0

Let's pretend that you had the task of creating a URL (e.g. a single web page) which receives input (e.g. GET and/or POST) and must clean and safely store that input to a database. In addition, it must be easy to send data to that URL from nearly any application, regardless of the language it's written in.

How would you get this task accomplished in a safe manner?

(I'm thinking of the Pit of Success, as opposed to easily throwing together a PHP script which leaves me wide open to SQL injection.)

EDIT: I've changed the title and some keywords in response to some answers. I was posting this question as a discussion of security and safety for those who may be new to web dev. I am not talking about securing all levels to a paranoid extent, just ensuring minimum security in the handling of user input. The answers I envisioned, in addition to security discussions, would be examples of code which accomplishes the stated task. I will provide my own answer (in PHP) as an example of what I mean.

Also, I am hoping this will become a community wiki.

Pat
  • 16,515
  • 15
  • 95
  • 114
  • Do you know what the input is? Random bits? Text? html? Btw, XSS only becomes a problem when you extract the data again. – Øyvind Skaar Nov 17 '10 at 22:48
  • Well, since this would be a public URL, no, I don't know what the input is. I would expect it to be text or maybe numbers, but the point of the question is how should the code be written to accept any possible input and not let it exploit any known (or anticipated) vulnerabilities. (I removed the XSS part because, as you say, it isn't relevant for storage.) – Pat Nov 17 '10 at 23:14

3 Answers3

0

Well, security can mean lots of different things. There's in transit (SSL), at rest (database and, potentially, file system encryption), and even when reviewing the information posted (XSS and others).

Now, please just don't use a GET request to have data passed into your system. That isn't what GET is for, it is supposed to be used to GET a resource. Hence it's name. POST, on the other hand, well, POSTs data to your system.

The simplest way is to simply accept a regular POST. Every web language and quite a few others can do this.

The site should utilize SSL to make sure the data is encrypted on it's way to you. You should use parameterized queries (at the very least) to protect against SQL injection. And you should scrub the data of any non-allowable characters. Next encrypt the data prior to storage. Incidentally, go ahead and have the connection between your web server and database server encrypted. And, for the really paranoid, encrypt the entire file system the database is running on.

All said and done, it shouldn't take you more than a couple hours to put this together; depending on, of course, what it takes for you to get SSL installed on your server and the facilities your server environment offers for the other items.

NotMe
  • 87,343
  • 27
  • 171
  • 245
0

There is never a quick way to accomplish something which also needs to be secure.

The main part of the hard work is understanding, not implementing.

It also heavily depends on the kind of data. For example, credit card information or american social dingsbums numbers fall under certain laws and must be stored securely within in the database, passwords must be salted and hashed so not even DB Admins can retrieve the user's personal password again etc etc. It's not only a matter of securing the technical transport layers, but also the data itself.

Does "secure" also mean that the data you retrieve "from nearly all applications" can be trusted in any way? If app1 is sending data, but disguises as app2 - is that insecure? How do you identify the system/person where the data originated? IPs can be spoofed, reverse DNS can be manipulated, etc.

mhaller
  • 14,122
  • 1
  • 42
  • 61
  • For the case in question, I assume that the source of the data does not matter (i.e. it would be a public URL), so it cannot be trusted at all. – Pat Nov 17 '10 at 22:20
0

As promised, here is an example of taking input and storing it in a mysql database in what I believe is a secure manner (at least, it is supposed to prevent SQL injection problems). Please correct me if I am wrong. (Note, the only input is from the msg variable, which could be from GET, POST, or a cookie.)

<?php
try {
    $db = new PDO('mysql:host=$hostUri;dbname=$dbName', $user, $pass, array(
        PDO::ATTR_PERSISTENT => true
    ));
    $s = $db->prepare("INSERT INTO $dbName.$tableName (message) VALUES (:msg)");
    $dbData = array(':msg' => $_REQUEST['msg']);
    $s->execute($dbData);
    print "Added to database";
} catch (PDOException $e) {
    // Sensitive information can be displayed if this exception isn't handled
    //print "Error!: " . $e->getMessage() . "<br/>";
    die("PDO error");
}
?>

More information on PDO in PHP.

This code could be called by simply including the variable in the URL (e.g. http://example.com/?msg=MyMessage) or by code (example below is in C#, thanks to this answer).

using (var client = new System.Net.WebClient())
{
    byte[] response = client.UploadValues(
        "http://example.com/", 
        new System.Collections.Specialized.NameValueCollection { { "msg", "MyMessage" }});
    Console.WriteLine(System.Text.Encoding.UTF8.GetString(response));
}
Community
  • 1
  • 1
Pat
  • 16,515
  • 15
  • 95
  • 114