Security Principles

Variable Checking

Where possible scripts should as quickly as possible check for any needed variables and exit if these are missing. The advantage of exiting if they are missing is to minimise PHP warnings and fatal errors.

New code must use one of these methods to to access all variables passed to a page.

The param class contains 4 methods that can be used to check and clean variables passed to a page:

param::clean()

param::clean($value, $type)

ParameterTypeExplanation
$valuemixedThe value that should be cleaned
$typeintThe type that $value should be cleaned as. It should be passed as one of the param class constants, i.e. param::FLOAT

The cleaned value will be returned, or null if it does not match the type passed.

Examples
$val1 = 'Test1 String';
echo param::clean($val1, param::ALPHA); // 'Test String'
echo param::clean($val1, param::ALPHANUM); // 'Test1 String'
echo param::clean($val1, param::INT); // null


$val2 = '2';
echo param::clean($val2, param::ALPHANUM); // '2'
echo param::clean($val2, param::INT); // 2
echo param::clean($val2, param::FLOAT); // 2


$val3 = '2.1';
echo param::clean($val3, param::ALPHANUM); // '2.1'
echo param::clean($val3, param::INT); // null
echo param::clean($val3, param::FLOAT); // 2.1

param::clean_array()

param::clean_array($value, $type, $required)

ParameterTypeExplanation
$valuearrayThe array that should be cleaned
$typeintThe type that $value should be cleaned as. It should be passed as one of the param class constants, i.e. param::FLOAT
$requiredbooleanDefault: false. If true and a parameter in the array is not of the required type an exception will be thrown.

Returns an array containing only values of the appropriate type, if required is true a MissingParameter exception will be thrown if any value of the array is not of the required type.

Examples
$array = array(
  '3',
  '4.2',
  array(
    '769',
  ),
);


$clean = param::clean_array($array, param::INT); // Returns: array('3', null, array('769'))
$clean = param::clean_array($array, param::INT, true); // Throws a MissingParameter exception.

param::required()

param::required($name, $type, $from)

ParameterTypeExplanation
$namestringThe name of the parameter to be retrieved
$typeintThe type that $value should be cleaned as. It should be passed as one of the param class constants, i.e. param::FLOAT
$fromstringDefault: param::FETCH_REQUEST. Should be one of: param::FETCH_GET, param::FETCH_POST or param::FETCH_REQUEST

Returns the value of the parameter if it is set, throws a MissingParameter exception if the value is either not set, or invalid for the type.

Examples
try {
  $id = param::required('id', param::INT); // Look for the id parameter in both _GET and _POST
  $paperid = param::required('paperID', param::INT, param::FETCH_GET); // Look for paperID in _GET
  $moduleid = param::required('module', param::INT, param::FETCH_POST); // Look for module in _POST
} catch (MissingParameter $e) {
  // Do something when the parameter is not present.
}

param::optional()

param::optional($name, $default, $type, $from)

ParameterTypeExplanation
$namestringThe name of the parameter to be retrieved
$defaultmixedThe value that should be returned if the parameter is not set, or not of the correct type.
$typeintThe type that $value should be cleaned as. It should be passed as one of the param class constants, i.e. param::FLOAT
$fromstringDefault: param::FETCH_REQUEST. Should be one of: param::FETCH_GET, param::FETCH_POST or param::FETCH_REQUEST

Returns a value

Examples
$username = param::optional('user', null, param::ALPHANUM);
if (!is_null($username)) {
  // Do something with the username.
}

check_var()

check_var($name, $method, $mandatory, $headers, $return_var, $type)

ParameterTypeExplanation
$namestringThe name of the parameter to be retrieved
$methodstring|arrayShould be one of: param::FETCH_GET, param::FETCH_POST, param::FETCH_REQUEST, or an array
$mandatorybooleanIf true then exit if the variable does not exist
$headersbooleanIf true then output HTML header code on a failure
$return_varbooleanIf true return the value of the tested variable back
$typeintDefault: param::RAW. The type that $value should be cleaned as. It should be passed as one of the param class constants. (Since Rogo 6.3.0)

To check for variables include:

require_once '../include/errors.inc';

To check for a specific variable use:

$labID = check_var('labID', 'POST', true, false, true);

This will look for a variable ('labID') that was submitted using POST and if exists will assign to the local variable `$labID`. If $_POST'labID'] does not exist then a warning is set to the user interface and the script will exit.

Denning Access

For security reasons the warning 'Page not Found' is used in situations where a) the current user is not authorised to see the current page, and b) what is being requested is not found in the database (e.g. paperID=9999999999). This is a security principle so that users do not sniff around to see what data exists and what does not.

Access denied failures are recorded by using the record_access_denied() function which will write to denied_log table. This is useful for SysAdmin users to pick up any patterns of users 'attacking' the system.

Paper Identification

Staff screens can use the internal paper number (e.g. PaperID) and it is OK to pass this around as a GET parameter on URLs. However, any student accessible screen should use 'crypt_name' so that IDs are not guessable.

Database

Rogo has a number of MySQL users with various permissions. After a successful authentication Rogo will switch to an appropriate MySQL user based on the role of the user held within Rogo. So, for example, a member of staff user will use a staff database role and a student a student role. Within the database the permissions that a staff user has on the individual MySQL tables is more extensive than a student. The advantage of this architecture is that a rouge script that tries to do something is should not (i.e. student deleting a user record) will not have the correct database permissions to do so.