Question

Thank you for reading this. I am concerned about security defenses in a web environment and I struggle a lot with input validation.

The context here is a web environment where the user types in a user name and a password, which are passed via a POST form to the file verify.php.

I have the following code where I want to validate a user input before letting it into the app. But my question is: Is it possible to inject code from this user's input that would actually re-write the application itself?

Skip to "REAL QUESTION HERE" if you don't have much time.

/* I have left some questions along the code in commentary, 
if you feel you can answer these it would be greatly appreciated too. */ 

All those security concepts are melting my brain.

<?php

//Only sources provided by the server are allowed?

/*is it relevant to use this because I read that
 you have to use webkits for cross-platform performance
and that they are not supported in many cases.  */
// The policy is sent as an HTTP response header, so it must go through header()
// before any output is produced.
header("Content-Security-Policy: "
    . "default-src 'self'; "
    . "script-src 'self'; "
    . "style-src 'self'; "
    . "connect-src 'self'; "
    . "media-src 'self'; "
    . "object-src 'self'; "
    . "frame-src 'self'");

//prevent javascript from accessing cookies?
//I will only use $_SESSION variables.

ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
session_start();
session_regenerate_id(); /*is it mandatory if I plan to use a generated
                         random value using strong entropy to make 
                         a login token?*/

include('functions.php');//weak point?

// Maximum accepted length for either field. The value is an assumption;
// the question referenced the constant without defining it.
define('INPUT_LENGTH', 64);

//for further validation use
$usernameSafe = '';
$passwordSafe = '';

//check if the values exist.
if (isset($_POST['username']) && isset($_POST['password'])) {

    //validation of user input before letting it access the app. 
    //weak point?
    if (isValidInput($_POST['username']) && isValidInput($_POST['password'])) { 

        $formUn = $_POST['username'];//weak point?
        $formPw = $_POST['password'];//here too?

    }

}


//@@@@@@@@@@@@@ REAL QUESTION HERE @@@@@@@@@@@@@@
/*BYPASS_IDEA the input could be : 

    validUserName']) || 1 == 1 ) { inject php code here } }/* 

    //1 == 1 is used to bypass the condition.

    /*two brackets to close the two 'if' statements involved
    and end the app' then also escape everything after it 
    with a block commentary char left unclosed */


//@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
//from the php file 'functions.php'
//@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

function isValidInput($string) { 

    $isValid = FALSE;

    // Reject empty values and anything that is not a string (e.g. an array
    // submitted as username[]).
    if ($string && is_string($string)) {

        /*can it protect against xss attack using characters
        like &lt or any coding tags? */
        // mb_detect_encoding() with strict mode only returns 'UTF-8' for
        // well-formed UTF-8; ctype_alnum() then admits only [A-Za-z0-9].
        if (mb_detect_encoding($string, 'UTF-8', TRUE) !== FALSE &&
            ctype_alnum($string)) {

            //Is this how buffer attacks are prevented?
            if (strlen($string) <= INPUT_LENGTH) {
                $isValid = TRUE;
            }

        }

    }

    return $isValid;

}

?>

Ultimately, if this is possible, could this be achieved at the isset() event?

Solution

From my experience the most important factor for preventing any kind of code injection attack (either sql, php etc...) is the sanitization of the user's data. When you receive input data, sanitize it with specific rules (this could be easily achieved with the php preg_match function). In that way you can reject an input if it is considered harmful. Also, when you receive a $_GET or $_POST variable, it is not treated as code, unless you explicitly use it in that way. For example let's consider the following scenario:

<?php
  if ( isset( $_GET['view'] ) ) 
  {
    include( "viewsfolder/" . $_GET['view'] . ".php" );
  } 
?> 

In this scenario your code could be injected with harmful code. Let's say that the attacker could find a way to upload a malicious file to your server to the "viewsfolder". Then he could easily call this file and make it execute in your php code by just passing the name of the file as the $_GET parameter (view).

Another example, more harmful, could be if you were using the php eval() function which executes a string as php code. For example, you could receive the user's input, concatenate it with some other code you have stored in string format, and then call it through the eval() function. This could end up in code injection.

I don't think that you will have some kind of problem if you sanitize your inputs with regular expressions in order to prevent unwanted code like ']', '}' , \' characters. Also keep in mind that you have to escape your input in order to prevent sql injections - in case you use your data with some SQL DBMS (this can also be easily done with the mysqli_real_escape_string - if you use mysqli connector - or with PDO's quote function or by using PDO prepared statements).
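As an added example (not the asker's or the answerer's code), the answer's points side by side: a strict preg_match rule for the username, the include() selector hardened with an allowlist of view names, and the login lookup done through a PDO prepared statement. The table layout, the sample row, the view names and the 32-character limit are assumptions; it runs offline against an in-memory SQLite database and needs the pdo_sqlite extension.

```php
<?php
// Added example, not code from the question or the answer. Table layout,
// sample row, regex limit and the view names are assumptions.
declare(strict_types=1);

// 1. Accept input by a strict rule rather than hunting for "bad" characters.
//    Only 1..32 ASCII letters, digits or underscores pass; anything else
//    (quotes, brackets, comment markers) is rejected before it is used.
function isValidUsername(string $s): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $s) === 1;
}

// 2. The answer's include() case, hardened: the request may only choose a
//    view name from a fixed allowlist, so no request string becomes a path.
const ALLOWED_VIEWS = ['home', 'profile', 'settings'];

function viewPath(string $requested): ?string
{
    return in_array($requested, ALLOWED_VIEWS, true)
        ? 'viewsfolder/' . $requested . '.php'
        : null;
}

// 3. Login lookup through a prepared statement: the username is bound as a
//    value, so the database never parses it as SQL.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory SQLite (pdo_sqlite extension) with one constructed user row.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The asker's payload and a classic quote-breaking string: both fail
// validation, and even handed straight to the prepared statement they match no row.
foreach (['alice', "validUserName']) || 1 == 1 ) {", "alice' OR '1'='1"] as $u) {
    printf("%-36s valid=%-3s row=%s\n", var_export($u, true),
        isValidUsername($u) ? 'yes' : 'no', findUser($db, $u) ? 'found' : 'none');
}
var_dump(viewPath('profile'), viewPath('admin'));
```

The asker's payload never reaches the parser as code: it arrives as the value of `$_POST['username']`, and the only thing that would turn it into code is eval() or an include() built from it.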

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow