Carsten Rose authored
Security.rst
Security
========

All values passed to QFQ will be:

- Checked against maximum length and allowed content, on the client and on the server side. On the server side, the check happens before any further processing. The 'length' and 'allowed content' are specified per FormElement; 'digit' or 'alnumx' is the default. Violating the rules stops the 'save record' process (Form) or results in an empty value (Report). If a variable is not replaced, check the default sanitize class.
- Only elements defined in the Form definition or requested by the Report will be processed.
- UTF8 normalized (normalizer::normalize) to unify the different ways of composing characters. This is mainly of interest for the database, so that it works with unified data.

SQL statements are typically executed as prepared statements with separated variables. Custom SQL statements, however, are defined by the webmaster; those do not use prepared statements and might be affected by SQL injection. To prevent SQL injection, every variable is by default escaped with mysqli::real_escape_string.

QFQ notice:

- Variables passed by the client (= browser) are untrusted and use the default sanitize class 'digit' (if nothing else is specified). If alpha characters are submitted, the content violates 'digit' and therefore becomes !!<name of sanitize class>!! - there is no error message. It is best to always use SIP (the value is trustworthy) or at least digits for GET (= client) parameters (the user might change those, so they are not trustworthy).

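The sanitize-class behaviour described above (maximum length, allowed content, '!!<name of sanitize class>!!' on violation with no error message, an aborted save in a Form and an empty value in a Report), as an added Python model written for this page. It is not QFQ's own code: the exact character set of 'alnumx', the fail-closed handling of an unknown sanitize class and the sample values are assumptions.

```python
import string

# Constructed model of QFQ's sanitize classes; not the project's own implementation.
# 'digit' is the page's stated default. The 'alnumx' character set below is an
# assumption: letters, digits and a small set of punctuation.
ALLOWED = {
    "digit": set(string.digits),
    "alnumx": set(string.ascii_letters + string.digits + "@-_.,;: /()"),
}


class SaveRecordStopped(Exception):
    """Raised when a Form value violates its sanitize rules (save is aborted)."""


def check_value(value, sanitize_class="digit", max_length=None):
    """Return True if value respects max_length and the allowed character set.

    An unknown sanitize class is treated as a violation rather than being
    silently accepted (assumption: fail closed).
    """
    allowed = ALLOWED.get(sanitize_class)
    if allowed is None:
        return False
    if max_length is not None and len(value) > max_length:
        return False
    return all(ch in allowed for ch in value)


def form_value(value, sanitize_class="digit", max_length=None):
    """Form context: a violation stops the 'save record' process."""
    if not check_value(value, sanitize_class, max_length):
        raise SaveRecordStopped(f"value violates sanitize class '{sanitize_class}'")
    return value


def replace_variable(value, sanitize_class="digit", max_length=None):
    """Client variable replacement: a violation yields '!!<class>!!', no error message."""
    if not check_value(value, sanitize_class, max_length):
        return f"!!{sanitize_class}!!"
    return value


def report_value(value, sanitize_class="digit", max_length=None):
    """Report context: a violation results in an empty value."""
    return value if check_value(value, sanitize_class, max_length) else ""


if __name__ == "__main__":
    # Constructed sample inputs, as a browser might submit them.
    print(replace_variable("42"))                 # 42
    print(replace_variable("42abc"))              # !!digit!!
    print(repr(report_value("42abc")))            # ''
    print(form_value("user_1", "alnumx", 10))     # user_1
```

The point of the default being 'digit' is that a value which passed the check can only consist of digits, so it is harmless even where a webmaster's custom SQL interpolates it unquoted; a value that fails becomes the visible marker `!!digit!!` instead of reaching the query.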
Get Parameter
-------------

QFQ security restriction:

- GET parameters might contain urlencoded content (%xx). Therefore all GET parameters are processed by 'urldecode()'. As a result, text like '%nn' in GET variables will always be decoded; it is not possible to transfer '%nn' itself.
- GET values are limited to securityGetMaxLength (:ref:`extension-manager-qfq-configuration`) characters - any violation stops QFQ. Individual exceptions are defined via :ref:`ExceptionMaxLength`.
- The GET parameters 'type' and 'L' might be affected by cache poisoning (T3, configuration dependent). If they contain non-digit values, only the first character is used (if it is a digit); otherwise the value is completely cleaned.
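The three GET restrictions listed above (unconditional urldecode, the securityGetMaxLength limit with per-parameter exceptions, and the cleaning of 'type' and 'L'), as an added Python model written for this page rather than QFQ's own code. The limit values, the `search` exception and the choice to measure the length on the raw, still encoded value are assumptions; the page does not say at which point the limit is applied.

```python
import string
from urllib.parse import unquote

# Constructed configuration values. securityGetMaxLength and ExceptionMaxLength are
# set per installation; these numbers are assumptions for the example only.
SECURITY_GET_MAX_LENGTH = 50
EXCEPTION_MAX_LENGTH = {"search": 200}


class GetParameterViolation(Exception):
    """Raised when a GET value exceeds its length limit; QFQ stops at this point."""


def _all_digits(value):
    return value != "" and all(ch in string.digits for ch in value)


def clean_type_or_l(value):
    """'type' and 'L': keep pure digits; otherwise keep only a leading digit, or nothing."""
    if _all_digits(value):
        return value
    return value[0] if value[:1] and value[0] in string.digits else ""


def process_get(params):
    """Apply the restrictions to a dict of raw (still urlencoded) GET parameters."""
    result = {}
    for name, raw in params.items():
        limit = EXCEPTION_MAX_LENGTH.get(name, SECURITY_GET_MAX_LENGTH)
        # Assumption: the limit is checked on the raw value before decoding.
        if len(raw) > limit:
            raise GetParameterViolation(f"GET parameter '{name}' exceeds {limit} characters")
        value = unquote(raw)  # urldecode(): every '%nn' sequence is decoded
        if name in ("type", "L"):
            value = clean_type_or_l(value)
        result[name] = value
    return result


if __name__ == "__main__":
    # Constructed query string values, as a browser might send them.
    print(process_get({"id": "42", "q": "50%25", "type": "3abc", "L": "x1"}))
    # {'id': '42', 'q': '50%', 'type': '3', 'L': ''}
```

The `q` value shows why a literal '%nn' cannot be transferred: the client must send `50%25` to get `50%` through, and a value that already reads `50%25` on the client side arrives as `50%`.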