Dear all,
I'm building a website in MODX EVO 1.0.8 that needs to create/update some custom db tables based on user input, and I wish to be extra cautious to avoid any security issues. I'm not an expert in security measures, and after some research I got a bit concerned about how I should proceed.
- Example code follows:
1. Retrieving user input
$parameters = $_GET['p'];
$parametersArray = explode("!",$parameters);
2. Inserting new rows I use something like the following:
$documentArray['name']=$parametersArray[0];
$documentArray['status']=$parametersArray[1];
$queryCreateRecord = $modx->db->insert( $documentArray,'modx_record' );
3. Updating an existing row I use something like the following:
$documentArray['id']= $modx->getLoginUserID();
$documentArray['status']= $parametersArray[1];
$table = $modx->getFullTableName( 'record' );
$queryUpdateRecord= $modx->db->update( 'status= "' .$documentArray['status']. '"', $table, 'id = "' .$documentArray['id']. '"' );
4. Selecting the rows from the db I use something like the following:
$table = $modx->getFullTableName("record");
$db_query = $modx->db->select("*", $table, "status='".$documentArray['status']."'");
if ($modx->db->getRecordCount($db_query) > 0) {
    while ($row = $modx->db->getRow($db_query)) {
        $id = $row['id'];
    }
}
- Questions follow:
Is all the above safe or
1. should I use some user input sanitization function?
2. should I use prepared statements to avoid sql injection?
3. is there anything that I'm missing and poses a security threat in the way I handle the input and the db?
4. is there a chance that modx does the above security tasks in the background so I shouldn't worry?
Thank you all in advance, any contribution is deeply appreciated.
Here is how I deal with GET/POST:
$var = mysql_real_escape_string(strip_tags($_GET['var']));
The API:
$var = $modx->db->escape(strip_tags($_GET['var']));
http://rtfm.modx.com/evolution/1.0/developers-guide/api-reference/dbapi/escape
If you are running a global script (e.g. PDF) and want it to respect web user permissions, see this:
https://forums.modx.com/thread/24611/pdf-export?page=3#dis-post-125964
http://sottwell.pogwatch.com/modx-security.html
In REVO the code is more protected behind an xPDO layer and there is great API Documentation.
In EVO the old wiki is still a gold mine:
http://wiki.modxcms.com/index.php/DB_query_and_Placeholders
http://wiki.modxcms.com/index.php/API:DBAPI
http://wiki.modxcms.com/index.php/Creating_Snippets
BUT even if you make use of API calls that doesn't guarantee security!
Running eForm on your website? Consider using this:
<?php
if ( ! function_exists( 'eformPreventXSS' ) )
{
    function eformPreventXSS( &$fields )
    {
        global $modx;
        $success = TRUE;
        foreach( $fields as $name => $value )
        {
            $stripped = strip_tags( $value );
            // If there was embedded PHP/HTML/XML etc. then not successful
            // However, proceed to clean all the fields anyway.
            if ( $stripped != $value )
            {
                $success = FALSE;
            }
            switch ( $name )
            {
                case 'email':
                case 'vericode':
                    // Just strip tags. No need to escape.
                    $fields[ $name ] = $stripped;
                    break;
                default:
                    $fields[ $name ] = htmlspecialchars( $stripped, ENT_QUOTES, $modx->config['modx_charset'] );
            }
        }
        return $success;
    }
}
?>
Name the snippet: eformPreventXSS
And call your eForm:
[!eformPreventXSS!]
[!eForm? &eFormOnBeforeMailSent=`eformPreventXSS` ...
I also highly recommend adding this to the .htaccess file in the assets folder:
<FilesMatch "\.(php|tpl)$">
    Order allow,deny
    Deny from all
</FilesMatch>
This will protect you when uploading extras.
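Putting the escape() advice from the reply onto the insert/update/select from the question, as an added example (it is not code from the thread or from MODX itself). It assumes a MODX Evo $modx in scope, a table registered as 'record' with columns id, name and status, a known set of status values, and that the DBAPI insert()/update()/select() do not escape values for you:

```php
<?php
// Added example, not the original poster's code and not MODX's own.
// Assumptions: $modx (MODX Evo) is in scope, the table 'record' has the
// columns id, name, status, and the DBAPI does NOT escape values itself.

// Whitelist for 'status': anything not listed is rejected, not stored.
$allowedStatus = array('draft', 'active', 'archived');

// 1. Retrieve and split the user input the way the original code does.
$parametersArray = isset($_GET['p']) ? explode('!', $_GET['p']) : array();
$rawName   = isset($parametersArray[0]) ? $parametersArray[0] : '';
$rawStatus = isset($parametersArray[1]) ? $parametersArray[1] : '';

// 2. Validate first (reject bad input), then escape what is left.
if (!in_array($rawStatus, $allowedStatus, true)) {
    // Unknown status value: stop here instead of writing it to the db.
    return 'Invalid status';
}
$name   = $modx->db->escape(strip_tags($rawName)); // free text: strip tags, escape quotes
$status = $modx->db->escape($rawStatus);           // whitelisted already; escape anyway
$userId = (int) $modx->getLoginUserID();           // numeric column: cast, never quote raw

$table = $modx->getFullTableName('record');

// 3. Insert: every value in the array has been escaped above.
$modx->db->insert(array('name' => $name, 'status' => $status), $table);

// 4. Update: SET uses the escaped status, WHERE uses the integer id.
$modx->db->update("status = '" . $status . "'", $table, 'id = ' . $userId);

// 5. Select: the same escaped value goes into the WHERE clause.
$result = $modx->db->select('*', $table, "status = '" . $status . "'");
$ids = array();
if ($modx->db->getRecordCount($result) > 0) {
    while ($row = $modx->db->getRow($result)) {
        $ids[] = (int) $row['id'];
    }
}
```

Escaping handles the quoting; the whitelist and the integer cast are what stop values the application never expected from reaching the query at all.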
mrhaw thanks for the reply,
very useful information and a place to start from,
any advice on how to prevent session hijacking?
» Force your client to login using SSL - HTTPS
/manager/index.php:
<?php
// HTTPS is not set at all on a plain HTTP request, so check for that too
// (avoids an undefined-index notice and still redirects).
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
    header('Location: https://website.com/manager/');
    exit();
}
» Restrict the manager to IP
https://forums.modx.com/thread/45029/restrict-manager-by-ip-addresses-without-breaking-captcha#dis-post-463882
» In manager settings make sure "Validate HTTP_REFERER headers?" is set to YES
» UPGRADE YOUR MODX!
Since 1.0.8
Security:
--------------------------------------------
* [#9933] insideManager - security fix
* [#10180] ForgotManagerPassword - Improvement reset url
* [#9704] LFI in mutate_settings.ajax.php
* [#9802] Security feature - Check falsification of system files
* [#3796] MODx security issues
* [#8338] LFI in browser.php
* [#8339] LFI in install
* [#9621] SQL-injection in logEvent
* [#471] Show custom error page if mysql is down
* [#9624] Add .htaccess into assets/cache/
https://raw.github.com/modxcms/evolution/v1.0.12/install/changelog.txt
» KEEP A BACKUP OF FILES AND DATABASE!
// This Ditto Tagging XSS fix never made its way in (if you are using tagging):
https://forums.modx.com/thread/42791/removing-tags-variable-from-reflect-url#dis-post-247387