MySQL - PHP で変数をサニタイズする (filter_var) (MySQL - Sanitize Variables with PHP (filter_var))

字幕表動画を再生する

creating these classes requires equipment and service.
Is that cost money?
If you appreciate this education, please think about going to Eli the computer guy dot com and offering a one time or monthly recurring donation.
Welcome back.
As you know, I am Eli the computer guy, and in today's class, I'm going to be showing you how to sanitize your variables when you're sending data from your PHP scripts to you're my sequel.
Database tables.
So again, we're going to be using an HTML form.
That HTML form is going to be handing off the variable values to a PHP script that PhD script is going to then parts.
The values turned them into PHP variables.
Plug that into a sequel statement and ship that off to the my sequel database server to insert insert records into that.
My sequel Databases Table.
Now it's important.
Understand, whenever you're dealing with security and the computer around is that you're going to have to deal with security from multiple fronts too many times when people think about security again, when it comes to technology, they have this idea of like one product or one solution secures your system, which is just foolish again for dealing with a computer or dealing with a server.
You do not simply install anti virus in your system is sick.
You're one thing does not secure the system.
You have to have antivirus.
If it's ah, client computer, you probably want some anti spam or anti malware anti spyware software on there you need to have the firewall on.
You need to have the account policies set up properly.
Plus, you just need a backup system in case something stupid happens, right?
You have multiple ways to secure either your client system for your server system.
You don't just use one product the same mystery whenever you're dealing with things like my sequel database servers again, like a lot of people, hyper focus on one specific attack in order to secure their server, and they ignore the other ways that their systems could be attacked.
And, of course, at the end of the day, when something happens, they always say, I did what I was supposed to do.
It's not my problem.
What anyone s 01 of things we did in the last classes.
We did something called a prepared statement, so prepared statement tries to prevent what Ercole sequel injection attacks.
So the idea with a sequel injection attack is that you try to escape out of the statement that PHP is sending to your my sequel server and then essentially add your own sequel statement.
So there's an or there's a statement that supposed to be sent.
You try to do something to escape out of that statement and your own statement, and then you hope into my civil database server, then read your statement and actually execute that.
So this could be a something such as deleting a table.
This could be something like adding a record to a table.
Or this could be something such as backing up the tables or database to an off site location, going off some backup.
I'm just, you know, off citing it to someplace these people don't know exist.
That's all I'm doing right?
But one of things everything about with injection attacks is beyond an injection attack again.
Where you're doing something a sequel injection or to try to manipulate the server is that you can have your users also trying to insert things, suck as tags or such as other types of code that will be triggered in different ways.
Eso one of things that I'm going to show you today is basically where we're going to use the same form we've used, like 10 times.
Now where is the name?
It's Ah, the name.
It's an egg, It's a gender, and that goes into the students table.
One of things that I'm going to show you how to do is instead of typing out a normal names like his Bob or whatever else what I'm going to actually do is I'm gonna type in a hyper link with Bomb as the name's type out the entire a ref tag.
Plug that into the normal HTML form that will then get plugged into the my sequel database servers table.
And then when we do a select statement, basically we print that out onto our Web browser screen.
You'll see that there's one particular record where the name is that will actually now be a hyper link that you can click on it right on.
So this is one of the problems you can run into, and this is where we have to think about security from all aspects of your system.
So if you have users that are going to your site and somebody does something suckers plug in a.
Oh, a hyperlink were simply a name should be.
You then may have your users quick enough hyperlink that goes to a spam site or virus site or something like that.
And then you start causing all kinds of problems.
What we're going to do today is we're going to be.
Then it's sanitizing what is called a sanitizing that variable.
So we're going to use a function called filter Underscore Bar.
So what this function does, is it actually sanitizes variables?
Cdu's filter underscore bar.
You do parentheses, you then give the variable that you want to sanitize you, then do comma, and then you give it what filter you want to basically filter.
Sanitize that variable based on so they have a filter for strings.
They have a filter for e mails.
Actually, I'm like 20 different filters, and again, this is one of those things to be thinking about is not like you.
Just do one filter against the variables.
It depends on what what type of variable you're supposed to be using.
So if it's supposed to be an email address that somebody is submitting that you could do the filter underscore bar, dollar sign, email, whatever is comma, the whatever the filter is for the email address.
And then basically, what we do is what filter will do is it'll rip out everything that isn't supposed to be in an email address.
What I'll show you today, using the string filter is basically again.
I will.
I will plug in that a ref into the form will actually see how that works is an attack.
But then, after that, I will add this filter to our normal PHP code.
And what will happen is that this filter will go through and it'll actually rip out.
All the HTML tags on will simply leave the text that is supposed to be here.
So this is what we're talking about when we're talking about sanitizing variables, and that's why it's important when you're dealing with again.
HTML forms PHP inserting or updating into my sequel a database tables.
There's no riel warning warning for today it's Maur.
This is the type of thing that you are going to have to play with.
I know, I know.
Oh, Eli, what?
You being a tech professional is supposed to play an experiment and see what happens.
Shocking.
I can't believe the advice you give sometimes, Eli, but that's related case again.
When you're going through when you're trying to sanitize the variables with the particular function that I'm showing you today filter underscore bar.
There are many different filters.
So what I would suggest is you just you create some really nasty variables and then you you play and you go out and see what the results are When you send that nasty variable through these different filters and you figure out what result works best for you, I will also say again when you're talking about doing things like a sanitizing your variable that there are other functions you can use to sanitize variables how you d'oh.
Uh, the sanity ization of your variables really depends on what results you need.
And you expect, um, again.
And that that's one of those things you can run into or it's not.
It's not that there is one way to solve any problem.
It is for your specific situation.
You figure it out again.
Do make sure you play with this on test systems.
Sanitizing variables, actually does.
Shaking the frickin very simple.
So you do it on a production system.
You're not really sure what you're doing?
You could host something up really quickly, but that's really all the warning is today is Go play with this.
See?
See what actually happens.
It see if the results are acceptable.
Try a lot of different experimentations, see what happens, and then you go from there.
So with that, let's go to the computer and I'll show you how this works.
So here we are, back in my lab environment again.
I'm using a bunch of desktop 18.4 Lt s.
But realistically, any version of a bunch of desktop should work fine for you.
I have this right in a virtual machine and virtual box.
And of course, this is running on my Mac book pro in order to create a full lamp stack here, I used a tool called Task Cell Ta s k s E l that installed the a Paki of my sequel and PHP.
I have not modified any.
The default configurations PHP dot I and I ve host all of that type of thing.
Our standard out of the box.
The only modification that I have done as I did create a PHP folder within the Apache root Directory, I guess, is a place to dump these particular PHP scripts and keep it all nice and clean.
So that's the environment that we're going to be dealing with today.
So the first thing that we need to do, of course, is we no need to go.
And we need to take a look at our my sequel database.
Make sure we know what's going on with my single database.
Eso es type in terminal, the term and no in the search box to get to the command prompt.
From here we go into my sequel space.
I've been used, uh, Bob Space Life and P for a password Password.
123456 Of course, we're using the same database we've been using for all of these things.
Projects we're gonna be using Class D B use class D be said Michael, going a class D B.
Then we go to show tables, make sure we know what tables were dealing with.
We can see here and basically a table that we're going to be dealing with is the students table.
Of course we do D E s c U to describe the students table just to make sure we know what's going on.
The students tables Colon, This will show us a student stable has a student underscore idea that is an indeterminate the primary key.
And that's an auto increment.
Basically, that's Kristen I d.
For all the different students we have named his text age is ended, your gender is text and we have a uniform feel we're not dealing with.
Today is also text we d'oh select oh, from students just to see what the records look like.
Semi colon, we can go and we can see.
And basically we've just got the standard kind of crappy down and that we should expect here, Right?
So if a student I d number 23 24 away for 38 we have a name Bob.
Susan, Patsy, Tom.
We have a nigga's.
We have genders on.
Then here we have known for the uniforms.
So this is this is what the data in this particular table should look like.
So let's go over.
Take a look at the form so This is just Mozilla Firefox.
This is up.
We've just going going to the form dot html.
So this is the HTML form we're using to submit data to the script.
And then that script will input Dad up into this particular table.
So if we go here Oh, we can just say, Let's say, Freddy, for a name we could do an age of 32 we can make Freddy be a boy.
We do a submit query.
So added Freddie 32.
Boy, I have created a little PHP script that will actually print out a select a statement to the screen.
So if I do a refresh, you go here again.
We see the same information that we see in the mice Equal database table.
That's where you can see if a record 39 we have Freddy on we have there a boy.
If you go back here again, select all from students.
We can see Freddie 32 boys.
So basically we can see all of this information is getting inputted.
We can pull this out again.
This is like a web before warm.
This is a report form.
Oregon's go back into my sequel Database Server actually do a select all for the table and see all the information there.
So let's see what this kind of insertion attack looks like and what we're trying to prevent.
So we go over to g et it, I can open this up and basically, just to make my life easier, I have created this hyper link for the name Bob.
So we can see here is a graph equals double quotation marks.
A key tp forward slash all that www dot CNN dot com clothes.
Then it will show Bob.
Then it will close the hyperlink.
And so what I can do is I can simply d'oh control, See?
So basically, I can copy this.
I can come over back to the same form that I was using before, and I could just copy and paste this lips back.
Copy paste this on And there again.
So a copy paste that in less came the eight here to 11 on Lestrange This to a girl and then we can submit query.
And so the first problem that you're going to see here is now we can see added we can see 11.
We can see girl.
But if we put our personal little cursor over this, we can now see that this is actually a link.
We go over here again.
This is just a printing out the slept statement to the screen.
I do a refresh when I can now see is that for record 40 Bob is a girl, but Bob is now a hyperlink.
See how none of these are hyperlinks is the hyperlink.
And if I click on this that it will send somebody over to CNN dot com.
No, yes, any of them to fake now, is that so horrible?
But like I say, this actually is an assertion.
And this actually works.
And so imagine.
Imagine if you have people inserting their names again into something like a forum into some some kind of system where other people are going to be looking at it.
If there is a hyperlink over their name or over some other object, you're going to get a certain number of people clicking that hyperlink.
And again, if it's a corporate environment that may be going to a virus, spyware, hacking tools, all kinds of problems.
So the way that we deal with this is that we use at the of the function of cold filter Underscore bar.
Right.
So we go over here, we take a look at the PHP form as it stands now.
So this is the form dot html.
So the form not html is this form here, right?
And so, as you can see, it's a normal form, so form action equals PHP form dot PHP.
So the information that's gathered from this form will be sent to the ph b form dot PHP.
We have a name is a text name his name.
Age is a text name is age, Gender is gender.
And then you get either nothing you get boy or girl.
And so this all gets tossed over to the pH B form, not PHP from here.
What happens is you get the post name right is turned into the PDP variable dollar side name the Post A has turned into the PHP variable dollar sign age and the post gender is turned into the variable dollar sign gender again.
So this name a gender history a fresh comes from name A and gender.
So whatever you name these fields here.
That's where you grabbed from the post.
Then pass that again.
We have no security in here.
We have no standardization so we can act to the server like we normally dio.
We create the actual connection like we normally dio.
If there's a problem with the connection, we fail like we normally d'oh!
And then simply from here we have a sequel statement that says Intern, insert into student's name, age, gender and you have values name, aid and gender, right?
So basically, if it's text in your my sequel database and you submit taxed, and then it's simply going to be inserted if that text is just the name or if that Texas A full hyper Laker, who the hell knows what else?
It will just get inserted again.
You can have Java script get inserted.
You have all kinds of stuff.
Get in certain, right and then, from here, basically connection.
Query.
If this is actually true, if the if the sequel statement actually runs the data, the record is created.
Then it simply prints out what was added.
So the name, the age and the gender, if not errors and connection closes.
So basically, what you can see here is this literally just takes whatever the hell comes in from the HTML form.
So if it's text, it just grabs that text turns into a variable, and then it inserts it into my Siegel database and nobody asks any questions.
So what we want to do is we want to grab this little thing here, so we're gonna be control.
See, you're gonna go back to appear before, and we're going on this here too.
Then a Santa ties are variable s.
So here we have dollar sign names, a dollar that sign name equals whatever comes in from the post named name.
So we're gonna do here is we're just going to the increasing say that the value of name we're going to give it a new value we're going to do is we're going to use this function.
So filter underscore bar, and then we're gonna do is dollar sign name.
So basically, dollar sign name as it is, we'll get put into dysfunction.
Then we do comma and then we add the filter filter underscore sanitize string.
So this is the particular filter that we're going to be using again.
There are lots of different filters out there for this particular function to go down here.
Let's take a look at safari.
You're PHP manual for filters.
You have this sanitised filters and you could see that there are a lot of different filters here.
So filter underscore, Sanitized for email, sanitized for encoded for quotes for a number.
Float for a integers for special characters for the string.
So that's what we're gonna be doing.
Sanitized, strip sanitized for U.
R l s.
Oh, there are a lot of these different filters, and basically, what you do is you just sanitize based off of what you're looking for.
So if you want to make sure that only an email will go in, you can filter based off of an email again what we're doing today.
If you want a filter for a just a string again, what this does is strips, tags, optionally strip or encode special characters.
And this is one of us again.
Like I say, that you've got to, like, play around with and see what works best for you.
Let's go back so name equals filter of our open parentheses.
We then just feed theory journal variable.
So this is what's going to come in.
We're going to sanitize the screens stream.
Yes, the string running on closed parentheses.
And then, of course, it's PHP.
So we're gonna do the cynical we're now going to do safe.
We can.
Then now that it's safe, we can then go back.
Let's say here what we're gonna do is we're just gonna put Tim.
So we see that this is a different record.
If we will change, 10 to 22 will change him to a boy you will now submit.
So now you can see Tim here that the html that hyper like has been stripped out.
Now all we see is the normal name, Tim.
We go to this little select report that I created before us.
He couldn't see that Bob was a hyper like, If I do a refresh, we can see the new record is created, and it's simply has the name Tim on.
And there's no hyperlink there.
We then go to our my sequel database on Actually, take a look at the table, make sure nothing stupid was put into the table against, like all from students in the inner.
And again we can see that Tim was only at so all this a ref here that you have for Bob that was all ripped out.
All that was left is the name the text string that you actually wanted so on and so forth.
And this is what you can see is without that standardization, you could see that the entire, that entire HTML attack.
That whole thing went to the database and actually got inserted s.
So that's what we're talking about.
We're talking about sanitizing strings, and again, this is using the filter underscore bar function.
There are other ways to sanitize strings, but especially when you're playing around and your new this filter underscore of our function.
I think it's very useful because again, it has a lot of different filters that you can use some things that you can play around with.
So if nothing else, this is a good place to start.
So there you go.
Now you know how to sanitize variables using the filter underscore of our function again, there are other functions out there.
There are other ways you can sanitize variables, how you sanitize and what you need to dio really depends upon your particular situation again it is important to understand whenever you're dealing with something like a my sequel server is that there are multiple vectors for attack.
There's multiple, different ways to try to compromise the system.
Some ways it's a sequel injection Attack were literally trying to compromise the sequel server and get the sequel server Do something like back up to an off site location.
Other ways is again, you know, you think about if you're going to be building some kind of like public CR M solution, So you're gonna be building a new WordPress.
We're gonna be building a new group or something like that, being able to filter our people's ability to create hyperlinks and things like the name of box or whatever could be a very valuable thing.
This was a big issue that I saw, like 10 years ago, when when forums were really big, right when social media was completely new, when everybody was trying to become the next Facebook, you saw a lot of public forums and get deployed, frankly, using some some pretty crappy code to get things accomplished.
And one of the issues that you saw is that literally people were inserting.
They were uncertain.
I just aged amount, but they're inserting Java script.
Basically, they were inserting all kinds of crap into the fields that would actually get recorded in my secret database tables.
And then whenever somebody printed out a screen in a report and that those tags those scripts were called, those scripts would then run.
And then you will get viruses and then you get mad aware.
Then you get pop ups and you get all kinds of nasty stuff.
And this is one of those things to be thinking about.
Did did the hacker really compromise the My sequel server?
Know that my sequel server itself is still secure?
It's your users getting compromised, right?
And this is We have to think about those different tack vectors and then figure out how you're going to try to solve for again.
This is also why it's very important.
If you're going to be creating things like Web applications that again are gonna be public facing, they're gonna be Internet facing.
This is why it's very important to do a lot of testing.
Find one of your fine one of her friends that's like the biggest A whole, you know, those wannabe hackers out there, you know?
Wanna be hackers?
Like find your friend that wants people want to be hacker and sit them down in front of your app and see, See what they can actually accomplish again.
Many times you sit there and you know you're you're apple.
Have 10 different possible vulnerabilities.
You'll you'll lock down nine of them.
And you just didn't realize something like somebody could literally insert something like a Java script straight into your my single database table on and then that will fire every time somebody goes and that that's actually pulled S o.
These are some of the things that think about it again.
That's why it's important to sit down, get multiple different friends, get multiple different people, actually, hammer the hell out of your Web application.
You may be surprised what vulnerability is there that again?
You just weren't thinking about your your your your certain persecutor.
My surfer is secure again.
That's how it goes.
So anyways, uh, as always, I enjoyed doing this this class forcing the next Apparently the type of content you just saw is not what Susan W.
Wants for the future of YouTube This means that recommendations by YouTube to this channel have dropped massively, and views are becoming a comically small I hate to ask.
I used to say I would never ask, but if you could subscribe like common and most importantly, share the videos that you appreciate, that may help slow the death of this channel.
Do you remember that?
If anything at all happens to this channel, you can go to Eli, the computer guy dot com, to view the content and access information not available on YouTube.