WebApp Sec mailing list archives

Re: Anyone have some basic security tips for PHP-programmers?


From: Härnhammar, Ulf <Ulf.Harnhammar.9485 () student uu se>
Date: Sun, 23 Nov 2003 18:36:46 +0100

Also sprach Tommy Gildseth <tommy () akili no>:

Yes, but none of your examples overlap with the piece of code I was 
commenting on. I.e., the original code doesn't solve any of the problems 
you have described here.

OK, I suppose I was making a general comment about magic quotes instead of 
commenting on A. Binder's code.

As far as I have experienced, it's not a problem to ignore whether magic 
quotes is on or not. Just act as if they are not.

Well, it's not a security problem, but as Tim Oliver just pointed out, it's 
irritating with applications that add lots of extra slashes here and there. You 
type in "Tommy Gildseth's mailinglist post" and they display it as "Tommy 
Gildseth\'s mailinglist post". It's ugly.

This is what I do in PHP:

if (get_magic_quotes_gpc())
{
  $name = stripslashes($name);
  $phone = stripslashes($phone);
}

I.e., if magic quotes are on, you strip one layer of slashes from all user data. 
If magic quotes are off, you don't strip any slashes, because they are typed in 
by the user, and should be left alone. You then have all data in their original 
form, which of course has to be processed before the data is included in web 
pages, SQL statements, e-mail messages and so on.

(Lots of Scandinavians on this list for some reason..)

-- 
Ulf Härnhammar, student, Uppsala universitet

"Jag är en tvivelaktig figur / Duger ej mycket till"
-- Cornelis Vreeswijk, "Somliga går med trasiga skor"

Uggs != Cmectbb
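The approach Ulf describes above, worked out as an added example (this is not code from the original post): normalise request data to its original form regardless of the magic_quotes_gpc setting, then escape it separately for each context it enters. It goes a little beyond the post's two-variable snippet: it recurses into array-valued form fields, covers $_GET, $_POST and $_COOKIE, and shows HTML, SQL and e-mail header handling. The function_exists() guard is an assumption for running on later PHP versions, where magic quotes no longer exist (the setting was removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8); the in-memory SQLite database is constructed for the demo.

```php
<?php
// Added example, not from the original post. Assumes PHP < 5.4 for the
// magic-quotes branch; on later versions the guard makes it a no-op.

function strip_magic_quotes($value)
{
    // Form fields can be arrays (name="tags[]"), so strip recursively.
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Strip exactly one layer of slashes, and only if PHP added them.
// Backslashes the user typed in are left alone when magic quotes are off.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// From here on every value is the user's original text. It is escaped for
// the context it is about to enter, never "in general" up front.
$name = isset($_POST['name']) ? $_POST['name'] : "Tommy Gildseth's post";

// 1. HTML output: entity-encode so quotes and angle brackets are inert.
//    The apostrophe is displayed as typed, without a stray backslash.
echo '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</p>\n";

// 2. SQL: a prepared statement lets the driver do the quoting.
$db = new PDO('sqlite::memory:');   // constructed in-memory database for the demo
$db->exec('CREATE TABLE users (name TEXT)');
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $name));

// 3. E-mail: a value bound for a header must not contain line breaks,
//    otherwise it could continue into further headers.
$subject = str_replace(array("\r", "\n"), '', $name);
// mail($to, $subject, $body) would follow here with the cleaned subject.
```

Run it as a normal PHP page or from the command line; with no POST data it uses the constructed sample name, which contains an apostrophe, so the HTML output shows that the apostrophe survives without the extra backslash the post complains about.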

