On Wednesday 01 August 2001 10:20, Richard Lynch wrote:
> >> But I'm not using eval() directly on user entered data, and I can't see where it is possible.
>
> Yes, you are.
>
> pass1 is coming from the user, is it not?
>
> You are using eval() to decide if pass1 and pass2 are equal, are you not?
>
> You are therefore directly eval-ing user code.
>
> > "register_globals=off" in your php.ini and use $HTTP_*_VARS.
>
> Sigh. This does *NOT* provide *ANY* protection *WHATSOEVER*.
>
> The user can *STILL* POST malicious data, and you are *STILL* going to
> eval() it.
Actually the eval()ed string would be:
eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"];');
So there is no direct eval on the user data. I'm also using single quotes so
no special meaning chars would be expanded.
> I REPEAT:
>
> register_globals off and HTTP_xxx_VARS being more "secure" is a gross
> exaggeration.
>
> It will only trip the dumbest of the dumb trying to crack your site --
> We're talking lower than script-kiddies. Think Joe Sixpack and Betsy Buick
> here. Normal users who have noticed those funky things in URLs and decided
> to play around with them on FORMs to see what they can do.
>
> A *REAL* script-kiddie (did I just say that?) would take your HTML FORM,
> edit it in NotePad, and then POST their malicious data and your
> HTTP_POST_VARS have *bad* things in it.
Yes, and I agree with you (see the answer to Yauso). The only concern is GPC
vars overwriting script vars, and as mentioned I unset those vars before
assigning them a value or before using session register to get their values.
--
Kriheli Meir
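To make the two positions in this exchange concrete, here is an added PHP sketch (not code from either poster). It contrasts the constant-string eval() quoted above with an interpolated eval() and with no eval() at all, and then shows the GPC-overwrite concern from the reply. The request array is constructed inline, and extract() stands in for the register_globals import, so the script runs stand-alone.

```php
<?php
// Added example, not from the original thread. A constructed POST; real
// code reads $HTTP_POST_VARS (PHP 4) or $_POST.
$HTTP_POST_VARS = array('pass1' => 'hunter2', 'pass2' => 'hunter2');
// With register_globals on, PHP would create these globals itself.
$pass1 = $HTTP_POST_VARS['pass1'];
$pass2 = $HTTP_POST_VARS['pass2'];

// (a) The form quoted in the thread: the eval'd string is a single-quoted
//     constant, so the request controls only the *values* looked up through
//     $GLOBALS, never the code that gets compiled. eval() needs the ';'.
function same_via_eval() {
    $a = false;
    eval('$a = $GLOBALS["pass1"] == $GLOBALS["pass2"];');
    return $a;
}

// (b) Interpolating the values into the code string is the case the thread
//     warns about: a value containing a quote or ';' changes what executes.
function same_via_interpolation($p1, $p2) {
    $a = false;
    eval('$a = "' . $p1 . '" == "' . $p2 . '";');   // never do this
    return $a;
}

// (c) No eval() at all: read the fields explicitly and compare. Equivalent
//     to (a), needs no $GLOBALS, and nothing is compiled at run time.
function same_without_eval($vars) {
    return isset($vars['pass1'], $vars['pass2'])
        && $vars['pass1'] === $vars['pass2'];
}

var_dump(same_via_eval());                              // bool(true)
var_dump(same_via_interpolation($pass1, $pass2));       // bool(true)
var_dump(same_without_eval($HTTP_POST_VARS));           // bool(true)

// (d) The remaining concern from the reply: a request field can overwrite a
//     script variable that was set before the request data was imported.
//     extract() plays the role of register_globals here.
$authorized = false;                         // set by the script
extract(array('authorized' => '1'));         // field name chosen by the client
var_dump($authorized);                       // string(1) "1", not bool(false)

// The reply's fix: unset (or assign) the script variable *after* the
// import, and only ever read request data from the request arrays.
unset($authorized);
$authorized = false;
var_dump($authorized);                       // bool(false)
```

The point of (a) versus (c) is that the single-quoted eval() buys nothing over a plain comparison, while (d) shows why initialising script variables after the import matters regardless of the register_globals setting.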
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]