
I have this question regarding the security of data posted to my app. I have code where I catch all the $_POST and $_GET data from the client and put it into an object's arrays. This object is then passed to functions where I need to access a certain type of data (GETs, POSTs, SESSIONs, some configs, etc.).

I catch all the posts and gets with this part of the code:

    foreach ($_GET as $key => $value)       // STORE $_GET VALUES
    {
        $this->_get[$key] = $value;
    }

    foreach ($_POST as $key => $value)      // STORE $_POST VALUES
    {
        $this->_post[$key] = $value;
    }

    foreach ($_SESSION as $key => $value)   // STORE $_SESSION VALUES
    {
        $this->_session[$key] = $value;
    }

    $this->_config = $config;

    unset($config); // CLEAR $CONFIG VALUES

    unset($_GET, $_POST /*, $_SESSION */); // CLEAR $_GET, $_POST FOR SECURITY ISSUES

At the end of that app file, I then reverse $this->_session back to $_SESSION, like this:

    foreach ($in->_session as $key => $value)   // RESTORE $_SESSION VALUES
    {
        $_SESSION[$key] = $value;
    }

How can I escape or do something else with the GETs and POSTs so they can be "safely" used across the application? Sometimes I am using these GETs to access the database, or to write data to the database, but I am not sure if it's safe.

Any suggestion?

  • Looks like you need to escape DB injections and XSS injections. I would recommend sterilizing the values before you store them in the object; for SQL use the built-in SQL escape function, and for the XSS you will have to find the function that is most relevant to you. – talsibony May 13 '15 at 08:41
  • WHY are you doing things like this? There are so many problems (both known and probable) with this approach that I don't know where to start. – thomasb May 13 '15 at 08:53
  • @cosmo0: because I want to pass all needed data, whether it is post, get, session, or config setting, through one object, and simply use what I need, where I need it. But if there is a better solution to achieve this, I will use it. –  May 13 '15 at 09:00
  • Well, the very concept of "passing everything to a single object" is called a "big ball of mud" and is not a good design. I think you'd better rethink your architecture, but without seeing more of your code, I can't really help you (and it's off-topic for SO). – thomasb May 13 '15 at 09:07
  • Well, I just didn't want to call $_GET everywhere I need it, or $_SESSION, and I didn't want to make my object accept 3 params each time I need $_GET, $_SESSION and $config, so I thought if I create an object with those vars included, I can simply pass one argument and separate it where I need to. That was my main objection. And then I could call the needed param simply like this: $obj->_config["keyword"]. So for instance when I call different controllers they get the data they need right away. I just grab those from that object. I thought that would make my code shorter and less complicated. –  May 13 '15 at 11:36
  • Maybe I am wrong and I am open to different solutions. I just don't know any ... so if you can point me to some article or tutorial I would be grateful. I always try to learn how to do things "the right way" or "the best way". –  May 13 '15 at 11:38
  • Related if not duplicate: [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/q/129677/53114) – Gumbo May 13 '15 at 21:24

2 Answers


You will want to escape the values before you store them in your object. I am not sure why you want to unset the original variables, but in case you do that, I would recommend storing their original values in another object for debugging purposes:

    foreach ($_GET as $key => $value)   // STORE $_GET VALUES
    {
        $this->_get[$key] = $this->escape($value);
    }

    ...

    private function escape($value)
    {
        // ... here you will have to escape the XSS or SQL injections
        return $escapedValue;
    }

Here is a nice article to read about security:

PHP Security Cheat Sheet

talsibony

I recommend you filter and sanitize your values from $_POST and $_GET before storing them as objects.

Check out the documentation and the sanitize filters.

Kxng Kombian
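The following is an added example that is not part of the question or of either answer above; it puts together what both answers point at (filtering the values with filter_var(), and protecting them against SQL injection and XSS) in the form of a small request wrapper. The difference from the escape-on-store approach is that the wrapper keeps the raw values and applies the protection that fits each use: validation filters when a value is read, a PDO prepared statement when it reaches the database, and htmlspecialchars() when it is written into HTML. The Request class, the findUser() helper and the users table are assumptions for this example, as is the in-memory SQLite database standing in for the real one. It requires PHP 8.0 or later (constructor property promotion) and the pdo_sqlite extension.

```php
<?php
// Added example, not code from the question or either answer.
// A request wrapper that keeps the raw $_GET/$_POST values and protects each
// use at the point where the data leaves the application: validation on the
// way in, prepared statements for SQL, htmlspecialchars() for HTML output.
declare(strict_types=1);

final class Request
{
    public function __construct(private array $get, private array $post) {}

    // Integer query parameter, validated with filter_var(); anything that is
    // not a well-formed integer (e.g. "1 OR 1=1") yields $default instead.
    public function getInt(string $key, ?int $default = null): ?int
    {
        $v = $this->get[$key] ?? null;
        if (!is_scalar($v)) {
            return $default;
        }
        $r = filter_var($v, FILTER_VALIDATE_INT);
        return $r === false ? $default : $r;
    }

    // POST field as a string, capped in length; arrays (name[]=...) and
    // missing keys become null rather than being coerced to a string.
    public function postString(string $key, int $maxBytes = 255): ?string
    {
        $v = $this->post[$key] ?? null;
        if (!is_scalar($v) || strlen((string) $v) > $maxBytes) {
            return null;
        }
        return (string) $v;
    }

    // POST field that must be a syntactically valid e-mail address.
    public function postEmail(string $key): ?string
    {
        $v = $this->post[$key] ?? null;
        if (!is_scalar($v)) {
            return null;
        }
        $r = filter_var((string) $v, FILTER_VALIDATE_EMAIL);
        return $r === false ? null : $r;
    }

    // Encode a value for an HTML text node or a double-quoted attribute.
    // Applied at output time, so the same stored value can still be written
    // to the database or a JSON response without being double-encoded.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Hypothetical lookup: the users table and its columns are assumptions for
// this example. The id is bound as a parameter, never interpolated into SQL.
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input standing in for a real $_GET and $_POST.
$req = new Request(
    ['id' => '1 OR 1=1'],
    ['name' => '<script>alert(1)</script>', 'email' => 'not-an-address']
);

var_dump($req->getInt('id'));       // rejected: not an integer, so it never reaches SQL
var_dump($req->postEmail('email')); // rejected by FILTER_VALIDATE_EMAIL
echo Request::html($req->postString('name') ?? ''), "\n"; // safe to embed in HTML

// In-memory SQLite stands in for the application's database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

$id = (new Request(['id' => '2'], []))->getInt('id');
var_dump($id !== null ? findUser($pdo, $id) : null);
```

A value escaped once at storage time is only safe for the one context the escaping function was written for; the same string can be written to a database, an HTML page, a JSON body or a log, and each needs its own encoding. Keeping the raw value in the wrapper and encoding at the output boundary avoids both the double-encoding that shows up as visible `&amp;amp;` and the gap that appears when a value is escaped for SQL and then printed into HTML. Note that none of the methods above touch `$_SESSION`: session values are written by the application itself, not by the client, so they do not need the same input validation, though they still need HTML encoding if they originated from user input.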