On Tue, Apr 7, 2009 at 10:34 PM, Konstantin Rozinov <[email protected]> wrote:

> On Mon, Apr 6, 2009 at 12:47 AM, Brian Williams <[email protected]> wrote:
> >
> > if his code had read:
> >
> > error_log(__FUNCTION__ . "($username): called.", 3, $log_file);
> >
> > I wouldn't have made any comment at all.
> >
> > If the backticked code were not in double quotes it would be executed and
> > the resulting output of the backticked code would be recorded to the log.
>
> Brian,
>
> This is not true. I tested what was discussed in this thread and here
> are the results.
>
> (1)
> If an attacker submits the following as the $username: `touch /tmp/fooooo`
> This will be outputted to the logfile: check_username(`touch /tmp/fooooo`): called.
> The attacker's input is not executed. It is treated as a string.
>
> (2)
> If an attacker submits the following as the $username: <?php `touch /tmp/fooooo` ?>
> This will be outputted to the logfile: check_username(<?php `touch /tmp/fooooo` ?>): called.
> The attacker's input is not executed. It is treated as a string.
>
> Only if I process the logfile with php -f <logfile> will the code in
> (2) actually execute.
> The code in (1) won't even run since it's outside the <?php ?> tags,
> but that's a minor point.
>
> Paul raises a good question about log processing software that might
> interpret and run the code....it seems that's where the real problem
> lies.
>
> Konstantin Rozinov

Ok, after bad examples, and all the hullabaloo, and being proven wrong about said bad examples... what I say still stands: Always check the data the user sent you - just check it in such a way that is appropriate for your situation.

If you don't believe in that then stop checking the data any user enters on any of your forms, and don't worry about XSS or SQL injections because that's basically what Michael is saying, only escape user data before inserting into the database. I guess that would make form processing easier. Insanity.
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
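A defender-side illustration of the point the thread arrives at, added here and not code from any participant: the error_log() call as quoted writes the string verbatim (nothing is executed at write time), so the protection has to be applied to the user-controlled part before it reaches the file, for the benefit of whatever later reads the log. The helper names sanitize_for_log() and log_call() and the sanitisation policy they apply are assumptions, not anything the thread specifies.

```php
<?php
// Added example, not code from the thread. error_log() with message type 3
// appends the string as-is, so backticks or "<?php" inside $username are never
// executed here; the risk is a downstream consumer that interprets the log
// (php -f, a web-based log viewer, a shell script reading the file).
// sanitize_for_log() and log_call() are assumed helper names.

function sanitize_for_log(string $value, int $max_len = 64): string
{
    // Replace CR/LF so one submission cannot forge additional log lines.
    $value = str_replace(["\r", "\n"], ' ', $value);
    // Replace every other non-printable byte (NUL, terminal escape bytes, ...).
    // This is an ASCII-only policy; widen the class if usernames may be UTF-8.
    $value = preg_replace('/[^\x20-\x7E]/', '?', $value);
    // Break PHP open/close tags so a log fed to "php -f" stays plain text and a
    // browser-based viewer shows them as text instead of interpreting markup.
    $value = str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $value);
    // Bound the length so a single request cannot fill the file.
    if (strlen($value) > $max_len) {
        $value = substr($value, 0, $max_len) . '...';
    }
    return $value;
}

// Same shape as the error_log() call quoted in the thread, with the
// user-controlled part sanitised first. Returns the written line for inspection.
function log_call(string $function, string $user_input, string $log_file): string
{
    $line = $function . '(' . sanitize_for_log($user_input) . '): called.' . PHP_EOL;
    error_log($line, 3, $log_file);
    return $line;
}

// Constructed sample input: the thread's own two inputs joined by a newline,
// so all three transformations are visible in one written line.
$log_file = sys_get_temp_dir() . '/check_username.log';
echo log_call('check_username', "`touch /tmp/fooooo`\n<?php `touch /tmp/fooooo` ?>", $log_file);
```

The written line contains no newline, no raw `<?` or `?>`, and the backticks remain literal text, which is the property a later `php -f` or log viewer needs.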
