All times are UTC
 Post subject: Does clonefish protect against SQL injection, etc?
PostPosted: Thu Aug 28, 2008 2:38 pm 

Joined: Thu Aug 28, 2008 2:38 pm
Posts: 6
As title really....

Does clonefish protect against SQL injection, etc?

Thanks
Dan


PostPosted: Fri Aug 29, 2008 11:08 am
Site Admin

Joined: Thu Jan 19, 2006 2:38 pm
Posts: 105
Sure! One of its strengths is the double validation process, which not only protects your application on the client side using JavaScript, but also on the server side with PHP.

Though most beginners forget about quote handling issues during the development of their first applications, Clonefish forces you to keep an eye on it. Every single method that deals with setting or getting values of the input elements (<code>$form->getValues()</code> or <code>$element->setvalue()</code> for example) has a parameter where you have to set whether the value needs to be escaped. It may be as easy as passing <code>get_magic_quotes_gpc()</code> here in case you're processing <code>$_POST</code> data.

This method ensures that Clonefish will always hold clean (unescaped) information. When using the getter methods, you can also decide to omit or use escaping: when sending e.g. emails from such data, you generally don't need escaping; when inserting into a database, you do.

During form generation, Clonefish takes care of HTML escaping too: the getHTML() method of every element type encodes the value into proper HTML. Even if the value is some kind of tag, or has quotes in it, it will be properly encoded as <code>&quot;</code> and so on.

Please take some time to read the "Features" section in the documentation, where you'll find an overview of the methods in Clonefish regarding security.


PostPosted: Wed Sep 03, 2008 9:04 pm

Joined: Thu Aug 28, 2008 2:38 pm
Posts: 6
Thanks for the detailed reply. It resulted in a sale. :)


PostPosted: Wed Sep 03, 2008 9:34 pm
Site Admin

Joined: Thu Jan 19, 2006 2:38 pm
Posts: 105
Thanks for the purchase! :) We hope you'll be satisfied - feel free to contact us whenever you run into problems or need some help!


PostPosted: Fri Sep 05, 2008 5:36 pm

Joined: Thu Aug 28, 2008 2:38 pm
Posts: 6
clonefish wrote:
Thanks for the purchase! :) We hope you'll be satisfied - feel free to contact us whenever you run into problems or need some help!


Ironically, I've now hit an issue. I've got an issue where clonefish is not properly escaping a single quote ('), and therefore the database is getting in a huff when I try to run a query using the output below:

$form->getValue('content', get_magic_quotes_gpc())

content contains text and HTML. There are a few "that's" in the text which it is complaining about.

Ideas?
Dan


PostPosted: Fri Sep 05, 2008 6:07 pm
Site Admin

Joined: Thu Jan 19, 2006 2:38 pm
Posts: 105
Actually, adding and also getting values using <code>get_magic_quotes_gpc()</code> as the second parameter only makes sense when you want Clonefish to be transparent regarding quotes - this method won't solve database injection issues, it just gives you back values the same way.

To insert data securely in a database you should work out your own way in your application or framework. Most of the time such a solution is like this:

- set the form values using <code>setValues( get_magic_quotes_gpc() )</code> when data comes from $_POST/$_GET (it's a portable and safe solution), but use <code>setValues( false )</code> when you pre-fill a form from e.g. a database record (which is unescaped)
- get the form values using <code>getValues( true )</code> every time you want the data to be inserted into a database using handwritten SQL. If you want to send e.g. an e-mail containing form values, use <code>getValues( false )</code>, since you don't need quote escaping in an email.

An alternative method to insert into a database is to use a database layer like AdoDB or PEAR::DB. They can create the SQL statement based on the table name and the array containing the values. However, you'll also have to "synchronize" the quote settings with these classes: if you use <code>getValues( false )</code> for Clonefish, you'll have to tell the classes that the data needs to be escaped; if you use <code>getValues( true )</code>, you'll need to avoid re-escaping the data.

If you still can't solve the issue, feel free to post your code in e-mail!


PostPosted: Fri Sep 05, 2008 6:25 pm

Joined: Thu Aug 28, 2008 2:38 pm
Posts: 6
Ah, right. The confusion was not knowing if the <code>get_magic_quotes_gpc()</code> of <code>getValue('content', get_magic_quotes_gpc())</code> was a boolean or not. So basically use

- <code>get_magic_quotes_gpc()</code> as the 2nd parameter for the portable solution
- <code>true</code> as the 2nd parameter to force the DB-safe version
- <code>false</code> as the 2nd parameter to force an unquoted version, e.g. for email

I deal with injection by using regular expressions to validate all of my input before I do anything with it. Hence why I needed the pro version to make validation quicker and easier.
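The escaping bookkeeping the admin describes two posts up, and Dan's three-way summary of the second parameter just above, modelled in a short PHP script. This is an added example, not Clonefish's code: FormModel, setValues(), getValue(), demo() and insertContent() are hypothetical stand-ins that follow the convention the thread describes (values are stored clean; the flag on the way in says whether the source was already escaped, the flag on the way out says whether to escape for hand-written SQL). The magic_quotes_gpc state is simulated with a boolean, because get_magic_quotes_gpc() no longer exists in current PHP, and the prepared-statement part assumes PDO with the pdo_sqlite driver. The script reproduces the problem from Dan's post (an apostrophe reaching hand-written SQL unescaped whenever the magic-quotes flag is reused on the way out) and contrasts it with getValue(..., true) and with a bound parameter, where no flag has to be synchronised at all.

```php
<?php
// Added example, not Clonefish's code: a minimal model of the "escape flag"
// convention the thread describes, showing where missing or double escaping
// comes from, plus a prepared-statement version that needs no bookkeeping.

declare(strict_types=1);

/**
 * Hypothetical stand-in for a Clonefish form: every value is stored in its
 * clean (unescaped) form, as the thread says Clonefish does.
 */
final class FormModel
{
    /** @var array<string,string> clean, unescaped values */
    private array $values = [];

    /**
     * $inputIsEscaped mirrors the second parameter of setValues():
     * true when the source already added slashes (magic_quotes_gpc on),
     * false when the source is clean (e.g. a database record).
     */
    public function setValues(array $input, bool $inputIsEscaped): void
    {
        foreach ($input as $name => $value) {
            $this->values[$name] = $inputIsEscaped ? stripslashes($value) : $value;
        }
    }

    /**
     * $escape mirrors the second parameter of getValues(): true returns the
     * value with quotes backslash-escaped for hand-written SQL, false returns
     * the clean text (e-mail, templates, bound parameters).
     */
    public function getValue(string $name, bool $escape): string
    {
        $clean = $this->values[$name] ?? '';
        return $escape ? addslashes($clean) : $clean;
    }
}

// Constructed sample: what $_POST would contain for the text
// "There are a few that's in here" under each magic_quotes_gpc setting.
const SUBMITTED_CLEAN   = "There are a few that's in here";
const SUBMITTED_SLASHED = "There are a few that\\'s in here"; // magic quotes on

function demo(bool $magicQuotesOn): array
{
    $post = ['content' => $magicQuotesOn ? SUBMITTED_SLASHED : SUBMITTED_CLEAN];

    $form = new FormModel();
    // Portable choice from the thread: tell the form whether input is escaped.
    $form->setValues($post, $magicQuotesOn);

    return [
        // The mistake from Dan's post: reusing the magic-quotes flag on the
        // way out. With magic quotes off this is raw text in hand-written SQL.
        'flag_on_get' => $form->getValue('content', $magicQuotesOn),
        // Correct for hand-written SQL: always escape on the way out.
        'for_sql'     => $form->getValue('content', true),
        // Correct for e-mail or for a bound parameter: never escape on the way out.
        'for_email'   => $form->getValue('content', false),
    ];
}

// Prepared statement: the driver handles quoting, so the form value is read
// unescaped and there is no escape flag to keep in sync with anything.
function insertContent(PDO $db, FormModel $form): int
{
    $stmt = $db->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $form->getValue('content', false)]);
    return (int) $db->lastInsertId();
}

foreach ([true, false] as $magic) {
    printf("magic_quotes_gpc %s:\n", $magic ? 'on' : 'off');
    foreach (demo($magic) as $label => $value) {
        printf("  %-12s %s\n", $label, $value);
    }
}

// Assumes the pdo_sqlite extension; an in-memory database keeps this offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT)');
$form = new FormModel();
$form->setValues(['content' => SUBMITTED_CLEAN], false);
insertContent($db, $form);
$stored = $db->query('SELECT content FROM posts')->fetchColumn();
printf("stored via bound parameter intact: %s\n", $stored === SUBMITTED_CLEAN ? 'yes' : 'no');
```

Run it with the php command-line binary. The first block of output shows the same submitted text coming back with or without a backslash depending only on the server setting, which is why the thread's advice is to pass true whenever the value is headed for hand-written SQL and false for e-mail or for a bound parameter. Regex validation of input, as in the last post, and escaping address different things: validation limits what is accepted, while escaping or parameter binding keeps whatever is accepted from changing the meaning of the query, so the two are complementary rather than interchangeable.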

