20.6.08

Tainted Data PHP Functions

[Summary]
This file describes the sources from which tainted data can be imported.
A conservative approach is taken: everything that retrieves data from
a source outside PHP, such as the file system or a database, is considered
tainted. Note that this list should be adaptable within the tool.

[Language constructs]
Predefined variables:
$_SERVER $_SESSION
$_GET $_REQUEST
$_POST $_FILES
$_COOKIE

[Internal functions]
Most of the functions below return tainted data only if a parameter passed to them already contains tainted data; those that read from outside PHP return tainted data regardless of their parameters.
* base64_decode | Returns decoded string, could contain tainted data
* base_convert | Returns the number converted to the given base; the result contains letters once tobase is above 10
* basename | Returns a part of a filename.
* bzread | Returns a string coming from a bz compressed file handle
* chr | Returns the string-representation of the ASCII-number. Could be dangerous if a lot are concatenated
* convert_cyr_string | Returns string in cyr-encoding
* current | Returns the current element of an array
* dba_nextkey | Returns the next key in a database
* dns_get_record | Fetch DNS Resource Records associated with a hostname
* end | Returns last element of an array
* extract | Import variables into the current symbol table from an array
* fdf_get_attachment | Extracts an uploaded file from a FDF document
* fdf_open | Opens an FDF document
* fdf_open_string | Reads an FDF document from a string
* fdf_save_string | Returns the FDF document as a string
* fgetc | Get one character from a file pointer. Could be dangerous if a lot are concatenated
* fgetcsv | Gets line from file pointer and parse for CSV fields
* fgets | Gets line from file pointer
* fgetss | Gets line from file pointer and strip HTML tags
* file | Reads entire file into an array
* file_get_contents | Reads entire file into a string
* fopen | Opens a file, binds a resource
* fread | Returns a string of a file read
* func_get_arg | Return an item from the argument list
* func_get_args | Returns an array comprising a function's argument list
* get_browser | Returns info about the browser, using HTTP_USER_AGENT
* get_headers | Fetches all the headers sent by the server in response to a HTTP request
* get_meta_tags | Extracts all meta tag content attributes from a file and returns an array
* getallheaders | Fetch all HTTP request headers
* getenv | Gets the value of an environment variable, some come from the user
* getopt | Gets options from the command line argument list
* gettext | Lookup a message in the current domain
* gzdeflate | Deflate a string
* gzfile | Read gz-file into an array
* gzgetss | Get a line from a gz-file and strip HTML-tags
* gzopen | Opens a gz-file
* gzread | Reads a gz-file
* headers_list | Returns a list of response headers sent (or ready to send)
* hebrev | Convert logical Hebrew text to visual text
* hebrevc | Same as hebrev, additionally converting newlines to <br />
* highlight_string | Highlights a string
* html_entity_decode | Convert all HTML entities to their applicable characters
* ibase_blob_import | Create blob, copy file in it, and close it
* iconv | Convert string to requested character encoding
* id3_get_tag | Get all information stored in ID3-tags
* imap_base64 | Decode BASE64 encoded text
* imap_bodystruct | Read the structure of a specified body section of a specific message
* imap_fetchbody | Fetch a particular section of the body of the message
* imap_fetchheader | Returns header for a message
* imap_fetchstructure | Read the structure of a particular message
* imap_headerinfo | Read the header of the message
* imap_headers | Returns headers for all messages in a mailbox
* imap_mime_header_decode | Decode MIME header elements
* imap_utf8 | Converts MIME-encoded text to UTF-8
* implode | Join array elements with a string
* import_request_variables | Import GET/POST/Cookie variables into the global scope
* ircg_nickname_unescape | Decodes encoded nickname
* join | Alias of implode
* ldap_get_values | Get all values from a result entry
* mb_decode_mimeheader | Decode string in MIME header field
* mb_parse_str | Parse GET/POST/COOKIE data and set global variable
* mcrypt_decrypt | Decrypts crypttext with given parameters
* mdecrypt_generic | Decrypt data
* msession_get | Get value from session
* msession_get_array | Get array of msession variables
* msession_get_data | Get a session's unstructured data
* msg_receive | Receive a message from a message queue
* ngettext | Plural version of gettext
* ob_get_contents | Return the contents of the output buffer
* ob_get_flush | Flush the output buffer, return it as a string and turn off output buffering
* parse_ini_file | Parse a configuration file
* parse_str | Parses the string into variables
* parse_url | Parse a URL and return its components
* parsekit_compile_string | Compile a string of PHP code and return the resulting op array
* pfpro_process_raw | Process a raw transaction with Payflow Pro
* pfsockopen | Open persistent Internet or Unix domain socket connection
* pg_copy_to | Copy a table to an array
* pg_fetch_all | Fetches all rows from a result as an array
* pg_fetch_array | Fetch a row as an array
* pg_fetch_assoc | Fetch a row as an associative array
* pg_fetch_result | Returns values from a result resource
* pg_fetch_row | Get a row as an enumerated array
* rawurldecode | Decode URL-encoded strings
* readline | Reads a line
* readlink | Returns the target of a symbolic link
* scandir | List files and directories inside the specified path
* shm_get_var | Returns a variable from shared memory
* socket_read | Reads a maximum of length bytes from a socket
* sprintf | Return a formatted string
* SQLiteUnbuffered->fetchAll | Fetches all rows from a result set as an array of arrays
* SQLiteUnbuffered->fetch | Fetches the next row from a result set as an array
* SQLiteDatabase->fetchColumnTypes | Return an array of column types from a particular table
* SQLiteUnbuffered->fetchObject | Fetches the next row from a result set as an object
* SQLiteUnbuffered->fetchSingle | Fetches the first column of a result set as a string
* SQLiteDatabase->singleQuery | Executes a query and returns either an array for one single column or the value of the first row
* stripcslashes | Un-quote string quoted with addcslashes()
* stripslashes | Un-quote string quoted with addslashes()
* strval | Get string value of a variable
* sybase_fetch_array | Fetch row as array
* sybase_fetch_assoc | Fetch a result row as an associative array
* sybase_fetch_object | Fetch a row as an object
* sybase_fetch_row | Get a result row as an enumerated array
* sybase_result | Get result data
* token_get_all | Split given source into PHP tokens
* unpack | Unpack data from binary string
* vsprintf | Return a formatted string

[PHP5 only]
* convert_uudecode | Returns an uu-decoded string
* iconv_mime_decode | Decodes a MIME-header field
* iconv_mime_decode_headers | Decodes several MIME-header fields
* php_strip_whitespace | Return source with stripped comments and whitespace
* SQLiteDatabase->arrayQuery | Execute a query against a given database and returns an array
* stream_get_contents | Reads remainder of a stream into a string
* stream_get_line | Gets line from stream resource up to a given delimiter
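The summary above takes a conservative stance (anything read from outside PHP is tainted), and the note under [Internal functions] separates functions that are taint sources in their own right from functions that merely pass taint along. The following Python script is an added example, not code from this page or from the tool it describes: it encodes a small subset of the listed functions in two tables, treats any unlisted function like a propagator (the conservative default), and walks a constructed straight-line PHP snippet to report which variables end up tainted and why. The regex-based parser, the flow-sensitive clearing of taint on reassignment, and the absence of any sanitizer table are simplifications made for this example.

```python
"""Minimal flow-sensitive taint tracker over straight-line PHP assignments.

Added example; not code from the page or from any PHP taint-analysis tool.
  * SOURCES     - read data from outside PHP: result is always tainted
  * PROPAGATORS - result is tainted only if an argument already is
Unlisted functions are treated like propagators (conservative default).
Parser is deliberately small: string literals containing commas or
parentheses are not handled.
"""
import re

SUPERGLOBALS = {"$_SERVER", "$_SESSION", "$_GET", "$_REQUEST",
                "$_POST", "$_FILES", "$_COOKIE"}

# Always tainted: the call itself imports data from outside PHP (subset of the page's list).
SOURCES = {"file_get_contents", "fgets", "fread", "getenv", "readline",
           "getallheaders", "get_headers", "pg_fetch_assoc", "scandir"}

# Tainted only if some argument is tainted (subset of the page's list).
PROPAGATORS = {"base64_decode", "stripslashes", "strval", "implode",
               "html_entity_decode", "rawurldecode", "sprintf", "iconv",
               "basename", "current", "end"}

ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*(//.*)?$")
CALL = re.compile(r"^(\w+)\s*\((.*)\)$", re.S)
VAR = re.compile(r"\$\w+")


def split_args(args):
    """Split an argument list on top-level commas only."""
    parts, cur, depth = [], [], 0
    for ch in args:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def taint_reason(expr, tainted):
    """Return a string explaining why expr is tainted, or None if it is clean."""
    expr = expr.strip()
    root = expr.split("[", 1)[0].strip()          # $_GET['id'] -> $_GET
    if root in SUPERGLOBALS:
        return f"read from {root}"
    m = CALL.match(expr)
    if m:
        name, args = m.group(1), m.group(2)
        if name in SOURCES:
            return f"source {name}()"
        kind = "propagator" if name in PROPAGATORS else "unlisted"
        for arg in split_args(args):
            why = taint_reason(arg, tainted)
            if why:
                return f"{kind} {name}() <- {why}"
        return None
    # Plain variables, concatenations, etc.: tainted if any operand is.
    for var in VAR.findall(expr):
        if var in SUPERGLOBALS:
            return f"read from {var}"
        if var in tainted:
            return f"copy of {var}"
    return None


def analyze(php_source):
    """Walk assignments in order; return {variable: reason} for tainted ones."""
    tainted = {}
    for line in php_source.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        var, expr = m.group(1), m.group(2)
        why = taint_reason(expr, tainted)
        if why:
            tainted[var] = why
        else:
            tainted.pop(var, None)   # overwritten with clean data: taint is gone
    return tainted


# Constructed PHP input for this example.
SAMPLE_PHP = """\
$id = $_GET['id'];
$body = file_get_contents('/etc/app.ini');
$greeting = base64_decode("SGVsbG8=");
$raw = base64_decode($id);
$shown = html_entity_decode(stripslashes($raw));
$label = "user: " . $_COOKIE['name'];
$upper = strtoupper($raw);
$copy = $greeting;
$id = "fixed";
"""

if __name__ == "__main__":
    for var, why in analyze(SAMPLE_PHP).items():
        print(f"{var:10} tainted: {why}")
```

Running it reports $body (source), $raw, $shown and $upper (propagated from $id, the last through an unlisted function) and $label (superglobal inside a concatenation) as tainted, while $greeting decodes a literal and stays clean, $copy inherits that clean value, and the final reassignment of $id removes its taint. A real tool would add a sanitizer table and handle arrays, branches and function bodies; the point here is only the source/propagator split the page's list encodes.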
