PHP Classes

I'm sorry, but this script is useless.

Recommend this page to a friend!

      PHProtector  >  All threads  >  I'm sorry, but this script is useless.  >  (Un) Subscribe thread alerts  
Subject:I'm sorry, but this script is useless.
Summary:Package rating comment
Messages:6
Author:Thiemo Kreuz
Date:2010-04-06 07:49:55
Update:2010-04-07 10:58:41
 

Thiemo Kreuz rated this package as follows:

Utility: Bad
Consistency: Insufficient
Documentation: Bad
Examples: Bad

  1. I'm sorry, but this script is useless.   Reply   Report abuse  
Picture of Thiemo Kreuz Thiemo Kreuz - 2010-04-06 07:49:55
I'm sorry, but this script is useless. It is a simple bad word filter. It simply blocks all requests with a word that is considered bad by the script. The bad words list includes "user", "show", "select", "version" and a lot more very common words and even double dashes "--" and the hash mark "#". If you use this script in your weblog or forum many posts will be blocked for no reason. It's forbidden to ask "Where did you come from?" for example. The script calls you an attacker because you used the word "where". Again, I'm sorry but it's a bad idea to use regular expressions to detect SQL injections. Use mysql_real_escape_string().

  2. Re: I'm sorry, but this script is useless.   Reply   Report abuse  
Picture of Thiemo Kreuz Thiemo Kreuz - 2010-04-06 08:00:57 - In reply to message 1 from Thiemo Kreuz
Another reason why I rated the script so bad are the regular expressions. The patterns are very slow because they cause a lot of unnecessary back tracking (partly caused by the ".*" in front of each word).

  3. Re: I'm sorry, but this script is useless.   Reply   Report abuse  
Picture of Hugo Sousa Hugo Sousa - 2010-04-06 12:46:26 - In reply to message 1 from Thiemo Kreuz
Thank you Thiemo for the feedback. You refer the fact that the word filtering is too restrictive, and i have to give you reason in that point. This script is runing from about 1 year in many Portuguese Enterprise sites that i have developed in the past, until now many sql injection atacks where blocked by this script. The reason this filter is too restrictive is simple, english words were not normal in this type of sites.
You refer that is bad ideia to use regular expressions to detect Sql injection but the function that you refer (mysql_real_escape_string()) is easily bypassed, there are lots of examples that will easily bypass that filter.
About the fact that the regex pattern check is slow i will investigate, but i havent notice any slowness problems in sites by using this script.
I will try to fix this issues in a next release to make the script more usable in generic sites.

  4. Re: I'm sorry, but this script is useless.   Reply   Report abuse  
Picture of Thiemo Kreuz Thiemo Kreuz - 2010-04-06 19:08:25 - In reply to message 3 from Hugo Sousa
Blocking all requests that contain "--" or "#" somewhere is independent from the language. An other example is a forum where the users want to talk about SQL statements.

It's true that not all security vulnerabilities can be fixed by simply adding mysql_real_escape_string(). However, it's not true that mysql_real_escape_string() can be bypassed.

In this example a SQL injection is possible:

mysql_query("SELECT * FROM table WHERE id = " . $id);

Adding mysql_real_escape_string() does not fix the security vulnerability:

mysql_query("SELECT * FROM table WHERE id = " . mysql_real_escape_string($id));

Adding single quotes fixes the security vulnerability:

mysql_query("SELECT * FROM table WHERE id = '" . mysql_real_escape_string($id) . "'");

Again, using bad word filters is always a bad idea, no matter how sophisticated the filter is. If you fix your security vulnerabilities in the first place you don't need any filter.

  5. Re: I'm sorry, but this script is useless.   Reply   Report abuse  
Picture of Hugo Sousa Hugo Sousa - 2010-04-06 21:57:28 - In reply to message 4 from Thiemo Kreuz
I think your are missing the point of this class. The second query is a very good example, where you use mysql_real_escape_string() incorrectly with an integer, and is vunerable with Sql Injection. By far the majority of PHP developers whould think that code was safe. Bad code is the real problem here, this type of atack is not a new one...

I really have no doubt that if your code is 100% correct the whole ideia of filters is just useless, but in the real world people make mistakes.
This class want to add that extra layer of security to some code that could be not perfect from the security point of view.

About the ideia of filtering being a bad ideia, i think it really depends where this script is used (i think you shown that when you talked about foruns). Like i said in the other post to other user, the routine for Sql Injection could work in a diferent way for GET and POSTS. Comparing GET vars with filters and escaping POSTS (making sure that integer POST vars start with "id" to be checked if are integers really).

  6. Re: I'm sorry, but this script is useless.   Reply   Report abuse  
Picture of Thiemo Kreuz Thiemo Kreuz - 2010-04-07 10:58:41 - In reply to message 5 from Hugo Sousa
The point of all filters is to hide security vulnerabilities instead of really fixing them.

The main problem with your implementation is that it causes a *lot* of false positives. Regular visitors are blamed "attackers". If you want to pay something, for example, you should really care about this.