php-general Digest 6 Sep 2011 21:47:39 -0000 Issue 7469

2011-09-06 Thread php-general-digest-help


Topics (messages 314718 through 314719):

Learn how to have a smooth skin
314718 by: Learn how to have a smooth skin

REQUEST and COOKIE
314719 by: ALEJANDRO ZAPIOLA



[PHP] REQUEST and COOKIE

2011-09-06 Thread ALEJANDRO ZAPIOLA
Seeing that $_REQUEST[] is a matrix that has the content of $_GET,
$_POST and $_COOKIE, I think this can be used maliciously in the script.
i.e.:
request1.php
<?php
setCookie("name", "alejandro");
echo "<script>location.href='request2.php'</script>";
?>

In this case, I'm setting the variable 'name' with value 'Alejandro', then
redirecting to request2.php
request2.php
<?php
print_r($_COOKIE);
echo "<br>";
print_r($_REQUEST);
echo "<br>";
if (@$_REQUEST['name'] == "admin") {
    echo "I am admin";
} else {
    echo "You can not see this page";
}
?>

Here's the problem. The variable called 'name' is in the REQUEST context, and
this is accessible by GET and POST methods, and it is accessible by the
COOKIE matrix as well. In this case, using REQUEST is unsafe because I can
change the variable called 'name' via the GET method and it gives me access as
admin.

My question is: I do not see the good practice of using COOKIE values inside
of REQUEST; what I mean is that it can become a programming bug. Also, I
could not find answers anywhere else.

Thoughts?
Thanks!


Re: [PHP] REQUEST and COOKIE

2011-09-06 Thread James Yerge
On 09/06/2011 05:47 PM, ALEJANDRO ZAPIOLA wrote:
> Seeing that $_REQUEST[] is a matrix that has the content of $_GET,
> $_POST and $_COOKIE, I think this can be used maliciously in the script.
> i.e.:
> request1.php
> <?php
> setCookie("name", "alejandro");
> echo "<script>location.href='request2.php'</script>";
> ?>
>
> In this case, I'm setting the variable 'name' with value 'Alejandro', then
> redirecting to request2.php
> request2.php
> <?php
> print_r($_COOKIE);
> echo "<br>";
> print_r($_REQUEST);
> echo "<br>";
> if (@$_REQUEST['name'] == "admin") {
>     echo "I am admin";
> } else {
>     echo "You can not see this page";
> }
> ?>
>
> Here's the problem. The variable called 'name' is in the REQUEST context, and
> this is accessible by GET and POST methods, and it is accessible by the
> COOKIE matrix as well. In this case, using REQUEST is unsafe because I can
> change the variable called 'name' via the GET method and it gives me access as
> admin.
>
> My question is: I do not see the good practice of using COOKIE values inside
> of REQUEST; what I mean is that it can become a programming bug. Also, I
> could not find answers anywhere else.
>
> Thoughts?
> Thanks!



Why would you use this method for authentication or validation? By
default, $_REQUEST is populated with the $_GET, $_POST and $_COOKIE
contents, which could potentially be modified by the remote user, which
in turn makes the data not trustworthy.

Never trust input data, ever, it must be sanitized, scrubbed, etc before
even considering it trustworthy - in my opinion.

As for your question, it makes complete sense to populate $_REQUEST with
$_GET, $_POST and $_COOKIE contents by default because the three fall in
the REQUEST category for the HTTP protocol. Since the cookie was sent by
the server, the COOKIE header is going to be evident in the REQUEST headers.

Therefore, the only way a bug is going to be introduced and security
breached is by the author of the code ;)

http://us.php.net/manual/en/reserved.variables.request.php

The PHP team even makes mention that the contents of $_REQUEST cannot be
trusted.

James
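
The situation discussed in this thread, as an added example that is not part of either message: it rebuilds a $_REQUEST-style array under several request_order settings to show which source wins for 'name', then contrasts the check from request2.php with one that reads a role from server-side session state. build_request(), is_admin_unsafe(), is_admin() and the 'role' session key are hypothetical names, and the arrays are constructed sample input.

```php
<?php
// Added example; function names, the 'role' key and sample values are hypothetical.

// Build a $_REQUEST-style array: sources are registered left to right in the
// order given by request_order (variables_order if unset), and a later source
// overwrites an earlier one that uses the same key.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Pattern from request2.php: the decision rests on a client-supplied value.
function is_admin_unsafe(array $request): bool
{
    return isset($request['name']) && $request['name'] === 'admin';
}

// Hardened: the role is read from session state the server wrote at login,
// so nothing sent in GET, POST or COOKIE can set it.
function is_admin(array $session): bool
{
    return isset($session['role']) && $session['role'] === 'admin';
}

// Constructed sample request: the server set the cookie name=alejandro and
// the client requested request2.php?name=admin.
$cookie  = ['name' => 'alejandro'];
$get     = ['name' => 'admin'];
$session = ['user' => 'alejandro', 'role' => 'user'];

foreach (['GP', 'CG', 'GPC'] as $order) {
    $request = build_request($order, $get, [], $cookie);
    printf("request_order=%-3s name=%-9s unsafe=%-5s session=%s\n",
        $order,
        $request['name'],
        var_export(is_admin_unsafe($request), true),
        var_export(is_admin($session), true));
}
```

Which source supplies 'name' changes with the ordering, but every source is client-controlled, so only the session-based check gives the same answer in all three cases.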


[PHP] dev to production server

2011-09-06 Thread Chris Stinemetz
Does anyone have a procedure or know of any tutorials that explain how
to take a mac/apache/php/mysql dev environment and convert it to a
production environment?

Basically I want to host my own web site on my local machine now that
I have finished developing it.

Thanks in advance!
