There are still a lot of XOOPS modules and PHP applications with SQL Injection holes.
Protector can block some patterns of SQL Injection.
It is only "some", not "all".
That is because Protector cannot tell attacks from legitimate requests at the REQUEST layer alone.
A word like "UNION" in a posted value is rewritten as "UNI-ON".
Such modification at the REQUEST layer is really nonsense.
So Protector should judge them at both the REQUEST layer and the DB layer.
anti-XSS:
(a) doubtful requests are found
(b) ob_start()
(c) compare requests and outputs
SQL Injection:
(1) doubtful requests are found
(2) override DB layer
(3) compare requests and SQLs
It is not easy to implement (3) because Protector would have to parse the SQL.
However, (2) will be the bigger problem for XOOPS,
because there is no way to override the DB layer.
In the next entry I will suggest to all the core teams that the DB layer be made overridable.
This idea is based on JM2's (from four years ago!).
He is the real hero of XOOPS.
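To make the two-layer idea concrete, here is an added example in PHP. It is not Protector's code, and the function and class names (find_doubtful_values, judge_output, JudgingDb) are assumptions. A constructed sample request is screened at the request layer, an ob_start() callback checks whether a doubtful value reached the output unescaped (steps a-c), and a stand-in DB layer checks whether a doubtful value ended up in the SQL outside a quoted string literal (steps 1-3). Blanking string literals with a regex is the crudest possible stand-in for the SQL parsing of step (3).

```php
<?php
// Added example, not Protector's own code: judging doubtful request values
// at two layers, the output layer for XSS (steps a-c) and the DB layer for
// SQL Injection (steps 1-3). Every name in this script is assumed.

// Constructed sample request, used instead of $_GET/$_POST so the script
// runs offline. The first two values are constructed attack strings.
$request = array(
    'uid'  => "1 UNION SELECT pass FROM users",
    'name' => "<script>alert(1)</script>",
    'page' => "2",
);

// (a)/(1): pick out doubtful values. The markers are deliberately crude;
// the real judgement is made only when a value reaches the next layer.
function find_doubtful_values(array $request)
{
    $doubtful = array();
    foreach ($request as $key => $value) {
        if (preg_match('/<\s*script|\bUNION\b|[\'";]/i', $value)) {
            $doubtful[$key] = $value;
        }
    }
    return $doubtful;
}

// (b)/(c): ob_start() callback. A doubtful value that appears in the output
// verbatim was never escaped by the module, so the page is withheld.
function judge_output($buffer, array $doubtful)
{
    foreach ($doubtful as $key => $value) {
        if (strpos($buffer, $value) !== false) {
            error_log("possible XSS: request[$key] reached the output unescaped");
            return "Blocked by the output-layer check.\n";
        }
    }
    return $buffer;
}

// (2)/(3): a DB layer the module calls instead of the real one. Quoted
// string literals are blanked out first, so only a doubtful value that
// ended up in the SQL *outside* a string literal is judged as injected.
class JudgingDb
{
    private $doubtful;

    public function __construct(array $doubtful)
    {
        $this->doubtful = $doubtful;
    }

    public function query($sql)
    {
        // regex: '...' with \-escapes and doubled quotes inside
        $bare = preg_replace("/'(?:[^'\\\\]|\\\\.|'')*'/", "''", $sql);
        foreach ($this->doubtful as $key => $value) {
            if (strpos($bare, $value) !== false) {
                error_log("possible SQL Injection: request[$key] is in the SQL outside quotes");
                return false;
            }
        }
        return true;   // stands in for handing $sql to the real DB layer
    }
}

$doubtful = find_doubtful_values($request);   // uid and name, not page
$db = new JudgingDb($doubtful);

// A module that concatenates the raw value is caught by the DB layer...
var_dump($db->query("SELECT * FROM users WHERE uid=" . $request['uid']));
// ...while one that quotes and escapes the same value passes.
var_dump($db->query("SELECT * FROM users WHERE uid='" . addslashes($request['uid']) . "'"));

// The same idea at the output layer: this raw echo is withheld.
ob_start(function ($buffer) use ($doubtful) { return judge_output($buffer, $doubtful); });
echo "<p>Hello, " . $request['name'] . "</p>\n";
ob_end_flush();
```

Run it with php-cli (5.3 or later, for the closure): the raw concatenation is reported as injection, the addslashes()-quoted form passes, and the raw echo is replaced by the blocking message, with both reports going to error_log(). The request-layer markers alone would have flagged all three cases, which is exactly why the judgement is left to the layer where the value is actually used.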
serialize()/unserialize() vs. var_export()/eval()
A) security
You may feel it is dangerous to use eval().
Of course, you should never feed requested text to eval() (var_import()).
However, you cannot use unserialize() on requested text either.
B) speed
A script to verify it (the iteration count is the first command-line argument):
#!/usr/local/bin/php
<?php
// adjust the shebang above to your php-cli binary
function getmicrotime()
{
    list($usec, $sec) = explode(" ", microtime());
    return ((float)$sec + (float)$usec);
}
function var_import($data)
{
    // var_export() output is PHP source, so eval() restores it
    eval('$ret=' . $data . ';');
    return $ret;
}
// stand-in for the "big array" of the original benchmark
$data = range(0, 9999);
$loops = isset($_SERVER['argv'][1]) ? (int)$_SERVER['argv'][1] : 1000;
$time_start = getmicrotime();
for ($i = 0; $i < $loops; $i++) {
    $serialized_data = serialize($data);
    $restored_data = unserialize($serialized_data);
    $serialized_data = var_export($data, true);
    $restored_data = var_import($serialized_data);
}
$time_end = getmicrotime();
echo $time_end - $time_start, " sec.\n";
?>
We always use the built-in serialize() to serialize arrays/objects.
But the format made by serialize() is hard to use in multibyte environments, because every string is stored together with its byte length.
So this procedure breaks the data:
serialize() -> encoding translation -> unserialize()
(your_encoding) -> UTF-8 -> (your_encoding)
The format made by var_export() is plain PHP source with no byte lengths:
array(
'index' => 'value' ,
)
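To show the multibyte problem concretely, here is an added example (not the post's script): it serializes an array with a Japanese value in both formats, translates the text from UTF-8 to EUC-JP with iconv(), and restores it. var_import() is the same eval()-based helper as in the post, so it is only for text you produced yourself, never for requested text. The array, the encodings and the helper name translate() are constructed for the example, and iconv support in PHP is assumed.

```php
<?php
// Added example (not the post's script): why serialize() output breaks
// under encoding translation while var_export() output survives.
// Assumes the iconv extension; the sample array is constructed.

// The post's helper: eval() on text you produced yourself, never on a request.
function var_import($data)
{
    eval('$ret = ' . $data . ';');
    return $ret;
}

// assumed helper name; wraps iconv()
function translate($text, $from, $to)
{
    return iconv($from, $to, $text);
}

// "日本" is 6 bytes in UTF-8 but 4 bytes in EUC-JP. EUC-JP is chosen here
// because none of its bytes collide with ' or \, which eval() would parse.
$data = array('index' => "日本");

// serialize() embeds the byte length: a:1:{s:5:"index";s:6:"日本";}
$s = serialize($data);
$s_eucjp = translate($s, 'UTF-8', 'EUC-JP');
$restored_s = @unserialize($s_eucjp);      // the "6" no longer matches the data
echo "serialize()/unserialize(): ", ($restored_s === false ? "broken" : "ok"), "\n";

// var_export() writes PHP source with no length prefix: array ( 'index' => '日本', )
$v = var_export($data, true);
$v_eucjp = translate($v, 'UTF-8', 'EUC-JP');
$restored_v = var_import($v_eucjp);
$expected = translate("日本", 'UTF-8', 'EUC-JP');
echo "var_export()/var_import(): ", ($restored_v['index'] === $expected ? "ok" : "broken"), "\n";
?>
```

Save the file as UTF-8 and run it with php-cli. The serialize() round trip fails because unserialize() reads the six bytes it was promised and then finds the record structure out of place, while the var_export() text is ordinary PHP source and is parsed the same way in either encoding. The post's order of translation, (your_encoding) -> UTF-8 -> (your_encoding), fails for the same reason.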
I'm writing a CGI to install/update XOOPS cores/modules.
It means you will be free from "uploading/overwriting massive files via ftp" and "chmod-ing some directories before installing".
There are a lot of shared web servers like this:
PHP: apache module (runs as apache/nobody)
CGI: suExec (runs as the file's owner)
Users of such servers are lucky.
But I write the CGI not in perl but in bash, because perl can cause errors depending on modules/environments.
These are tips/problems for writing a CGI in bash.
- echo the HTTP response headers
Without HTTP headers, the server answers with a 500 error.
- how to get the request variables
GET variables: parse $QUERY_STRING
POST variables: parse <stdin>
This is a sample of the parser (the keys and values it yields are still URL-encoded):
# GET: the variables are in $QUERY_STRING; POST: they arrive on stdin
if [ "$REQUEST_METHOD" = "POST" ] ; then
  read -r query
else
  query="$QUERY_STRING"
fi
query="$query&"
until [ -z "$query" ] ; do
  k_v=${query%%&*}     # first key=value pair
  query=${query#*&}    # the rest
  [ -z "$k_v" ] && continue
  key=${k_v%%=*}
  value=${k_v#*=}
  echo "$key=$value"   # do something with the pair (here: print it)
done
I've supervised a translation of "Ajax Security" into Japanese.
original:
"Ajax Security"
Addison-Wesley
Billy Hoffman & Bryan Sullivan
This news has no value in English, sorry.