WebApp Sec mailing list archives
RE: Anyone have some basic security tips for PHP-programmers?
From: <arek () chelmnet pl>
Date: Thu, 20 Nov 2003 01:50:57 +0100
> Your first code block:
> 1. Request variables containing variables will be evaluated (e.g. $config[mysql_pass]).

OK, so we should escape or drop $, [, ], etc.

> 2. The keys will not be escaped
> (file.php?a%3D1%3B+print+file_get_contents%28%22%2Fetc%2Fshadow%22%29%3B+%2F%2F=hacked)

Hmm.

> 3. You're setting globals, easy to overwrite things (file.php?_SERVER[REMOTE_ADDR]=127.0.0.1)

I tried that - this is not vulnerable ...

> Your second code block:
> 1. file.php?FUNCTION_INIT=file_get_contentsl&ARG1=/etc/shadow&ARG1_VAL=0

Yeah, thanks, I forgot about PHP-specific functions that can be INITIATED... - must validate that step. That's a really big BUG...

> A few things.
> 1. ; is not used in mysql_query
> 2. eval is slow

How then do you evaluate your result when you need to use a fragment of another variable as your variable?

> 3. Globals are bad

What do you use instead??? Cookies? I put the user preferences in globals after every login, so as not to check them every time he goes on the site, and of course the cookie size is too big. In a global array I have specific column permissions of R/W/X, related to every type of menu function in R/W/X too, and/or his web page preferences (which column to hide, which to show). How else to do that? I think that globals are fast, and faster than SQL...? So what do you prefer? Creating dynamic split temporary files for every logon with the needed and authorized variables, with the correct amount for every type of needed request in them?

A.Binder
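The two problems the thread circles around are evaluating request-supplied variable names with eval() and keeping per-user state in globals that request data can overwrite. The following is an added example, not code from any poster in this thread: it resolves a request-supplied setting name through a fixed allowlist instead of eval(), keeps the permissions loaded at login in the server-side $_SESSION (only the session id travels in the cookie, so cookie size is not an issue), and rejects request keys the page did not expect. All function names, array keys and the sample permission data are hypothetical, constructed for this illustration.

```php
<?php
// Added example (not from the thread): session-held permissions and allowlist
// lookups in place of globals and eval(). Names and sample data are hypothetical.

declare(strict_types=1);

// Constructed sample: the permissions a login routine would have loaded from SQL.
const SAMPLE_USER_PERMS = [
    'menu_reports' => ['r' => true, 'w' => false, 'x' => false],
    'menu_users'   => ['r' => true, 'w' => true,  'x' => false],
];

// Columns the user may hide or show. Only these names are ever accepted from input.
const ALLOWED_COLUMNS = ['name', 'email', 'created'];

// Called once after a successful login: cache what was loaded from the database
// in the server-side session rather than in globals or in a large cookie.
function storePreferencesInSession(array $perms, array $hiddenColumns): void
{
    $_SESSION['perms']  = $perms;
    // Unknown column names (whatever the client sent) are silently dropped.
    $_SESSION['hidden'] = array_values(array_intersect($hiddenColumns, ALLOWED_COLUMNS));
}

// Permission check reads the session only, never request data, so a query
// string such as ?_SERVER[...]=... or ?perms[...]=... cannot influence it.
function canAccess(string $menu, string $mode): bool
{
    $perms = $_SESSION['perms'] ?? [];
    return (bool)($perms[$menu][$mode] ?? false);
}

// Safe replacement for eval("\$value = \$config[$name];"): the request may
// select one of a fixed set of keys, and can never supply code or reach
// settings such as the database password.
function readSetting(array $config, string $name): ?string
{
    $allowedSettings = ['site_name', 'items_per_page'];
    if (!in_array($name, $allowedSettings, true)) {
        return null; // unknown or unexpected key: refuse
    }
    return isset($config[$name]) ? (string)$config[$name] : null;
}

// Reject any request key the page does not expect. This is the generic check
// behind the FUNCTION_INIT / ARG1 problem: unexpected names never reach code.
function validatedRequest(array $get, array $expectedKeys): array
{
    $unexpected = array_diff(array_keys($get), $expectedKeys);
    if ($unexpected !== []) {
        throw new InvalidArgumentException('unexpected parameters: ' . implode(',', $unexpected));
    }
    return $get;
}

// Demonstration with constructed input.
session_start();
storePreferencesInSession(SAMPLE_USER_PERMS, ['email', 'password_hash']); // 'password_hash' is not an allowed column and is dropped
$config = ['site_name' => 'demo', 'mysql_pass' => 'secret'];

var_dump(canAccess('menu_users', 'w'));      // granted: write on menu_users was loaded at login
var_dump(canAccess('menu_reports', 'x'));    // denied: no execute right on menu_reports
var_dump(readSetting($config, 'site_name')); // allowed setting, value returned
var_dump(readSetting($config, 'mysql_pass')); // not in the allowlist, null returned
try {
    validatedRequest(['page' => '2', 'FUNCTION_INIT' => 'x'], ['page', 'sort']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // the unexpected FUNCTION_INIT key is reported and the request refused
}
```

The design choice here is that request data is only ever used to choose among values the server already trusts (a key in an allowlist, a column in a fixed set), never to name a variable or a function; that removes the need for eval() and for escaping $, [ and ] altogether. Keeping the permissions in $_SESSION gives the same "load once per login" speed the globals approach was after, but the data lives on the server and cannot be overwritten from the query string.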