Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding + code


From: Andrew Rucker Jones <arjones () simultan dyndns org>
Date: Thu, 04 Dec 2003 19:29:19 +0000


[Ed. Yes, PGP-signed submissions are just fine--encouraged even.
It's just the HTML and MIME that there are problems with.  This 
one _should_ work....  ;-)  KRvW]



I know this is not what You asked, but i'm no secure coding guru. It
just occurred to me that this code:

| $username=stripslashes(trim($_POST['username']));
| $password=stripslashes(trim($_POST['password']));

would disallow a user from having slashes (and possibly other characters
-- i don't know PHP and the stripslashes() command) in their passwords
(and usernames, but i think they can live with that). I know this always
annoys me when Web sites do this. Is any sanitation of the password
field necessary (except possibly trim())? Going on the assumption that
PHP does not use \0 to indicate the end of a string (as i said, i don't
know PHP), the only thing You do with the password field directly is
check that it is not empty, then put it through MD5. I think MD5 is
sanitation enough. What do others say? (This would also give You a
really tiny speed improvement. :) ).

At the very least, the user would have to be informed of this with
proper error checking upon account creation or password change.
(Although one could argue that if You use the same process upon account
creation, it would work, and the user would be none the wiser. But then
You could theoretically run into problems with duplicate usernames if
one person took johndoe and another took john/doe. It would be confusing
to the user, i think. Okay, i'm running off into the wilderness now.)

                -&

-- 
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.

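An added illustration of the two points raised above (trim-then-stripslashes versus leaving the password untouched, and the username-collision problem), written for this archive page and not part of the original post or the code it quotes. It assumes PHP 7.4 or later; the inputs are constructed, and they use a backslash because stripslashes() removes backslashes.

```php
<?php
// Added example, not from the original post. Shows what the quoted
// stripslashes(trim(...)) pipeline does to a password, the alternative
// the post suggests (check for empty, then hash), and why a uniqueness
// check on usernames must run on the normalized form.

// The quoted approach: trim, strip backslashes, then hash.
function hash_stripped(string $raw): string {
    return md5(stripslashes(trim($raw)));
}

// The post's alternative: only reject an empty password, then hash the
// bytes as submitted. No character is removed, so distinct inputs stay
// distinct (the post uses MD5, so MD5 is kept here for the comparison).
function hash_untouched(string $raw): ?string {
    if ($raw === '') {
        return null;
    }
    return md5($raw);
}

// Username normalization exactly as in the quoted code.
function normalize_username(string $raw): string {
    return stripslashes(trim($raw));
}

// Groups raw usernames that normalize to the same stored value. Any group
// with more than one member is a collision the account-creation check
// would have to detect before it accepts the second registration.
function find_username_collisions(array $usernames): array {
    $groups = [];
    foreach ($usernames as $u) {
        $groups[normalize_username($u)][] = $u;
    }
    return array_filter($groups, fn(array $g): bool => count($g) > 1);
}

// Constructed inputs: 'pa\ss' (one backslash) and 'pass'.
foreach (['pa\\ss', 'pass'] as $p) {
    printf("%-6s stripped=%s untouched=%s\n",
           $p, hash_stripped($p), hash_untouched($p));
}
// hash_stripped gives the same digest for both, so the stripped form
// 'pass' would also log in; hash_untouched gives two different digests.

// Constructed usernames: 'johndoe' and 'john\doe' collide after stripslashes().
print_r(find_username_collisions(['johndoe', 'john\\doe', 'janedoe']));
```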