a safe string for insertion, but also a valid key. – Mike Brant Oct 02 '14 at 18:24
  • Escaping params is unnecessary today. Use either Mysqli or PDO, with parameterized queries and your queries are safe without any elaborate escaping routines. – JimL Oct 02 '14 at 18:25
  • Good idea Mike, do you know how I would go about that? There is very little information on it. – William Dunne Oct 02 '14 at 18:26

1 Answer


If you parameterize, then you don't have to worry about escaping at all.

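// Read the ASCII-armored key (from a file here; on the site it comes from the form).
$pgp = file_get_contents('mykey.pgp');

$dbh = new PDO($connstr, $username, $password);

// The key is bound as a parameter, so it is never parsed as part of the SQL text.
if( ! $stmt = $dbh->prepare('INSERT INTO mytable (pgpkey) VALUES (?)') ) {
    // errorInfo() returns an array, so flatten it before passing it to die().
    die(implode(' ', $dbh->errorInfo()));
}
if( ! $stmt->execute(array($pgp)) ) {
    die(implode(' ', $stmt->errorInfo()));
}
echo 'great success.';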

That said, there are no single quotes contained in the key, so you shouldn't have to worry about escaping it, so long as you've validated the input. As @mike-brant put it in the comments:

Have you considered actually validating the PGP cert that is provided? By doing this, you not only ensure that you have a safe string for insertion, but also a valid key.

Sammitch
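
The validation step suggested in the comments and quoted in the answer, as an added example (not code from the question, the comments or the answer): a structural pre-check in plain PHP that verifies the armor framing, the Base64 body, the CRC-24 checksum line when present, and that the first packet is a Public-Key packet. The function names and the dummy sample block are constructed for illustration, and the check is structural only, not cryptographic.

```php
<?php
// CRC-24 as defined for OpenPGP ASCII armor (RFC 4880, section 6.1).
function crc24(string $data): int {
    $crc = 0xB704CE;
    for ($i = 0, $n = strlen($data); $i < $n; $i++) {
        $crc ^= ord($data[$i]) << 16;
        for ($bit = 0; $bit < 8; $bit++) {
            $crc <<= 1;
            if ($crc & 0x1000000) { $crc ^= 0x1864CFB; }
        }
    }
    return $crc & 0xFFFFFF;
}
// Returns the decoded packet bytes, or null if the text is not a well-formed block.
function parse_public_key_armor(string $text): ?string {
    $text = str_replace("\r\n", "\n", trim($text));
    $re = '~\A-----BEGIN PGP PUBLIC KEY BLOCK-----\n(?:[A-Za-z]+: [^\n]*\n)*\n'
        . '((?:[A-Za-z0-9+/]+=*\n)+)(?:=([A-Za-z0-9+/]{4})\n)?'
        . '-----END PGP PUBLIC KEY BLOCK-----\z~';
    if (!preg_match($re, $text, $m)) { return null; }
    $raw = base64_decode(str_replace("\n", '', $m[1]), true);
    if ($raw === false || $raw === '') { return null; }
    // The checksum line is optional in the spec; verify it whenever it is present.
    if (!empty($m[2])) {
        $sum = base64_decode($m[2], true);
        $want = ord($sum[0]) << 16 | ord($sum[1]) << 8 | ord($sum[2]);
        if (crc24($raw) !== $want) { return null; }
    }
    // A key block must start with a Public-Key packet (tag 6), old or new header format.
    $first = ord($raw[0]);
    $tag = ($first & 0x40) ? ($first & 0x3F) : (($first >> 2) & 0x0F);
    return (($first & 0x80) && $tag === 6) ? $raw : null;
}

// Constructed sample: a dummy tag-6 packet wrapped in armor. It is NOT a usable key.
function armor(string $raw): string {
    $sum = base64_encode(substr(pack('N', crc24($raw)), 1));
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
         . chunk_split(base64_encode($raw), 64, "\n") . "=$sum\n-----END PGP PUBLIC KEY BLOCK-----\n";
}
$good = armor("\x99\x00\x04" . "demo");
$inputs = [
    'well-formed' => $good,
    'tampered'    => str_replace('mQAE', 'mQAF', $good), // one byte of the body changed
    'not a key'   => "x'); DROP TABLE mytable; --",
];
foreach ($inputs as $label => $text) {
    echo $label, ': ', parse_public_key_armor($text) === null ? 'reject' : 'accept', "\n";
}
```

Text that passes this check would then be bound as the parameter in the answer's INSERT. The dummy packet is accepted here even though it is not a real key, which is why the gnupg import described in the question's EDIT remains the authoritative validation.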