OWASP - User contributions [en]

Projects/OWASP PHP Security Project/Roadmap

2013-07-29T16:57:52Z

Abhishek Das:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> [[Phpsec/Secure Database Library|Secure Database Library]]</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> [[Phpsec/HTTP Request Handling Library|HTTP Request Handling Library]]</li>
<li> [[HTTP Response Handling Library]]</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> [[Secure Application Configuration and State Library]]</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> [[Time and Randomness Management Library]]</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>

Phpsec/HTTP Request Handling Library

2013-07-29T16:57:34Z

Abhishek Das: Created page with "<h4>Introduction</h4> HTTP Request is user input. Many developers forget this fact and tend to rely on it as a trustworthy source and configure many aspects of their applicat..."

<h4>Introduction</h4>

HTTP Request is user input. Many developers forget this fact and tend to rely on it as a trustworthy source and configure many aspects of their applications based on values of <code>$_SERVER</code> (most of which are set using HTTP request). While not all values under <code>$_SERVER</code> are unreliable, some of the values such as 'QUERY_STRING', 'HTTP_REFERRER' etc are entirely arbitrary information sent by the client. This library provides wrappers which securely process these data and hand them to user, and replaces the <code>$_SERVER</code> values that are insecure with objects that throw exceptions when cast to string (e.g. in HTTP_HOST), so that developers can no longer directly access them.

Phpsec/Secure Database Library

2013-07-29T16:40:51Z

Abhishek Das: Created page with "<h4>Introduction</h4> This library is compatible with PHP PDO, but doesn't allow insecure operations (such as concatenation of values in any form) with it. We have enforced p..."

<h4>Introduction</h4>

This library is compatible with PHP PDO, but doesn't allow insecure operations (such as concatenation of values in any form) with it. We have enforced prepared statements for all data that is to be sent to the database engine, and will enforce whitelisting (via taint tracking) of all SQL parameters (such as limit and order by) where prepared data are not supported by the back-end engine.
A base library provides all these features abstracted from database engines, and derived libraries for each common database engine.

<h4>Usage</h4>

<ul>
<li>
Include the required database adapter wrapper class. For example, in case of PDO_MYSQL<br><br>
<code>

require ('phpsec/libs/db/adapter/pdo_mysql.php');
<br><br>
</code>
</li>
<li>Set up a database connection<br><br>
<code>

$a = new \phpsec\Database_pdo_mysql ('DATABASE_NAME', 'DATABASE_USER', 'DATABASE_PASSWORD');
<br><br>
</code>
</li>
<li>In case you already have a connection made, you can pass the object directly to the constructor<br><br>
<code>

$pdo = new \PDO ("mysql:dbname=DATABASE_NAME;host=localhost;",'DATABASE_USER','DATABASE_PASSWORD');<br>
$a = new \phpsec\Database_pdo_mysql ($pdo);
<br><br>
</code>
</li>
<li>Execute queries. Parameters can be passed as arrays or expanded lists.<br><br>
<code>

$b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", "abc", "09/10/1991");<br>
$b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", array("abc","09/10/1991"));<br>
$b = $a->SQL("SELECT * FROM users WHERE username = :username AND dob = :dob", array(':username' => 'abc',':dob' => '09/10/1991'));<br>
<br>
</code>
</li>
</ul>
<h4>Files</h4>

<h5>adapter/base.php</h5>

<h6>DatabaseConfig class</h6>

A single wrapper object for all database configuration options. Easier to pass around a single object to functions than an expanded list.

<h6>DatabaseModel class</h6>

Parent class for all database wrapper classes. Provides most of the PDO compatible interface functions.

<h6>DatabaseStatementModel class</h6>

Parent class for all database prepared statements. Contains methods to actually perform queries and fetch data.

<h5>adapter/pdo_mysql.php</h5>

<h6>Database_pdo_mysql class</h6>

PDO_MySQL wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_mysql</h6>

PDO_MySQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>adapter/pdo_pgsql.php</h5>

<h6>Database_pdo_pgsql class</h6>

PDO_PostgreSQL wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_pgsql</h6>

PDO_PostgreSQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>adapter/pdo_sqlite.php</h5>

<h6>Database_pdo_sqlite class</h6>

PDO_SQLite wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_sqlite class</h6>

PDO_SQLite prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>dbmanager.php</h5>

<h6>DatabaseManager class</h6>

This is not being used at the moment. It might be needed later for when the set of libraries would be incorporated in a framework. Leaving it for legacy purposes.

HTTP Request Handling Library

2013-07-28T16:36:31Z

Abhishek Das:

HTTP Request Handling Library

2013-07-28T16:33:41Z

<h4>Introduction</h4>

HTTP Request is user input. Many developers forget this fact and tend to rely on it as a trustworthy source and configure many aspects of their applications based on values of $_SERVER (most of which are set using HTTP request). While not all values under $_SERVER are unreliable, some of the values such as ‘QUERY_STRING’, ‘HTTP_REFERRER’ etc are entirely arbitrary information sent by the client. This library provides wrappers which securely process these data and hand them to user, and replaces the $_SERVER values that are insecure with objects that throw exceptions when cast to string (e.g. in HTTP_HOST), so that developers can no longer directly access them.

Secure Database Library

2013-07-28T16:32:13Z

Abhishek Das:

Secure Database Library

2013-07-28T08:09:06Z

Abhishek Das:

<h4>Introduction</h4>

This library is compatible with PHP PDO, but doesn't allow insecure operations (such as concatenation of values in any form) with it. We have enforced prepared statements for all data that is to be sent to the database engine, and will enforce whitelisting (via taint tracking) of all SQL parameters (such as limit and order by) where prepared data are not supported by the back-end engine.
A base library provides all these features abstracted from database engines, and derived libraries for each common database engine.

<h4>Usage</h4>

<ul>
<li>
Include the required database adapter wrapper class. For example, in case of PDO_MYSQL<br><br>
<code>

require ('phpsec/libs/db/adapter/pdo_mysql.php');
<br><br>
</code>
</li>
<li>Set up a database connection<br><br>
<code>

$a = new \phpsec\Database_pdo_mysql ('DATABASE_NAME', 'DATABASE_USER', 'DATABASE_PASSWORD');
<br><br>
</code>
</li>
<li>In case you already have a connection made, you can pass the object directly to the constructor<br><br>
<code>

$pdo = new \PDO ("mysql:dbname=DATABASE_NAME;host=localhost;",'DATABASE_USER','DATABASE_PASSWORD');<br>
$a = new \phpsec\Database_pdo_mysql ($pdo);
<br><br>
</code>
</li>
<li>Execute queries. Parameters can be passed as arrays or expanded lists.<br><br>
<code>

$b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", "abc", "09/10/1991");<br>
$b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", array("abc","09/10/1991"));<br>
$b = $a->SQL("SELECT * FROM users WHERE username = :username AND dob = :dob", array(':username' => 'abc',':dob' => '09/10/1991'));<br>
<br>
</code>
</li>

<h4>Files</h4>

<h5>adapter/base.php</h5>

<h6>DatabaseConfig class</h6>

A single wrapper object for all database configuration options. Easier to pass around a single object to functions than an expanded list.

<h6>DatabaseModel class</h6>

Parent class for all database wrapper classes. Provides most of the PDO compatible interface functions.

<h6>DatabaseStatementModel class</h6>

Parent class for all database prepared statements. Contains methods to actually perform queries and fetch data.

<h5>adapter/pdo_mysql.php</h5>

<h6>Database_pdo_mysql class</h6>

PDO_MySQL wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_mysql</h6>

PDO_MySQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>adapter/pdo_pgsql.php</h5>

<h6>Database_pdo_pgsql class</h6>

PDO_PostgreSQL wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_pgsql</h6>

PDO_PostgreSQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>adapter/pdo_sqlite.php</h5>

<h6>Database_pdo_sqlite class</h6>

PDO_SQLite wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_sqlite class</h6>

PDO_SQLite prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>dbmanager.php</h5>

<h6>DatabaseManager class</h6>

This is not being used at the moment. It might be needed later for when the set of libraries would be incorporated in a framework. Leaving it for legacy purposes.

Secure Database Library

2013-07-28T08:07:22Z

Abhishek Das:

<h4>Introduction</h4>

This library is compatible with PHP PDO, but doesn't allow insecure operations (such as concatenation of values in any form) with it. We have enforced prepared statements for all data that is to be sent to the database engine, and will enforce whitelisting (via taint tracking) of all SQL parameters (such as limit and order by) where prepared data are not supported by the back-end engine.
A base library provides all these features abstracted from database engines, and derived libraries for each common databas engine.

<h4>Usage</h4>

<ul>
<li>
Include the required database adapter wrapper class. For example, in case of PDO_MYSQL<br><br>
<code>

require ('phpsec/libs/db/adapter/pdo_mysql.php');
<br><br>
</code>
</li>
<li>Set up a database connection<br><br>
<code>

$a = new \phpsec\Database_pdo_mysql ('DATABASE_NAME', 'DATABASE_USER', 'DATABASE_PASSWORD');
<br><br>
</code>
</li>
<li>In case you already have a connection made, you can pass the object directly to the constructor<br><br>
<code>

$pdo = new \PDO ("mysql:dbname=DATABASE_NAME;host=localhost;",'DATABASE_USER','DATABASE_PASSWORD');<br>
$a = new \phpsec\Database_pdo_mysql ($pdo);
<br><br>
</code>
</li>
<li>Execute queries. Parameters can be passed as arrays or expanded lists.<br><br>
<code>

$b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", "abc", "09/10/1991");<br>
$b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", array("abc","09/10/1991"));<br>
$b = $a->SQL("SELECT * FROM users WHERE username = :username AND dob = :dob", array(':username' => 'abc',':dob' => '09/10/1991'));<br>
<br>
</code>
</li>

<h4>Files</h4>

<h5>adapter/base.php</h5>

<h6>DatabaseConfig class</h6>

A single wrapper object for all database configuration options. Easier to pass around a single object to functions than an expanded list.

<h6>DatabaseModel class</h6>

Parent class for all database wrapper classes. Provides most of the PDO compatible interface functions.

<h6>DatabaseStatementModel class</h6>

Parent class for all database prepared statements. Contains methods to actually perform queries and fetch data.

<h5>adapter/pdo_mysql.php</h5>

<h6>Database_pdo_mysql class</h6>

PDO_MySQL wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_mysql</h6>

PDO_MySQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>adapter/pdo_pgsql.php</h5>

<h6>Database_pdo_pgsql class</h6>

PDO_PostgreSQL wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_pgsql</h6>

PDO_PostgreSQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>adapter/pdo_sqlite.php</h5>

<h6>Database_pdo_sqlite class</h6>

PDO_SQLite wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_sqlite class</h6>

PDO_SQLite prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>dbmanager.php</h5>

<h6>DatabaseManager class</h6>

This is not being used at the moment. It might be needed later for when the set of libraries would be incorporated in a framework. Leaving it for legacy purposes.

Secure Database Library

2013-07-28T07:48:23Z

Abhishek Das: First draft of Secure DB library wiki

<h4>Introduction</h4>

This library is compatible with PHP PDO, but doesn't allow insecure operations (such as concatenation of values in any form) with it. We have enforced prepared statements for all data that is to be sent to the database engine, and will enforce whitelisting (via taint tracking) of all SQL parameters (such as limit and order by) where prepared data are not supported by the back-end engine.
A base library provides all these features abstracted from database engines, and derived libraries for each common databas engine.

<h4>Usage</h4>

<ul>
<li>
Include the required database adapter wrapper class. For example, in case of PDO_MYSQL
{{{
require ('phpsec/libs/db/adapter/pdo_mysql.php');
}}}
</li>
<li>Set up a database connection
{{{
$a = new \phpsec\Database_pdo_mysql ('DATABASE_NAME', 'DATABASE_USER', 'DATABASE_PASSWORD');
}}}
</li>
<li>In case you already have a connection made, you can pass the object directly to the constructor
{{{
$pdo = new \PDO ("mysql:dbname=DATABASE_NAME;host=localhost;",'DATABASE_USER','DATABASE_PASSWORD');
$a = new \phpsec\Database_pdo_mysql ($pdo);
}}}
</li>
<li>Execute queries. Parameters can be passed as arrays or expanded lists.
{{{
$b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", "abc", "09/10/1991");
$b = $a->SQL("SELECT * FROM users WHERE username = ? AND dob = ?", array("abc","09/10/1991"));
$b = $a->SQL("SELECT * FROM users WHERE username = :username AND dob = :dob", array(':username' => 'abc',':dob' => '09/10/1991'));
}}}
</li>

<h4>Files</h4>

<h5>adapter/base.php</h5>

<h6>DatabaseConfig class</h6>

A single wrapper object for all database configuration options. Easier to pass around a single object to functions than an expanded list.

<h6>DatabaseModel class</h6>

Parent class for all database wrapper classes. Provides most of the PDO compatible interface functions.

<h6>DatabaseStatementModel class</h6>

Parent class for all database prepared statements. Contains methods to actually perform queries and fetch data.

<h5>adapter/pdo_mysql.php</h5>

<h6>Database_pdo_mysql class</h6>

PDO_MySQL wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_mysql</h6>

PDO_MySQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>adapter/pdo_pgsql.php</h5>

<h6>Database_pdo_pgsql class</h6>

PDO_PostgreSQL wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_pgsql</h6>

PDO_PostgreSQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>adapter/pdo_sqlite.php</h5>

<h6>Database_pdo_sqlite class</h6>

PDO_SQLite wrapper class. Extends the DatabaseModel class.

<h6>DatabaseStatement_pdo_sqlite class</h6>

PDO_SQLite prepared statement wrapper class. Extends the DatabaseStatementModel class.

<h5>dbmanager.php</h5>

<h6>DatabaseManager class</h6>

This is not being used at the moment. It might be needed later for when the set of libraries would be incorporated in a framework. Leaving it for legacy purposes.

Projects/OWASP PHP Security Project/Roadmap

2013-07-28T07:35:14Z

Abhishek Das:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> [[Secure Database Library]]</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> [[HTTP Request Handling Library]]</li>
<li> [[HTTP Response Handling Library]]</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> [[Secure Application Configuration and State Library]]</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> [[Time and Randomness Management Library]]</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>