I would like to be sure that I didn't use $_POST or $_GET in a way an attacker could make use of (XSS attacks, SQL injections). To find all lines where I used $_GET or $_POST, I used this command:
egrep "_GET|_POST" -r -i MyFolder > dangerousUse.txt
dangerousUse.txt has 439 lines. If I search like this:
egrep "\$_GET|\$_POST" -r -i MyFolder > dangerousUse.txt
dangerousUse.txt has 0 lines. If I search like this:
egrep "_GET\[|_POST\[" -r -i MyFolder > dangerousUse.txt
dangerousUse.txt has 385 lines. I think this is the number I want, but I would like the $-sign to get matched, too.
My first question is: Why doesn't the second egrep command work?
Now, I am sure that the input is used correctly if one of the following has been applied:
- mysql_real_escape_string(htmlspecialchars($input)) or mysql_real_escape_string ( htmlspecialchars ( $input ) ) or other combinations with whitespace
- intval($input)
- isset($input)
- $input == or == $input
How can I find only those lines, where $_POST or $_GET are used without these functions? It would also be okay to delete the lines in dangerousUse.txt, where these functions are applied to each $_POST or $_GET in this line.
edit:
egrep '\$_GET\[|\$_POST\[' -r -i MyFolder > dangerousUse.txt
works, thanks to VGE for the first part of the answer. Now dangerousUse.txt has 385 lines. But the second one is more important for me.
For the second part, egrep -v inverts matches:
egrep '(isset|intval|mysql_real_escape_string\(htmlspecialchars|md5|datum_anpassen)[\w]*\(\$_' -i -v dangerousUse.txt > dangerousUse2.txt
Shell double quotes require double escaping.
Example:
echo "\$" will print '$'
But
echo "\\$" will print '\$'
And '$' is the end-of-line regex marker and is also the shell variable prefix.
The following patterns will work fine:
The last one is the simplest, because the shell does not perform variable interpolation inside single quotes and there is no escaping.
Probably one method to ensure that you check all your input is to define a sanitized_GET and a sanitized_POST function which perform all the stuff.
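An added example (not from the question or the answer above) that builds a small constructed PHP file and runs the three quoting variants from the question plus the inverted second-stage grep, so the double-quote vs single-quote difference and the remaining raw uses can be seen directly. The sample file, directory and counts are all constructed for this example.

```shell
#!/bin/sh
# Added example: shows why "\$_GET" inside double quotes matches nothing
# while '\$_GET' does, then filters out sanitised uses with grep -v.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: two raw superglobal reads, two wrapped ones, and one
# comment line that contains "_GET" without any superglobal.
cat > "$WORKDIR/sample.php" <<'EOF'
<?php
$id   = $_GET['id'];
$name = mysql_real_escape_string(htmlspecialchars($_POST['name']));
$page = intval($_GET['page']);
echo $_POST['comment'];
// HTTP_GET_VARS is the legacy array name
EOF

# Count lines in the sample tree that match an extended regex.
count_matches() {
    grep -E -r -i -- "$1" "$WORKDIR" | wc -l | tr -d ' '
}

# 1. Bare "_GET|_POST" also hits the comment line: 5 matches.
bare_count()         { count_matches '_GET|_POST'; }

# 2. Double quotes turn "\$" into a plain "$", which grep -E reads as the
#    end-of-line anchor, so "$_GET" can never match: 0 matches.
double_quote_count() { count_matches "\$_GET|\$_POST"; }

# 3. Single quotes pass the backslash through, so grep sees a literal "$"
#    followed by a literal "[": 4 matches.
single_quote_count() { count_matches '\$_GET\[|\$_POST\['; }

# Second stage: drop lines where the superglobal is the direct argument of
# one of the sanitising calls, leaving only the raw uses: 2 lines.
raw_use_count() {
    grep -E -r -i -- '\$_GET\[|\$_POST\[' "$WORKDIR" \
      | grep -E -v -- '(isset|intval|mysql_real_escape_string\(htmlspecialchars)\(\$_' \
      | wc -l | tr -d ' '
}

printf 'bare=%s double=%s single=%s raw=%s\n' \
    "$(bare_count)" "$(double_quote_count)" "$(single_quote_count)" "$(raw_use_count)"
```

Note that the second stage only recognises a sanitising call whose opening parenthesis is immediately followed by the superglobal, so uses wrapped at a deeper nesting level or with whitespace still show up as raw and need a manual look.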