Re: [PHP] Re: Variables within a string
On Thursday 14 March 2002 14:14, Analysis & Solutions wrote: [snip] > The examples on that page are lame. For example: > >if($HTTP_COOKIE_VARS['username']){ > // can only come from a cookie, forged or otherwise > $good_login = 1; > fpassthru ("/highly/sensitive/data/index.html"); >} [snip] Admittedly the example given in the manual wasn't very good or clear. Let's change the example slightly. if($HTTP_COOKIE_VARS['username']) { // can only come from a cookie, forged or otherwise $good_login = 1; } // later on ... if ($good_login) { fpassthru ("/highly/sensitive/data/index.html"); } else { echo("Hello, you're not logged in!"); } Now if register_globals was ON then it's a simple matter of passing a value in the URL to gain access to the sensitive data without actually having to log in: http://www.domain.com/display_secret_data.php?good_login=1 If register_globals is OFF then the above ploy would not work because good_login would not automatically make it into the variable namespace. Enabling register_globals is nice and convenient but it's very easy to shoot yourself in the foot if you don't track where your variables are coming from, or you don't initialise your variables properly. -- Jason Wong -> Gremlins Associates -> www.gremlins.com.hk /* Carmel, New York, has an ordinance forbidding men to wear coats and trousers that don't match. */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Variables within a string
On Tue, Mar 12, 2002 at 05:42:12PM +0800, Jason Wong wrote: > On Tuesday 12 March 2002 12:27, Analysis & Solutions wrote: > > The source of the data *does* matter. That is why the latest releases of > PHP (> 4.0.6) recommends having register_globals OFF by default. > ... snip snip snip ... > To see why the source of data matters, see the chapter "Security::Using > Register Globals" The examples on that page are lame. For example: if($HTTP_COOKIE_VARS['username']){ // can only come from a cookie, forged or otherwise $good_login = 1; fpassthru ("/highly/sensitive/data/index.html"); } Naturally, just because someone submits a user name doesn't make their submission valid. I know, they're just using that as an example. But, in the real world, you need to first make sure the username submitted fits within your expected parameters of length and character types. Plus, if you're about to put that user name into a query, doesn't contain any characters which will trick the query. Then, you need to check that the user name is valid. Then, and only then, would you permit the user to get the sensitive data. Regardless of where the data comes from, all of those steps need to be taken. Thus, it doesn't matter where the data came from. > But if you don't know where the data came from then it's not secure. Consider > a "real-life" example. Robin Hood steals the Sheriff's ATM card, and the > Sheriff stupidly enough has written the PIN onto the back of the card. Now > Robin can go and withdraw all the money from the Sheriff's account because > the ATM has no way of knowing that the card was stolen (it doesn't know where > the source of the data came from), all it knows is that the data is valid > (right card, right PIN). Hmm. You're correct. At the same time, the point I'm trying to make is not about the person transmitting the data, but rather, the means they're doing so. My issue is the thief would also be able to use that pin to (hypothetically, of course) access the Sheriff's account via debit card purchases in stores, the bank's website and bank-by-phone services. Regardless of the means used to transmit the PIN, the bank still needs to ensure the data is clean before they perform the check to see if the PIN is the right PIN for that account. Enjoy, --Dan -- PHP scripts that make your job easier http://www.analysisandsolutions.com/code/ SQL Solution | Layout Solution | Form Solution T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Variables within a string
On Monday, March 11, 2002, at 10:34 PM, Jason Wong wrote: >>> On Monday 11 March 2002 11:10, Chris Cocuzzo wrote: $foo = "Entry for " . $HTTP_POST_VARS["name"]; >>> >>> $foo = "Entry for for $HTTP_POST_VARS[name]"; >> >> But that's not good programming. Associative arrays should have the >> key >> quoted in order to avoid confusion with contants. See >> http://www.php.net/manual/en/language.types.array.php#language.types.array. >> donts > > Inside of double-quoted strings there is no need to single-quote the > array > key (in fact it can't be done, gives syntax error). The section of the > manual > you quoted states this :) I thought that it could be done like so: $foo = "Entry for {$HTTP_POST_VARS['name']}"; Sorry for butting in, Erik Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Variables within a string
I love your example.. > But if you don't know where the data came from then it's not secure. > Consider a "real-life" example. Robin Hood steals the Sheriff's ATM card, > and the Sheriff stupidly enough has written the PIN onto the back of the > card. Now Robin can go and withdraw all the money from the Sheriff's > account because the ATM has no way of knowing that the card was stolen (it > doesn't know where the source of the data came from), all it knows is that > the data is valid (right card, right PIN). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Variables within a string
On Tuesday 12 March 2002 12:27, Analysis & Solutions wrote: > > For security reasons. To make sure the variable did come from POSTing a > > form and not from the URL. > > Neither is more or less secure. The source of the data doesn't matter. The source of the data *does* matter. That is why the latest releases of PHP (> 4.0.6) recommends having register_globals OFF by default. That is also why instead of the cumbersome $HTTP_POST_VARS[] (etc) it's been changed to a much shorter $_POST[]. And to further encourage you to use the new form, $_POST[], $GET[] etc have been made "super global" so they can be used directly inside functions without having to declare them as global. To see why the source of data matters, see the chapter "Security::Using Register Globals" > Regardless of where the info is from, validating user input is the only > way to ensure security. But if you don't know where the data came from then it's not secure. Consider a "real-life" example. Robin Hood steals the Sheriff's ATM card, and the Sheriff stupidly enough has written the PIN onto the back of the card. Now Robin can go and withdraw all the money from the Sheriff's account because the ATM has no way of knowing that the card was stolen (it doesn't know where the source of the data came from), all it knows is that the data is valid (right card, right PIN). -- Jason Wong -> Gremlins Associates -> www.gremlins.com.hk /* Let not the sands of time get in your lunch. */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Variables within a string
On Tue, Mar 12, 2002 at 11:34:14AM +0800, Jason Wong wrote: > On Tuesday 12 March 2002 11:11, Analysis & Solutions wrote: > > On Mon, Mar 11, 2002 at 08:39:16PM -0500, webapprentice wrote: > > > From: Jason Wong <[EMAIL PROTECTED]> > > > > > > On Monday 11 March 2002 11:10, Chris Cocuzzo wrote: > > > > $foo = "Entry for " . $HTTP_POST_VARS["name"]; > > > > > > $foo = "Entry for for $HTTP_POST_VARS[name]"; > > > > But that's not good programming. Associative arrays should have the key > > quoted in order to avoid confusion with contants. > > Inside of double-quoted strings there is no need to single-quote the array > key (in fact it can't be done, gives syntax error). The section of the manual > you quoted states this :) Yes. Quoting the array key inside a string is not correct. Never said it was. Now that I think about it, though, if you use the associative array inside a string, there's no way the string key can be confused with a constant, so the main point of my initial post is mute. So, you're right that the following is kosher: $foo = "Entry for for $HTTP_POST_VARS[name]"; > For security reasons. To make sure the variable did come from POSTing a form > and not from the URL. Neither is more or less secure. The source of the data doesn't matter. Regardless of where the info is from, validating user input is the only way to ensure security. Enjoy, --Dan -- PHP scripts that make your job easier http://www.analysisandsolutions.com/code/ SQL Solution | Layout Solution | Form Solution T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Variables within a string
On Tuesday 12 March 2002 11:11, Analysis & Solutions wrote: > On Mon, Mar 11, 2002 at 08:39:16PM -0500, webapprentice wrote: > > From: Jason Wong <[EMAIL PROTECTED]> > > > > On Monday 11 March 2002 11:10, Chris Cocuzzo wrote: > > > $foo = "Entry for " . $HTTP_POST_VARS["name"]; > > > > $foo = "Entry for for $HTTP_POST_VARS[name]"; > > But that's not good programming. Associative arrays should have the key > quoted in order to avoid confusion with contants. See > http://www.php.net/manual/en/language.types.array.php#language.types.array. >donts Inside of double-quoted strings there is no need to single-quote the array key (in fact it can't be done, gives syntax error). The section of the manual you quoted states this :) [snip] > Now, I wonder why you're even assigning this information to yet another > varialbe. Why not just use the information straight up?: >echo "Entry for for $name"; > > Of course, there are legitimate reasons for your approach, but often new > programmers needlessly assign stuff to varialbes. Just making sure. For security reasons. To make sure the variable did come from POSTing a form and not from the URL. > Finally, if you really want to use $HTTP_POST_VARS[] AND your'e > running PHP 4.1*, consider using the superglobal $_POST[] instead. -- Jason Wong -> Gremlins Associates -> www.gremlins.com.hk /* Nobody knows what goes between his cold toes and his warm ears. -- Roy Harper */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php