RE: [PHP] Mommy, is it true that...?
Ermmm, are we forgetting the sprintf function? That is doing exactly what you are trying (and succeeding) to accomplish:

    if ($delete && $id) $sql = sprintf("delete from tbl where id = %d", $id);

Personally I also use a small extra security:

    if ($delete && $check == md5( . $delete)) $sql = sprintf("delete from tbl where id = %d", $delete);

This makes sure that the person is using the correct path.

Jerry

-----Original Message-----
From: Jaime Bozza [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 7:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Mommy, is it true that...?

[...]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] Mommy, is it true that...?
Another way I validate input is by using settype(); for instance:

    settype($id, "integer");

I use addslashes and settype on all data coming from a browser that ends up being used in a query. (abs will convert negative numbers, which may be what you want, but then again...)

Jaime Bozza

-----Original Message-----
From: Nathan Cassano [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Mommy, is it true that...?

[...]
Re: [PHP] Mommy, is it true that...?
Yes, that's a very good one I didn't think of!

> One thing that I do know is dangerous is deleting rows based on an
> integer field with an unprocessed value;
> Ca-Boom! The entire table has been deleted. Don't you feel dumb!
RE: [PHP] Mommy, is it true that...?
One thing that I do know is dangerous is deleting rows based on an integer field with an unprocessed value.

Example: Delete row script

By simply appending an all-inclusive SQL clause:

    $id = "21421 or 1 = 1";

Ca-Boom! The entire table has been deleted. Don't you feel dumb!

Instead, process the input:

    $id = abs($id);

-----Original Message-----
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 5:40 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Mommy, is it true that...?

[...]
Re: [PHP] Mommy, is it true that...?
On Friday 21 December 2001 02:39, you wrote:

I believe (not sure, so please clarify) that if your code was

    if ($pwd == "goodpwd")
        $lethimin = 1;
    else
        $lethimin = 0;

the code would be secure. Only setting the variable when the pass is correct would be too easy to crack, right? Since I'd call the page like page.php?lethimin=bla, now it's a string with text which evals TRUE, which is a major security breach, correct?

Kind regards & happy holidays

> Hi everybody!
>
> Two things I consider urban myths about PHP (plus MySQL) - please let me
> know what you think of these:
>
> 1. The evil global variables
>
> Ok, the classic
>
> <?php
> if ($pwd=="GOODPASSWORD")
> {
>     $lethimin=1;
> }
> [bullshit code]
> if ($lethimin)
> {
>     echo(fread(fopen("/etc/passwd","r"), filesize("/etc/passwd")));
> }
> ?>
>
> is obviously valid. But let's be serious, who codes this? The example
> code is valid and it's easily crackable indeed, but you don't do that
> kind of thing - you do it in one step. Even if you really need the
> bullshit code in there for some obscure reason, this is the log-in code,
> damnit, anybody takes care of that!
>
> Why I raised this issue is because I think people tend to get paranoid
> about PHP. And that happens in both worlds - customers and developers.
> Nothing to say about customers, I'd be careful too if I heard some dude
> got intoxicated at a McDonald's in Bogota. My problem is with developers
> - they got it in their head that variables are your enemy and initialize
> everything nowadays - including local variables!
>
> My question to you guys is this: does anybody know of a real example
> where reasonably careful coding led to disaster with global variables?
>
> 2. Please enter your age: 25; drop database mysql
>
> Does this actually work?
[...]
> Bogdan
Re: [PHP] Mommy, is it true that...?
At 03:39 AM 12/21/2001 +0200, Bogdan Stancescu wrote:

> Hi everybody!
>
> Two things I consider urban myths about PHP (plus MySQL) - please let me
> know what you think of these:
>
> 1. The evil global variables
[...]
> My question to you guys is this: does anybody know of a real example
> where reasonably careful coding led to disaster with global variables?

I personally don't, but apparently the PHP developers think it's enough of a risk that they've deprecated register_globals in 4.1.0...

> 2. Please enter your age: 25; drop database mysql
>
> Does this actually work?
[...]
> So I decided I had to test this: I wrote the code exactly as in the
> example; I provided the exact dangerous input (well, to be honest, I
> tried a select instead of drop mysql). When I tried it, the presumably
> dangerous situation degraded into a trivial MySQL error. It went
> something like "You have an error near '; select 1+1'".

I've done something similar in the past just for kicks, and I got the same result you did (i.e. an error). I believe this is because mysql_query() expects ONE query at a time and will break if you send two or more. I could be completely and totally wrong about that, though (someone please correct me if I am)...
[PHP] Mommy, is it true that...?
Hi everybody!

Two things I consider urban myths about PHP (plus MySQL) - please let me know what you think of these:

1. The evil global variables

Ok, the classic

    <?php
    if ($pwd=="GOODPASSWORD")
    {
        $lethimin=1;
    }
    [bullshit code]
    if ($lethimin)
    {
        echo(fread(fopen("/etc/passwd","r"), filesize("/etc/passwd")));
    }
    ?>

is obviously valid. But let's be serious, who codes this? The example code is valid and it's easily crackable indeed, but you don't do that kind of thing - you do it in one step. Even if you really need the bullshit code in there for some obscure reason, this is the log-in code, damnit, anybody takes care of that!

Why I raised this issue is because I think people tend to get paranoid about PHP. And that happens in both worlds - customers and developers. Nothing to say about customers, I'd be careful too if I heard some dude got intoxicated at a McDonald's in Bogota. My problem is with developers - they got it in their head that variables are your enemy and initialize everything nowadays - including local variables!

My question to you guys is this: does anybody know of a real example where reasonably careful coding led to disaster with global variables?

2. Please enter your age: 25; drop database mysql

Does this actually work?

I've read at least a dozen articles telling people to get it in their blood not to trust users and addslashes any kind of incoming data, as well as pass it as strings to mysql ("insert into person set age='$age'" instead of "insert into person set age=$age").

So I decided I had to test this: I wrote the code exactly as in the example; I provided the exact dangerous input (well, to be honest, I tried a select instead of drop mysql). When I tried it, the presumably dangerous situation degraded into a trivial MySQL error. It went something like "You have an error near '; select 1+1'".

Did you ever actually try this? Does it work on your system?

Thanks in advance for the input!

Bogdan