Subscribe via RSS

Finding Code Online

Usable Code, That You Can Trust


December 25th, 2007 last updated December 25th, 2007

The internet is a great repository of data, between google and wikipedia and countless other sources, if you look hard enough, you can find just about anything you can possibly imagine. But that's the problem, having to look, often very hard, and never really knowing if what you've found is really quality stuff.

Case and point, today I was looking for a data input sanitizer because I want to improve the functionality of the blog with comments and a couple of other tricks, but of course first you need to sanitize your input. I could (and at this rate probably will) write my own sanitizing script, and I'm pretty sure I could make it fairly secure, but why do all that, and run the risk of having a security hole, if you can find something that does it for you online? So I try some google searches: 'php input sanitizer', 'php form protection' 'free php form protection', etc. After a little digging I find a few promising looking sites and scripts, though not much. Even what I do find that looks promising, I have no way of knowing if it's trustworthy or not, do I?

There seem to be a couple problems with how solutions to very common programming problems are presented on the internet:

  • No Way To Verify The Source: This is where google's idea that more links equals more trustworthy breaks down. There are plenty of small sites and unknown programmers (I'd like to think I fall in this list) who are very good at what they do and provide quality code. while a massive website serves up mass amounts of toxic waste and pretends it's usable, and that site will continue to get more traffic and more people using their code than the underdogs who can actually program.
  • No Clear Definition of The Problem: Most programmers / web developers realize they need to protect their product from malicious attacks. For instance, most people will wrap all their database input in mysql_real_escape_string() and be proud of themselves for ensuring that their database can no longer be hacked. And while it's true that function at the very least drastically reduces the possibility that their database will be compromised, they don't think of other possible exploits, such as inserting malicious javascript into a comment or a cookie-stealing iframe into a url. There's no standardized set of operations that must be done to safely execute a certain operation (say image uploading). If there was a website that was dedicated to listing all possible exploits and recommending the best way to deal with them, that would be a one stop location to check any script you find against. And as ingenuity as hackers are, there aren't many new tricks to discover - while I'm sure they'll keep on finding security holes, they become more and more obscure, time-consuming, and less likely to work with every additional layer of security. The only way, after all, to guarantee you're safe from hackers is to make sure it's not worth their time to attack you.
  • No Clear Definition of The Solution Very few scripts go through and outright list the problems they address, and how they solve them. Most basically say 'trust me, this code really does work, and work well'. And the code normally does work (they wouldn't upload it if it didn't) which makes it all the worse when it's not secure. It's really straightforward to go online and find a 'Contact Us' form, for instance, which will allow people to contact you, so it looks like the script works. But then someone who actually knows what they're doing (read: a hacker) comes along and modifies the 'to:' parameter in the POST header and BAM, they've got a mail system they can use to send emails to anyone and everyone they want.
    Take for instance This Site* which presents what looks to be a fairly secure image uploader (though it only allows jpeg). However not only does it put too much faith in the FILES array, trusting it over internal PHP functions such as getimagesize(), it also (I believe, I haven't tested it myself) would be susceptible to a fairly simple attack where a text file with some malicious code is uploaded with a header that reports the file is an image. The header tells the server that the file is an image, but once saved and loaded in a browser, the script in the file itself executes. See what I mean about not being able to tell if a piece of code is actually secure?
  • Unreadable Code: I'll often find myself reading code that someone's put online, and I have to struggle to understand what it's doing, and why. This is of course a problem with any and all code, not just online scripts, but it's especially important when you're trying to prove to the public that your code is actually trustworthy. If I think something is possibly well thought ought, I'll take the time to try and decipher it, but no matter what, if I can't, I'm not going to use it. That's part of the reason I normally end up writing my own code anyways - I absolutely must understand what it's doing, and why.

I'm probably going to come back and add to / edit this later on, but in the meanwhile if you have any thoughts of your own regarding sharing and downloading code off the internet, share your thoughts and I'll put them in the blog too.

*Just for the record, I have nothing against this site, I simply did a search for 'php secure image uploader' and picked this one at random to analyze. If I am misrepresenting or slandering this article in any way, please let me know, and I'll be happy to modify the blog.

New Comment

Name:*
Email:*
Website:
Title:*
Comment:*
 
Your email address will never be displayed or shared. Your comment will appear once approved.