Forums / Cotonti / General / Security Staff?

tensh
#1 2009-06-18 14:24
Hi;

Is there a membergroup in Cotonti responsible only for security (mainly plugins security)?

For example, I'd like to write some plugins soon (I have the "awards system" plugin in mind, for my site's needs, but I'd like to contribute here as well), but I'm a beginner in coding and so I would need security check for my code.
Kilandor
#2 2009-06-18 19:28
There isn't, but if you want you can post your code.

There are 2 things to worry about when coding.

1. SQL Injections
2. Malicious HTML/JS Injections

The first is simple to combat - SQL Injections
This can happen by using unfiltered data that can come from a user (POST/GET) in a SQL query

1. sed_import any variables coming from POST/GET
2. In the query, if you have an integer, place (int) before the var, e.g. (int)$id; this cannot be in quotes directly
3. Anything else that's not an integer, IF it comes from a possible user input, should be run through sed_sql_prep(), e.g. sed_sql_prep($text). If you know the data is secure, coming from something internal that can't be changed, then you can skip using it, but if you're unsure, it never hurts to use it anyway.

The second - HTML/JS Injections
This can happen by not filtering user input that's placed directly into HTML

1. sed_import any variables coming from POST/GET
2. Before outputting any data into HTML (such as out through echo, or tags), run it through sed_cc, e.g. sed_cc($text)

If you follow those it should be just fine, but when you're done you can post it up and I'm sure someone would likely check it for you.
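To make the two checklists above concrete, here is an added example (not code from the thread or from the Cotonti code base) of a small "awards" plugin handler written twice: a first draft with both holes, then the same handler hardened with the helpers the post names. It assumes the Siena-era Cotonti API as it is commonly used: sed_import($name, $source, $filter, $maxlen) with 'G'/'P' sources and 'INT'/'TXT' filters, sed_sql_prep(), sed_sql_query(), sed_sql_fetchassoc() and sed_cc(); the table $db_awards, its columns, and the request parameters are invented for the example.

```php
<?php
/* Added example, not part of the forum thread or the Cotonti project.
 * Assumed Cotonti helpers (names as used in the post above):
 *   sed_import($name, $source, $filter, $maxlen) - 'G' = GET, 'P' = POST;
 *                                                  filters 'INT', 'TXT'
 *   sed_sql_prep($text)      - escapes a string for use inside SQL quotes
 *   sed_sql_query($sql)      - runs a query, returns a result resource
 *   sed_sql_fetchassoc($res) - fetches one row as an associative array
 *   sed_cc($text)            - converts HTML special characters for output
 * $db_awards, its columns and the parameters id/title are invented here. */

defined('SED_CODE') or die('Wrong URL');

global $db_x;
$db_awards = $db_x . 'awards';   // assumption: the plugin's own table

/* VULNERABLE first draft.
 * 1) $id is copied straight from the URL into the query, so
 *    ?id=1 OR 1=1 changes what the query returns, and a UNION can read
 *    other tables.
 * 2) $title is stored and echoed without escaping, so a title containing
 *    <script>...</script> runs in every visitor's browser. */
function awards_handler_unsafe()
{
    global $db_awards;
    $id    = $_GET['id'];
    $title = $_POST['title'];

    if (!empty($title)) {
        sed_sql_query("UPDATE $db_awards SET award_title = '$title' WHERE award_id = $id");
    }
    $res = sed_sql_query("SELECT award_title FROM $db_awards WHERE award_id = $id");
    $row = sed_sql_fetchassoc($res);
    echo '<b>' . $row['award_title'] . '</b>';
}

/* HARDENED version following the checklist.
 * - sed_import filters the raw input ('INT' yields an integer or null,
 *   'TXT' strips to plain text and enforces the length).
 * - The integer is cast with (int) and concatenated, NOT written inside
 *   the quoted string: "... = (int)$id" would leave the literal text
 *   "(int)" in the SQL and interpolate $id unchanged.
 * - The string goes through sed_sql_prep() and sits inside single quotes.
 * - Everything is passed through sed_cc() before it reaches the HTML. */
function awards_handler_safe()
{
    global $db_awards;
    $id    = sed_import('id', 'G', 'INT');
    $title = sed_import('title', 'P', 'TXT', 100);

    if ($id === null || $id <= 0) {
        return;   // nothing sensible to show for a missing/invalid id
    }

    if (!empty($title)) {
        $sql = "UPDATE $db_awards SET award_title = '" . sed_sql_prep($title) . "'"
             . " WHERE award_id = " . (int)$id;
        sed_sql_query($sql);
    }

    $res = sed_sql_query("SELECT award_title FROM $db_awards WHERE award_id = " . (int)$id);
    $row = sed_sql_fetchassoc($res);
    if ($row) {
        // sed_cc() turns <script> into &lt;script&gt;, so it is displayed, not run
        echo '<b>' . sed_cc($row['award_title']) . '</b>';
    }
}
```

The (int) cast on the query line is the step people most often get subtly wrong: `(int)$id` inside a double-quoted string is not a cast, which is why the post says it "cannot be in quotes directly". Note also that sed_cc() is an output-side control; storing the raw text and escaping on every echo is fine, but forgetting sed_cc() on even one output path reopens the HTML/JS hole.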
tensh
#3 2009-06-18 20:23
Hmm... in this case maybe check the shop plugin for Cotonti? (Supplied in Plugins) ... I'm also interested in it, I have an impression that it's not well-guarded (no sed-imports, no POST validation...). Correct me if I'm wrong!
Kilandor
#4 2009-06-19 06:52
Without a doubt there are plenty of insecure plugins out there.

But in some cases it really depends on how it's being used; sed_import is not required. It's really not required at all, but a recommended security/safety measure.