Hash: SHA1

On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote:
> > And what should these precautions be?  If a malicious user can submit
> > his own form and you are looking for a POST variable, how can you
> > ensure that $admin came from your form and not that user's?
> The problem is when a cracker uses form variables in an attempt to set the
> values of "flag" variables kept only in the session, for example, $isAdmin.
> As far as the form variables *you* put in your form, it doesn't matter
> whether the user submits your form or a form they made themselves. Those
> form variables are just data you are trying to collect.
> With register_globals on, PHP takes *all* variables (GET, POST, COOKIE)
> received from the client and assigns them to global variables. So if the
> user posts a value for $isAdmin, she can give herself admin privileges.
> The key is to retrieve *only* the form variables *you* put in the form from
> the the $_POST array. So don't write a loop and grab *everything* from that
> array.
> Kirk

Exactly! Not only should you retrieve *only* the vars you need from POST,
you should also filter them to make sure they contain what you're looking 
for.....is_alpha($_POST['name']). And no, php doesn't have an 'is_alpha' 
function....I created that as part of a filtering class.


- -- 
~Paul Nicholson
Design Specialist @ WebPower Design
"The web....the way you want it!"

"It said uses Windows 98 or better, so I loaded Linux!"
Registered Linux User #183202 using Register Linux System # 81891
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to