Hi everybody!

Two things I consider urban myths about PHP (plus MySQL) - please let me
know what you think of these:

1. The evil global variables

Ok, the classic
<?php
  // Kept as in the post: $lethimin is never initialised, so the check
  // below depends on nothing else having set it (the register_globals
  // situation the post is about). Only fread(), which needs a length
  // argument, is replaced with readfile() so the snippet actually runs.
  if ($pwd=="GOODPASSWORD")
  {
    $lethimin=1;
  }
  /* [bullshit code] */
  if ($lethimin)
  {
    readfile("/etc/passwd");
  }
?>
is obviously valid. But let's be serious, who codes this? The example
code is valid and it's easily crackable indeed, but you don't do that
kind of thing - you do it in one step. Even if you really need the
bullshit code in there for some obscure reason, this is the login code,
dammit, anybody takes care of that!

The reason I raised this issue is that I think people tend to get paranoid
about PHP. And that happens in both worlds - customers and developers.
Nothing to say about customers, I'd be careful too if I heard some dude
got intoxicated at a McDonald's in Bogota. My problem is with developers
- they've got it into their heads that variables are your enemy and
initialize everything nowadays - including local variables!

My question to you guys is this: does anybody know of a real example of
reasonably careful coding that led to disaster with global variables?

2. Please enter your age: 25; drop database mysql

Does this actually work?

I've read at least a dozen articles telling people to get it in their
blood not to trust users and to addslashes any kind of incoming data, as
well as pass it as strings to mysql ("insert into person set age='$age'"
instead of "insert into person set age=$age").

So I decided I had to test this: I wrote the code exactly as in the
example; I provided the exact dangerous input (well, to be honest, I
tried a select instead of drop mysql). When I tried it, the presumably
dangerous situation degraded into a trivial MySQL error. It went
something like "You have an error near '; select 1+1'".

Did you ever actually try this? Does it work on your system?

Thanks in advance for the input!

Bogdan
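An added example, not part of the original post, covering both points above: the login flag initialised and read explicitly from the request, and the "25; drop database mysql" input handled with validation plus a prepared statement. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table, the input string and the 0-150 age range are constructed for the demo, and the same PDO calls work against MySQL with a mysql: DSN.

```php
<?php
// Added example (not from the post). PDO + in-memory SQLite stand in for
// the PHP/MySQL setup so the script runs without a server.
declare(strict_types=1);

// Point 1: initialise the flag and take the password from $_POST only, so
// nothing arriving with the request can pre-set $lethimin.
$lethimin = 0;
if (hash_equals('GOODPASSWORD', $_POST['pwd'] ?? '')) {
    $lethimin = 1;
}

// Point 2: constructed table and the input from the post.
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE person (age INTEGER NOT NULL)');
$age = '25; drop database mysql';

// Interpolation as in the post. The SQL is malformed at the semicolon, so
// the database throws a syntax error. That error is the only thing in the
// way, which is luck, not a defense.
try {
    $pdo->exec("INSERT INTO person (age) VALUES ($age)");
} catch (PDOException $e) {
    echo "interpolated query rejected: " . $e->getMessage() . "\n";
}

// Validate first: a numeric column only ever receives an integer
// (assumed range 0-150 for the demo).
function validatedAge(string $raw): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($n === false) {
        throw new InvalidArgumentException('age must be an integer 0-150');
    }
    return $n;
}

// Then bind it: the value never becomes part of the SQL text, so quotes,
// semicolons and keywords in it cannot change the statement.
$stmt = $pdo->prepare('INSERT INTO person (age) VALUES (:age)');
foreach (['25', $age] as $raw) {
    try {
        $stmt->execute([':age' => validatedAge($raw)]);
        echo "stored age for input '$raw'\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected input '$raw': " . $e->getMessage() . "\n";
    }
}
echo 'rows: ' . $pdo->query('SELECT COUNT(*) FROM person')->fetchColumn() . "\n";
```

Run it from the command line with php; the interpolated query fails with a syntax error, '25' is stored, and the injected string is rejected before it reaches the database.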



-- 
PHP General Mailing List (http://www.php.net/)