Re: [PHP] security/sql issues with php

2005-09-21 Thread Stephen Leaf
_ matter however is the actual data we got. > > -bruce > > > > -Original Message- > From: Chris Shiflett [mailto:[EMAIL PROTECTED] > Sent: Wednesday, September 21, 2005 5:27 PM > To: [EMAIL PROTECTED] > Cc: 'Robert Cummings'; 'Mikey'; 'PHP Mai

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
bruce wrote: since i assume the '%x' chars translate into something other than straight text, i assume that the html function you mention strips out these chars, or it returns a true/false if the data is valid. is this in essence what you're talking about? The %XX characters are URL encoded. The

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
bruce wrote: however, i still don't have a good answer to my question regarding how easy (or hard) it is to detect if a query that should have originated with your app's form is coming from a 3rd party/external site? am i missing something here? Possibly. I think you're missing the fact that e

RE: [PHP] security/sql issues with php

2005-09-21 Thread Chris W. Parker
bruce on Wednesday, September 21, 2005 6:03 PM said: > since i > assume the '%x' chars translate into something other than straight > text, i assume that the html function you mention strips out these > chars, or it returns a true/false if the data is valid. Those ch

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
or it returns a true/false if the data is valid. is this in essence what you're talking about? -bruce -Original Message- From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 5:09 PM To: 'PHP Mailing Lists' Subject: Re: [PHP] securi

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
PROTECTED] Cc: 'Robert Cummings'; 'Mikey'; 'PHP Mailing Lists' Subject: Re: [PHP] security/sql issues with php bruce wrote: > but in all honesty, if you're going to write an app, and you're going > to do something with the data, it makes sense t

Re: [PHP] security/sql issues with php

2005-09-21 Thread Robert Cummings
On Wed, 2005-09-21 at 20:18, Chris Shiflett wrote: > Robert Cummings wrote: > > Not if it's a float. > > True. :-) > > The point remains - checking data type is often misleading. Yep, I wasn't trying to remove the point, just don't want noobs getting mixed up on type juggling :) Cheers, Rob. --

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
bruce wrote: > but in all honesty, if you're going to write an app, and you're going > to do something with the data, it makes sense to me that you > 'know'/ensure that you're dealing with the correct kind of data. as i > see it, this allows you another way (low entropy) to determine that > the in

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
Robert Cummings wrote: Not if it's a float. True. :-) The point remains - checking data type is often misleading. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.p

RE: [PHP] security/sql issues with php

2005-09-21 Thread Chris W. Parker
bruce on Wednesday, September 21, 2005 5:10 PM said: > but in all honesty thanks for being honest. > , if you're going to write an app, and you're going > to do something with the data, it makes sense to me that you > 'know'/ensure that you're dealing with the corr

Re: [PHP] security/sql issues with php

2005-09-21 Thread Jasper Bryant-Greene
Jasper Bryant-Greene wrote: Anyone else could link to your page with that URL and have the script executed on your page. You can't stop this, so you have to escape and validate the data coming in. Sorry to reply to my own message, but to clarify, I meant you can't stop others linking to your

Re: [PHP] security/sql issues with php

2005-09-21 Thread Jasper Bryant-Greene
bruce wrote: thanks for the replies... i think i understand what you're stating.. but i'm still confused as to why my app/server would allow a GET/POST piece of data that would/should be originating from a form on my site to come from a 3rd party/external site/app? i would have assumed that there

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
ptember 21, 2005 5:00 PM To: [EMAIL PROTECTED] Cc: 'Chris Shiflett'; 'Mikey'; 'PHP Mailing Lists' Subject: RE: [PHP] security/sql issues with php On Wed, 2005-09-21 at 19:54, bruce wrote: > but now that you're talking about ints/strings/floats, aren't you no

RE: [PHP] security/sql issues with php

2005-09-21 Thread Robert Cummings
On Wed, 2005-09-21 at 19:54, bruce wrote: > but now that you're talking about ints/strings/floats, aren't you now > getting into data typing issues... which gets into the correct/appropriate > architecture of your app, variable namespace issues, etc... Nope, just showing that adding 0 to data ret

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
it on the code that they've created... thanks -bruce -Original Message- From: Robert Cummings [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 4:44 PM To: Chris Shiflett Cc: Mikey; 'PHP Mailing Lists' Subject: Re: [PHP] security/sql issues with php On Wed,

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
CTED] Sent: Wednesday, September 21, 2005 4:44 PM To: Chris Shiflett Cc: Mikey; 'PHP Mailing Lists' Subject: Re: [PHP] security/sql issues with php On Wed, 2005-09-21 at 19:21, Chris Shiflett wrote: > Mikey wrote: > > I have found that adding 0 and then running is_int() usual

Re: [PHP] security/sql issues with php

2005-09-21 Thread Robert Cummings
On Wed, 2005-09-21 at 19:21, Chris Shiflett wrote: > Mikey wrote: > > I have found that adding 0 and then running is_int() usually works. > > You mean always works. :-) Casting something to an integer and then > checking to see if it's an integer doesn't tell you anything useful: > > > $int =

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
comments/thoughts -bruce -Original Message- From: Chris Shiflett [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 4:16 PM To: [EMAIL PROTECTED] Cc: 'Jasper Bryant-Greene'; 'PHP Mailing Lists' Subject: Re: [PHP] security/sql issues with php bruce

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
---Original Message- From: Chris Shiflett [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 4:07 PM To: [EMAIL PROTECTED] Cc: 'Jasper Bryant-Greene'; 'PHP Mailing Lists' Subject: Re: [PHP] security/sql issues with php bruce wrote: > i'm confused rega

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
Mikey wrote: I have found that adding 0 and then running is_int() usually works. You mean always works. :-) Casting something to an integer and then checking to see if it's an integer doesn't tell you anything useful: You're always going to see "$int is an integer" on the screen, even when

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
bruce wrote: i just read an article that described how someone could have a url of 'http://foo.com/' and have the URL in an in their website. the website could be cat.com. the article implied that if a user would select the img, the link to the foo.com would be initiated, thereby fooling the

Re: [PHP] security/sql issues with php

2005-09-21 Thread Mikey
Checking data types can be very misleading. I've seen many examples (even recently in a book) that use is_int() to check to see whether something in $_GET or $_POST is an integer. Because everything in $_GET and $_POST is a string, this check always fails. Chris I have found that adding 0

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
bruce wrote: i'm confused regarding XSS. Cross-Site Scripting appears to be due to somehow allowing a user to insert 'html'/data/etc into the URL that you as the app are expecting? is this correct? A XSS vulnerability exists whenever you output tainted data. For example, if a user can subm

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
Jasper Bryant-Greene wrote: Before outputting anything user-sourced to the browser, htmlspecialchars() it, preferably with the ENT_QUOTES option. If you want to allow some HTML, only then parse the string to un-escape certain HTML tags. Jasper++ Check the types if it's a problem for you (usi

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
then send the user to a potentially malicious page... here again, wouldn't this issue be easy enough to deal with if one did data validation? -bruce -Original Message- From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 2:35 PM To: 'PHP Mai

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
ith if one did data validation? -bruce -Original Message- From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 2:35 PM To: 'PHP Mailing Lists' Subject: Re: [PHP] security/sql issues with php bruce wrote: > two questions: > > 1) css s

Re: [PHP] security/sql issues with php

2005-09-21 Thread Jasper Bryant-Greene
bruce wrote: two questions: 1) css scripting. how can it be prevented?? what are some of the methods that you guys use? Before outputting anything user-sourced to the browser, htmlspecialchars() it, preferably with the ENT_QUOTES option. If you want to allow some HTML, only then parse the st

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett
bruce wrote: i've been searching/researching the areas of security regarding url input, form input, as well as database input (mysql). while there are plenty of articles that touch on the topic, i'm looking for a given site/package/lib (open source) that is pretty much the standard that i could u

RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
.. i would hope that it wouldn't be hard for gurus/experts to agree on these kinds of issues... -bruce -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 8:29 AM To: [EMAIL PROTECTED] Subject: RE: [PHP] security/sql issues with ph