Solved

// SURPRISE! $tmpStudent->foo = 'UNWANTED INJECTION';

Posted on 2013-12-04
6
218 Views
Last Modified: 2013-12-05
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28309697.html#a39695372


What are the ways to prevent:
// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
0
Comment
Question by:rgb192
  • 3
  • 2
6 Comments
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 39695747
There is no way to prevent that injection from occurring.  But you can simply ignore any variables that you did not declare.  And if you declare your variables to be protected, you will not get an injection because PHP will prevent it.  See line 9, 17, and 22.

Outputs:
Fatal error:  Cannot access protected property Student::$age in /public_html/RAY_temp_rgb192.php on line 17

<?php // RAY_temp_rgb192.php
error_reporting(E_ALL);
echo '<pre>';

// SEE http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28310003.html

class Student{
 private $name;
 protected $age;
 public function __construct($name,$age){
   $this->name=$name;
   $this->age=$age;
   $this->sum=$name+$age;
 }
}
$tmpStudent=new Student("Mindi","22");
echo "Age : ". $tmpStudent->age;
echo "<br>Sum:".$tmpStudent->sum;

// SURPRISE!
$tmpStudent->foo = 'UNWANTED INJECTION';
$tmpStudent->age = 33;

// SHOW THE NEWLY DAMAGED OBJECT
var_dump($tmpStudent);

// SHOW THAT THE NEWLY INJECTED "AGE" HAS NOT BEEN USED IN THE COMPUTATION OF THE "SUM"
echo "<br>Sum:".$tmpStudent->sum;

Open in new window

HTH, ~Ray
0
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points
ID: 39696121
The __set magic method can help here, because it gets called whenever this is an attempt to modify the value of a property that is either undeclared or isn't normally accessible (e.g. a private property):

<?php
class InjectionProtection
{
    private $my_private_property;
    public $my_public_property;

    public function __set($name, $value)
    {
      throw new Exception("Trying to set a private or undeclared property: {$name}");
    }
}

$obj = new InjectionProtection;

try
{
	$obj->my_public_property = "foo"; // Allowed
	echo "Successfully set my_public_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

try
{
	$obj->my_private_property = "foo"; // Throws an exception
	echo "Successfully set my_private_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}
try
{
	$obj->my_undeclared_property = "foo"; // Throws an exception
	echo "Successfully set my_undeclared_property!\n";
}
catch(Exception $ex)
{
	echo "EXCEPTION: " . $ex->getMessage() . "\n";
}

?>

Open in new window


Should result in:
Successfully set my_public_property!
EXCEPTION: Trying to set a private or undeclared property: my_private_property
EXCEPTION: Trying to set a private or undeclared property: my_undeclared_property

Open in new window

0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39696196
@gr8gonzo: Great call.  I had forgotten about that... Probably because I usually write my own get and set methods.  But it will definitely trap the disallowed settings.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:rgb192
ID: 39697364
I do not understand how the set magic method is being called because only a property is
being called
$obj->my_private_property = "foo";

and not a method
$obj->method();
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39697374
Here are the relevant man pages; all of them need to be understood to get the concept:

http://php.net/__callstatic
http://php.net/manual/en/language.oop5.magic.php
http://php.net/manual/en/language.oop5.overloading.php#object.set

Executive summary: It's "magic" and not part of the regular language syntax.  You can decide for yourself whether it's good or not.
0
 

Author Closing Comment

by:rgb192
ID: 39700237
And thank you for explanation of magic methods
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This article discusses how to create an extensible mechanism for linked drop downs.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now