RE: [PHP] Mommy, is it true that...?

2001-12-24 Thread Jerry Verhoef (UGBI)

Ermmm are we forgetting the sprintf function? That is doing exactly what you
are trying (and succeeding) to accomplish.

if ($delete && $id)
    $sql = sprintf("delete from tbl where id = %d", $id);

Personally I also use a small extra security

if ($delete && $check == md5(SECURITYWORD . $delete))
    $sql = sprintf("delete from tbl where id = %d", $delete);

This makes sure that the person is using the correct path. 

Jerry

-Original Message-
From: Jaime Bozza [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 7:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Mommy, is it true that...?


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Re: [PHP] Mommy, is it true that...?

2001-12-21 Thread TD - Sales International Holland B.V.

On Friday 21 December 2001 02:39, you wrote:

I believe (not sure so please clarify) that if your code was
if ($pwd == "goodpwd") $lethimin = 1;
else $lethimin = 0;

the code would be secure. Only setting the variable when the pass is correct 
would be too easy to crack, right? Since I'd call the page like 
page.php?lethimin=bla
now it's a string with text which evals TRUE, which is a major security breach, 
correct?

kind regards & happy holidays


 Hi everybody!

 Two things I consider urban myths about PHP (plus MySQL) - please let me
 know what you think of these:

 1. The evil global variables

 Ok, the classic
 <?php
   if ($pwd == "GOODPASSWORD")
   {
     $lethimin = 1;
   }
   /* [bullshit code] */
   if ($lethimin)
   {
     echo(fread(fopen("/etc/passwd", "r"), filesize("/etc/passwd")));
   }
 ?>

RE: [PHP] Mommy, is it true that...?

2001-12-21 Thread Nathan Cassano


One thing that I do know is dangerous is deleting rows based on an
integer field with an unprocessed value;


Example: Delete row script
<?php

if ($delete && $id) {
    // $id is used exactly as the browser sent it
    mysql_query("delete from mytable where id = $id");
}

?>

By simply appending an all inclusive sql clause.

$id = "21421 or 1 = 1";

Ca-Boom! The entire table has been deleted. Don't you feel dumb!

Instead process the input.
$id = abs($id);

-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 20, 2001 5:40 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Mommy, is it true that...?

Re: [PHP] Mommy, is it true that...?

2001-12-21 Thread Bogdan Stancescu

Yes, that's a very good one I didn't think of!

 One thing that I do know is dangerous is deleting rows based on an
 integer field with an unprocessed value;

 Ca-Boom! The entire table has been deleted. Don't you feel dumb!


RE: [PHP] Mommy, is it true that...?

2001-12-21 Thread Jaime Bozza

Another way I validate input is by using settype();

For instance:

settype($id, "integer");

I use addslashes and settype on all data coming from a browser that ends
up being used in a query.

(abs will convert negative numbers, which may be what you want, but then
again. <G>)


Jaime Bozza

-Original Message-
From: Nathan Cassano [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 21, 2001 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Mommy, is it true that...?

[PHP] Mommy, is it true that...?

2001-12-20 Thread Bogdan Stancescu

Hi everybody!

Two things I consider urban myths about PHP (plus MySQL) - please let me
know what you think of these:

1. The evil global variables

Ok, the classic
<?php
  if ($pwd == "GOODPASSWORD")
  {
    $lethimin = 1;
  }
  /* [bullshit code] */
  if ($lethimin)
  {
    echo(fread(fopen("/etc/passwd", "r"), filesize("/etc/passwd")));
  }
?>
is obviously valid. But let's be serious, who codes this? The example
code is valid and it's easily crackable indeed, but you don't do that
kind of thing - you do it in one step. Even if you really need the
bullshit code in there for some obscure reason, this is the log in code
damnit, anybody takes care of that!

Why I raised this issue is because I think people tend to get paranoid
about PHP. And that happens in both worlds - customers and developers.
Nothing to say about customers, I'd be careful too if I heard some dude
got intoxicated at a McDonald's in Bogota. My problem is with developers
- they got it in their head that variables are your enemy and initialize
everything nowadays - including local variables!

My question to you guys is this: does anybody know of a real example where
reasonably careful coding led to disaster with global variables?

2. Please enter your age: 25; drop database mysql

Does this actually work?

I've read at least a dozen articles telling people to get it in their
blood not to trust users and addslashes any kind of incoming data, as
well as pass it as strings to mysql (insert into person set age='$age'
instead of insert into person set age =$age).

So I decided I had to test this: I wrote the code exactly as in the
example; I provided the exact dangerous input (well, to be honest, I
tried a select instead of drop mysql). When I tried it, the presumably
dangerous situation degraded into a trivial MySQL error. It went
something like You have an error near '; select 1+1'.

Did you ever actually try this? Does it work on your system?

Thanks in advance for the input!

Bogdan



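Added example, not code from the thread or any of its posters: Bogdan's "classic" flag check beside TD's both-branch version and a one-step check, each fed the forged page.php?lethimin=bla request TD describes. register_globals no longer exists in modern PHP, so extract() over a constructed request array stands in for it; the GOODPASSWORD value is a placeholder.

```php
<?php
// Added example, not code from the thread. PHP 4's register_globals turned every
// request parameter into a global variable; extract() over the request array
// reproduces that behaviour here so the effect shows on a modern PHP CLI.

define("GOODPASSWORD", "placeholder-password");  // placeholder constant

// Bogdan's "classic": $lethimin is assigned only on success, so a value the
// request already planted survives the unrelated code in between.
function classicCheck(array $request) {
    extract($request);                  // stands in for register_globals
    if (isset($pwd) && $pwd == GOODPASSWORD) {
        $lethimin = 1;
    }
    /* [bullshit code] */
    return !empty($lethimin);
}

// TD's version: both branches assign, so whatever the request supplied is
// overwritten before the flag is tested.
function bothBranchesCheck(array $request) {
    extract($request);
    if (isset($pwd) && $pwd == GOODPASSWORD) {
        $lethimin = 1;
    } else {
        $lethimin = 0;
    }
    return (bool) $lethimin;
}

// Bogdan's "do it in one step": no flag variable exists to be planted, and the
// password is read from the request array rather than from a bare global.
function oneStepCheck(array $request) {
    return isset($request["pwd"]) && $request["pwd"] === GOODPASSWORD;
}

// Constructed requests: TD's forged page.php?lethimin=bla, and a genuine login.
$forged  = ["lethimin" => "bla"];
$genuine = ["pwd" => GOODPASSWORD];

var_dump(classicCheck($forged));       // forged request is let in: "bla" is truthy
var_dump(bothBranchesCheck($forged));  // forged request refused
var_dump(oneStepCheck($forged));       // forged request refused
var_dump(classicCheck($genuine));      // genuine login accepted by all three
var_dump(oneStepCheck($genuine));
```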

Re: [PHP] Mommy, is it true that...?

2001-12-20 Thread Michael Sims

At 03:39 AM 12/21/2001 +0200, Bogdan Stancescu wrote:
Hi everybody!

Two things I consider urban myths about PHP (plus MySQL) - please let me
know what you think of these:

1. The evil global variables
[...]
My question to you guys is this: does anybody know of a real example of
reasonably careful coding led to disaster with global variables?

I personally don't, but apparently the PHP developers think it's enough of 
a risk that they've deprecated register_globals in 4.1.0...

2. Please enter your age: 25; drop database mysql

Does this actually work?
[...]
So I decided I had to test this: I wrote the code exactly as in the
example; I provided the exact dangerous input (well, to be honest, I
tried a select instead of drop mysql). When I tried it, the presumably
dangerous situation degraded into a trivial MySQL error. It went
something like You have an error near '; select 1+1'.

I've done something similar in the past just for kicks, and I got the same 
result you did (i.e. an error).  I believe this is because mysql_query() 
expects ONE query at a time and will break if you send two or more.  I 
could be completely and totally wrong about that, though (someone please 
correct me if I am)...


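Added example, not code from the thread or any of its posters: it builds the query strings that Nathan's delete script, Jaime's settype(), Jerry's sprintf()/md5 check and Bogdan's age question argue about, so the effect of each processing step can be read off the resulting SQL text. Table and column names are the thread's own, the SECURITYWORD value is a placeholder, the hostile inputs are constructed, and no database is contacted.

```php
<?php
// Added example, not code from the thread. It only builds the query strings the
// thread argues about (no database is contacted), so the effect of each
// input-processing step can be read off the resulting SQL text.
$id  = "21421 or 1 = 1";           // constructed hostile input, Nathan's example
$age = "25; drop database mysql";  // constructed hostile input, Bogdan's example

// Unprocessed interpolation: the input text becomes part of the SQL grammar
// and the WHERE clause now matches every row.
function deleteUnprocessed($id) {
    return "delete from mytable where id = $id";
}

// settype() (Jaime): PHP keeps the leading digits and drops the rest.
function deleteSettype($id) {
    settype($id, "integer");
    return "delete from mytable where id = $id";
}

// abs() (Nathan), with Jaime's caveat: "-5" becomes 5, a different row rather
// than no row. The explicit cast keeps modern PHP from warning on the string.
function deleteAbs($id) {
    return "delete from mytable where id = " . abs((int) $id);
}

// sprintf("%d") (Jerry): the placeholder can only ever emit an integer.
function deleteSprintf($id) {
    return sprintf("delete from tbl where id = %d", $id);
}

// Jerry's extra check: the request must also carry md5(SECURITYWORD . id), so
// an id typed into the URL by hand fails the check and no query is built.
define("SECURITYWORD", "placeholder-secret");  // placeholder; keep it private
function deleteWithToken($id, $check) {
    return $check === md5(SECURITYWORD . $id)
        ? sprintf("delete from tbl where id = %d", $id) : null;
}

// Bogdan's age question: unquoted, the string carries two statements; cast to
// int it carries one (quoting plus addslashes() is the route for text columns).
function insertAge($age) {
    return "insert into person set age = " . (int) $age;
}

$cases = ["raw" => deleteUnprocessed($id), "settype" => deleteSettype($id),
          "abs(-5)" => deleteAbs("-5"), "sprintf" => deleteSprintf($id),
          "token" => deleteWithToken($id, "forged"), "age" => insertAge($age)];
foreach ($cases as $name => $sql) {
    printf("%-8s %s\n", $name, $sql === null ? "(refused)" : $sql);
}
```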