php-general Digest 7 Sep 2011 10:30:41 -0000 Issue 7470
Topics (messages 314720 through 314723):
Re: REQUEST and COOKIE
314720 by: James Yerge
dev to production server
314721 by: Chris Stinemetz
mysql_fetch_object() equivalent for mongoDB
314722 by: chamila gayan
PHP sessions expiring early
314723 by: Paul Waring
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail:
php-gene...@lists.php.net
----------------------------------------------------------------------
--- Begin Message ---
On 09/06/2011 05:47 PM, ALEJANDRO ZAPIOLA wrote:
> Seeing the $_REQUEST[] and it is a matrix that has the content of $_GET,
> $_POST and $_COOKIE, I think this can be used maliciously into the script.
> i.e.:
> request1.php
> <?php
> setCookie("name","alejandro");
> echo "<script>location.href='request2.php'</script>";
> ?>
>
> In this case, I'm setting the variable 'name' with value 'Alejandro', then
> redirects to request2.php
> request2.php
> ?php
> print_r($_COOKIE);
> echo "<br>";
> print_r($_REQUEST);
> echo "<br>";
> if(@$_REQUEST['name'] == "admin"){
> echo "I am admin";
> }else{
> echo "You can not see this page";
> }
> ?>
>
> Here's the problem. The variable called 'name' is into REQUEST context, and
> this is accessible by GET and POST methods, and it is accessible by the
> COOKIE matrix as well. In this case, use Request is unsafe because I can
> change the variable called 'name' via GET method and it's give me access as
> admin.
>
> Mi question is: I do not see the good practice of using COOKIE values into
> of REQUEST, what I mean is that it can become in a programming bug. Also I
> could not fin answers anywhere else.
>
> thoughts?
> Thanks!
>
Why would you use this method to for authentication or validation? By
default, $_REQUEST is populated with the $_GET, $_POST and $_COOKIE
contents, which could potentially be modified by the remote user, which
in turns makes the data not trustworthy.
Never trust input data, ever, it must be sanitized, scrubbed, etc before
even considering it trustworthy - in my opinion.
As for your question, it makes complete sense to populate $_REQUEST with
$_GET, $_POST and $_COOKIE contents by default because the three call in
the REQUEST category for the HTTP protocol. Since the cookie was sent by
the server, the COOKIE header is going to be evident in the REQUEST headers.
Therefore, the only way a bug is going to be introduced and security
breached is by the author of the code ;)
http://us.php.net/manual/en/reserved.variables.request.php
The PHP team even makes mention that the contents of $_REQUEST cannot be
trusted.
James
--- End Message ---
--- Begin Message ---
Does anyone have a procedure or know of any tutorials that explain how
to take a mac/apache/php/mysql dev environment and converting it to
production environment?
Basically I want to host my own web site on my local machine now that
I have finished developing it.
Thanks in advance!
--- End Message ---
--- Begin Message ---
hi all,
Is anybody aware of mysql_fetch_object() equivalent/similar implementation
for mongoDB?
we are looking for the most efficient way to store and load a php object
with mongoDB. really appreciate if you can share your experience on this.
thanks..
~Chamila Gayan
--- End Message ---
--- Begin Message ---
I'm having trouble with a PHP website which requires users to be logged
in to access all content other than the home page and a couple of static
pages (about us, contact us etc.). Several users have said they are
being logged out every few minutes whilst using the site - they can
login but will be shown the login form again after a few minutes. I
can't confirm this myself as the site seems to work fine for me - even
using the same browser as they are and under their accounts - but I'm
wondering if this could be a problem with the session settings?
The current settings I have are:
session.auto_start Off
session.bug_compat_42 On
session.bug_compat_warn On
session.cache_expire 180
session.cache_limiter nocache
session.cookie_domain no value
session.cookie_httponly Off
session.cookie_lifetime 0
session.cookie_path /
session.cookie_secure Off
session.entropy_file no value
session.entropy_length 0
session.gc_divisor 100
session.gc_maxlifetime 3600
session.gc_probability 1
session.hash_bits_per_character 4
session.hash_function 0
session.name PHPSESSID
session.referer_check no value
session.save_handler files
session.save_path /shared/sessions
session.serialize_handler php
session.use_cookies On
session.use_only_cookies Off
session.use_trans_sid 0
The only options I have changed from the defaults are gc_maxlifetime,
gc_probability and save_path. There are several sites on the same
server, some are https, others just plain http. They all use the same
session options. session_start() is called once on every page.
The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch
0.9.6.2 (cli) (built: Jul 1 2011 16:01:01). I'm aware it's an old
version before anyone tells me to upgrade (it's the latest stable
version in Debian Lenny). :)
Potential problems I have already ruled out:
1. I don't think it's a browser problem as the users have a variety of
browsers and versions (we log the user agent for each login, they're
mostly IE7/8 on XP/Vista/7 with a few Chrome users), and I can't
reproduce the problem using the same browsers on my machine.
2. The server time is correct.
3. The sessions aren't stored in a directory which is being regularly
cleared out, such as /var/lib/php5 or /tmp.
4. The web server has permission to write to the save_path directory,
and I can see session files being created.
5. No output buffering functions are being used.
Can anyone suggest things which I could try? I cannot work out why this
problem is happening for some users but not me.
Thanks in advance.
Paul
--
Paul Waring
http://www.phpdeveloper.org.uk
--- End Message ---
