RE: [PHP] extract($_POST)

2002-10-28 Thread Jay Blanchard
[snip] Let's say you have a statement like: $query = SELECT * FROM mytable WHERE firstname=$firstname; And if $firstname is set to: xyz; DELETE FROM mytable Then this is executed as: SELECT * FROM mytable WHERE firstname=xyz;DELETE FROM mytable This can wipe out your table...a bad thing...

Re: [PHP] extract($_POST)

2002-10-26 Thread Monty
Well, one way you can keep similar things from happening is, you can do something like, say, create a user that can only SELECT. If the user can only SELECT then it cannot DELETE. This is a great suggestion from Rick. I already use this method. I have several MySQL users set up for various

Re: [PHP] extract($_POST)

2002-10-26 Thread Monty
Rick Emery wrote: You can still use extract($_POST). It is as safe/vulnerable as $_POST['isAdmin']. In either case, use only variables that you know are yours and be certain these contain values which you believe to be safe. For instance, if you expect a variable called $firstname to

RE: [PHP] extract($_POST)

2002-10-26 Thread John W. Holmes
You can still use extract($_POST). It is as safe/vulnerable as $_POST['isAdmin']. In either case, use only variables that you know are yours and be certain these contain values which you believe to be safe. For instance, if you expect a variable called $firstname to contain a name to

Re: [PHP] extract($_POST)

2002-10-26 Thread Monty
John W. Holmes wrote: Then make sure $name has all single quotes escaped within it. If all of them are escaped, then it's just a string and can't do any harm. If they aren't escaped, then the user can break out of your own SQL and put their own. I'm confused about when I should escape

RE: [PHP] extract($_POST)

2002-10-26 Thread John W. Holmes
I'm confused about when I should escape single or double quotes. Should all quotes be stored as \ or \' in a database as well? Escape both, just use addslashes. The key here is that if you are inserting a variable into a string (which is all a query is), then you want to make sure that the

Re: [PHP] extract($_POST)

2002-10-26 Thread Monty
John W. Holmes wrote: Then make sure $id is a number. You can use is_int, or (int), or whatever. It appears that any numeric values passed via the URL (..?param=10001) are automatically treated as strings. If I pass ?param=1001 to the following script... $type = ''; if

RE: [PHP] extract($_POST)

2002-10-26 Thread John W. Holmes
Then make sure $id is a number. You can use is_int, or (int), or whatever. It appears that any numeric values passed via the URL (..?param=10001) are automatically treated as strings. If I pass ?param=1001 to the following script... So turn it into an integer. $param =

Re: [PHP] extract($_POST)

2002-10-26 Thread Monty
John W. Holmes wrote: Bottom line is that you want to use addslashes() or magic_quotes_gpc() on any variable you're going to insert into a query string. If you're inserting a variable that should be a number, make sure it is one. If I have magic quotes turned on, do I still need to worry

RE: [PHP] extract($_POST)

2002-10-26 Thread John W. Holmes
Bottom line is that you want to use addslashes() or magic_quotes_gpc() on any variable you're going to insert into a query string. If you're inserting a variable that should be a number, make sure it is one. If I have magic quotes turned on, do I still need to worry about using

Re: [PHP] extract($_POST)

2002-10-26 Thread @ Edwin
Or, You can use this: http://www.php.net/manual/en/function.is-numeric.php - E John W. Holmes [EMAIL PROTECTED] wrote: Then make sure $id is a number. You can use is_int, or (int), or whatever. It appears that any numeric values passed via the URL (..?param=10001) are

Re: [PHP] extract($_POST)

2002-10-25 Thread Rick Emery
as a variable and submit it to your PHP script. Therefore, additional precautions and authentication are warranted. - Original Message - From: Monty [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 25, 2002 12:37 AM Subject: Re: [PHP] extract($_POST) I'm devastated

Re: [PHP] extract($_POST)

2002-10-25 Thread Chris Boget
The more secure method ensures it MUST come from a form. Be advised: the user can create his own form with $admin as a variable and submit it to your PHP script. Therefore, additional precautions and authentication are warranted. And what should these precautions be? If a malicious user

Re: [PHP] extract($_POST)

2002-10-25 Thread Rick Emery
: Chris Boget [EMAIL PROTECTED] To: Rick Emery [EMAIL PROTECTED] Cc: PHP General [EMAIL PROTECTED] Sent: Friday, October 25, 2002 8:53 AM Subject: Re: [PHP] extract($_POST) The more secure method ensures it MUST come from a form. Be advised: the user can create his own form with $admin

RE: [PHP] extract($_POST)

2002-10-25 Thread Johnson, Kirk
And what should these precautions be? If a malicious user can submit his own form and you are looking for a POST variable, how can you ensure that $admin came from your form and not that user's? The problem is when a cracker uses form variables in an attempt to set the values of flag

Re: [PHP] extract($_POST)

2002-10-25 Thread Paul Nicholson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote: And what should these precautions be? If a malicious user can submit his own form and you are looking for a POST variable, how can you ensure that $admin came from your form and not that

Re: [PHP] extract($_POST)

2002-10-25 Thread John Nichel
And if you want to take it a step further, to ensure that the values are submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if it's coming from your domain | page. Paul Nicholson wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Friday 25 October 2002 11:23 am, Johnson,

Re: [PHP] extract($_POST)

2002-10-25 Thread 1LT John W. Holmes
: Re: [PHP] extract($_POST) And if you want to take it a step further, to ensure that the values are submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if it's coming from your domain | page. Paul Nicholson wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Friday

Re: [PHP] extract($_POST)

2002-10-25 Thread ed
I thought of this as well and into the PHP documentation about this option. Here's a side note that the documentation includes: Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted. Even though it's not a

Re: [PHP] extract($_POST)

2002-10-25 Thread John Nichel
: [PHP] extract($_POST) And if you want to take it a step further, to ensure that the values are submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if it's coming from your domain | page. Paul Nicholson wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Friday 25

Re: [PHP] extract($_POST)

2002-10-25 Thread Monty
Oct 2002 13:06:10 -0400 To: Johnson, Kirk [EMAIL PROTECTED], PHP General [EMAIL PROTECTED] Subject: Re: [PHP] extract($_POST) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote: And what should these precautions be? If a malicious user

Re: [PHP] extract($_POST)

2002-10-25 Thread Rick Emery
can be cracked. There are no certain protections. - Original Message - From: Monty [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 25, 2002 3:13 PM Subject: Re: [PHP] extract($_POST) Okay, I really want to understand how to make $_GET and $_POST more secure because

Re: [PHP] extract($_POST)

2002-10-25 Thread @ Edwin
Hello, Monty [EMAIL PROTECTED] wrote: Okay, I really want to understand how to make $_GET and $_POST more secure because it means changing a fundamental way my scripts are now working. So, it sounds like what I need to do in order to make form data more secure is something like this...

Re: [PHP] extract($_POST)

2002-10-25 Thread Chris Boget
This thread has been great! I've learned so much useful stuff. For instance, if you expect a variable called $firstname to contain a name to be stored in a SQL database, be certain it does not contain SQL commands which can damage your database. This is another thing I'd be interested in

Re: [PHP] extract($_POST)

2002-10-25 Thread Rick Emery
... - Original Message - From: Chris Boget [EMAIL PROTECTED] To: Rick Emery [EMAIL PROTECTED]; [EMAIL PROTECTED]; Monty [EMAIL PROTECTED] Sent: Friday, October 25, 2002 3:41 PM Subject: Re: [PHP] extract($_POST) This thread has been great! I've learned so much useful stuff. For instance, if you

Re: [PHP] extract($_POST)

2002-10-25 Thread @ Edwin
Hello, Rick Emery [EMAIL PROTECTED] wrote: Let's say you have a statement like: $query = SELECT * FROM mytable WHERE firstname=$firstname; And if $firstname is set to: xyz; DELETE FROM mytable Then this is executed as: SELECT * FROM mytable WHERE firstname=xyz;DELETE FROM mytable This

RE: [PHP] extract($_POST)

2002-10-25 Thread John W. Holmes
Boget; [EMAIL PROTECTED]; Monty Subject: Re: [PHP] extract($_POST) Let's say you have a statement like: $query = SELECT * FROM mytable WHERE firstname=$firstname; And if $firstname is set to: xyz; DELETE FROM mytable Then this is executed as: SELECT * FROM mytable WHERE firstname=xyz

RE: [PHP] extract($_POST)

2002-10-25 Thread John W. Holmes
This thread has been great! I've learned so much useful stuff. For instance, if you expect a variable called $firstname to contain a name to be stored in a SQL database, be certain it does not contain SQL commands which can damage your database. This is another thing I'd be interested

RE: [PHP] extract($_POST)

2002-10-25 Thread John W. Holmes
[snip] There are many places (websites) wherein you can choose the country from a pulldown menu. This prevents somebody (somehow) from posting something illegal. Besides, if the values assigned are numbers (e.g. <option value=100>My Country</option>) then you can check whether the value

RE: [PHP] extract($_POST)

2002-10-25 Thread SHEETS,JASON (HP-Boise,ex1)
You can still create a sub-query to do the damage. Jason -Original Message- From: John W. Holmes [mailto:holmes072000;charter.net] Sent: Friday, October 25, 2002 4:01 PM To: 'Rick Emery'; 'Chris Boget'; [EMAIL PROTECTED]; 'Monty' Subject: RE: [PHP] extract($_POST) No, this can't happen

Re: [PHP] extract($_POST)

2002-10-25 Thread Rick Emery
You assume mysql. Other SQL databases allow multiple statements. -Original Message- From: Rick Emery [mailto:remery;emeryloftus.com] Sent: Friday, October 25, 2002 4:59 PM To: Chris Boget; [EMAIL PROTECTED]; Monty Subject: Re: [PHP] extract($_POST) Lets say you have a statement

Re: [PHP] extract($_POST)

2002-10-25 Thread @ Edwin
True. That's why I said: then you can check whether the value is_numeric() or something. I think this narrows down what you're checking. So, if you send me any value my script would just reject it. Besides, this is just a hint--there are many ways to validate. Of course, you know that... :)

RE: [PHP] extract($_POST)

2002-10-25 Thread John W. Holmes
: Re: [PHP] extract($_POST) You assume mysql. Other SQL databases allow multiple statements. -Original Message- From: Rick Emery [mailto:remery;emeryloftus.com] Sent: Friday, October 25, 2002 4:59 PM To: Chris Boget; [EMAIL PROTECTED]; Monty Subject: Re: [PHP] extract($_POST

Re: [PHP] extract($_POST)

2002-10-24 Thread Monty
18:41:04 +0100 To: '1LT John W. Holmes' [EMAIL PROTECTED], Rick Emery [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: [PHP] extract($_POST) -Original Message- From: 1LT John W. Holmes [mailto:holmes072000;charter.net] Sent: 23 October 2002 19:51 Say you have something like