I'm devastated to hear that extract($_POST) or extract($_GET) are security risks because that's the method I went with for a bunch of scripts I'm writing now. But I don't understand how this...

    $admin = $_POST['admin'];

... is more secure? Isn't the security risk that they can hijack your var data? If so, I don't see how the above would make it possible to know whether the data in $_POST isn't coming from your own scripts. Especially for forms where it's not really efficient to validate every possibility for a field, such as a Country field. But maybe I'm missing the point, and if so I'd like to understand so I can make my scripts more secure when passing data. It seems like I will need to basically re-define every form field and GET variable at the beginning of each script literally.

Monty


> From: [EMAIL PROTECTED] (Mike Ford)
> Newsgroups: php.general
> Date: Thu, 24 Oct 2002 18:41:04 +0100
> To: "'1LT John W. Holmes'" <[EMAIL PROTECTED]>, Rick Emery <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: [PHP] extract($_POST)
>
>> -----Original Message-----
>> From: 1LT John W. Holmes [mailto:holmes072000@;charter.net]
>> Sent: 23 October 2002 19:51
>>
>> Say you have something like this:
>>
>>     if($_POST['name'] == "John")
>>     { $admin = TRUE; }
>>
>>     if($admin)
>>     { show_sensitive_data(); }
>>
>> Now, if you're using extract(), I can send $admin through the post data and
>> you'll extract it into your script. That's where the security flaw lies, but
>> the flaw is in the programming, not PHP.
>>
>> You can have a secure example by doing this:
>>
>>     $admin = FALSE;
>>     if($_POST['name'] == "John")
>>     { $admin = TRUE; }
>
> Or just $admin = $_POST['name']=="John";
>
> Actually, I'd also collapse this into the subsequent if, and write it like
> this:
>
>     if ($admin = $_POST['name']=="John"):
>         show_sensitive_data();
>     endif;
>
> I love languages where assignments are expressions!
>
> Cheers!
>
> Mike
>
> ---------------------------------------------------------------------
> Mike Ford, Electronic Information Services Adviser,
> Learning Support Services, Learning & Information Services,
> JG125, James Graham Building, Leeds Metropolitan University,
> Beckett Park, LEEDS, LS6 3QS, United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
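An added example, not code posted by anyone in the thread, that runs John's flaw and the fix Monty is asking about side by side. The request data is constructed inline so the script runs from the command line; the function names, the hypothetical `country` field and the short country list are assumptions made for illustration.

```php
<?php
// Added illustration of the extract($_POST) problem discussed above.
// $_POST is not read here; constructed request arrays are passed in instead
// so the script can be run offline with `php extract_demo.php`.

function vulnerable(array $post): bool
{
    // extract() turns every key of the request into a local variable, so a
    // request carrying admin=1 defines $admin before the check below runs.
    // The flaw is in the script, not in extract(): the script never decided
    // for itself what $admin should start out as.
    extract($post);
    if ($name == "John") {
        $admin = TRUE;
    }
    // Attacker-controlled whenever $name is not "John".
    return !empty($admin);
}

function hardened(array $post): bool
{
    // Copy only the fields this script expects into variables it names.
    // Anything else in the request is simply never looked at.
    $name = isset($post['name']) ? (string) $post['name'] : '';

    // $admin is always assigned by the script, never by request data.
    $admin = ($name === "John");
    return $admin;
}

// Monty's Country-field worry: you do not hand-validate "every possibility";
// you compare against the same list the <select> was built from and reject
// everything else. The list below is constructed for the example.
const ALLOWED_COUNTRIES = ['US', 'GB', 'DE', 'FR'];

function country_or_default(array $post, string $default = 'US'): string
{
    $c = isset($post['country']) ? (string) $post['country'] : '';
    // Strict comparison: "0", "", and look-alikes do not match anything.
    return in_array($c, ALLOWED_COUNTRIES, true) ? $c : $default;
}

// Constructed requests: a normal submission and one that smuggles admin=1
// plus a country value the form never offered.
$legit   = ['name' => 'Alice',   'country' => 'GB'];
$hostile = ['name' => 'Mallory', 'admin' => '1', 'country' => 'Atlantis'];

foreach (['legit' => $legit, 'hostile' => $hostile] as $label => $req) {
    printf("%-8s vulnerable=%s hardened=%s country=%s\n",
        $label,
        var_export(vulnerable($req), true),
        var_export(hardened($req), true),
        country_or_default($req)
    );
}
```

Running it shows `vulnerable()` granting admin to the hostile request while `hardened()` refuses it, and the unknown country being replaced by the default. Two caveats worth knowing if you keep extract() anyway: `extract($_POST, EXTR_SKIP)` does not help here, because `$admin` does not exist yet at the moment extract() runs, so there is nothing to skip; `extract($_POST, EXTR_PREFIX_ALL, 'p')` is safe in that respect, since every request key lands in `$p_name`, `$p_admin` and so on and can never collide with a variable the script owns.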