$_GET is definately insecure because the user can insert values into the URL line, 
which may expose data which should be secure (depending upon how you've written your 

$_POST is more secure, if you add additional protective coding.  An excellent example 
was provided a couple days ago.  In the following, assume $admin must be set to 
"trustme" and is set from a form:

INSECURE method 1:
if( ISSET($admin) )
    print $sensitive_data;

INSECURE method 2:
if( $admin=="trustme" )
    print $sensitive data;

$admin = "";
if( $admin == "trustme" )
    print $sensitive_data;

The insecure methods can be fooled by the user guessing/inserting a variable named 
$admin, set to "trustme" in the URL.

The more secure method ensures it MUST come from a form.  Be advised: the user can 
create his own form with $admin as a variable and submit it to your PHP script.  
Therefore, additional precautions and authentication are warranted.

----- Original Message ----- 
From: "Monty" <[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 12:37 AM
Subject: Re: [PHP] extract($_POST)

I'm devastated to hear that extract($_POST) or extract($_GET) are security
risks because that's the method I went with for a bunch of scripts I'm
writing now. But I don't understand how this...

    $admin = $_POST['admin'];

... is more secure? Isn't the security risk that they can hijack your var
data? If so, I don't see how the above would make it possible to know
whether the data in $_POST isn't coming from your own scripts. Especially
for forms where it's not really efficient to validate every possibility for
a field, such as a Country field.

But maybe I'm missing the point, and if so I'd like to understand so I can
make my scripts more secure when passing data. It seems like I will need to
basically re-define every form field and GET variable at the beginning of
each script literally.


> From: [EMAIL PROTECTED] (Mike Ford)
> Newsgroups: php.general
> Date: Thu, 24 Oct 2002 18:41:04 +0100
> To: "'1LT John W. Holmes'" <[EMAIL PROTECTED]>, Rick Emery
> Subject: RE: [PHP] extract($_POST)
>> -----Original Message-----
>> From: 1LT John W. Holmes [mailto:holmes072000@;charter.net]
>> Sent: 23 October 2002 19:51
>> Say you have something like this:
>> if($_POST['name'] == "John")
>> { $admin = TRUE; }
>> if($admin)
>> { show_sensitive_data(); }
>> Now, if you're using extract(), I can send $admin through the
>> post data and
>> you'll extract it into your script. That's where the security
>> flaw lies, but
>> the flaw is in the programming, not PHP.
>> You can have a secure example by doing this:
>> $admin = FALSE;
>> if($_POST['name'] == "John")
>> { $admin = TRUE; }
> Or just $admin = $_POST['name']=="John";
> Actually, I'd also collapse this into the subsequent if, and write it like
> this:
> if ($admin = $_POST['name']=="John"):
> show_sensitive_data();
> endif;
> I love languages where assignments are expressions!
> Cheers!
> Mike
> ---------------------------------------------------------------------
> Mike Ford,  Electronic Information Services Adviser,
> Learning Support Services, Learning & Information Services,
> JG125, James Graham Building, Leeds Metropolitan University,
> Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
> Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211 

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to