I want to use something safer than URL encoded variables.

Posted: Thu Aug 21, 2003 7:57 pm
by ro
I have been thinking about this for quite a while... I believe that URL
encoded passing of variables leaves too many open avenues from
would-be attackers. Is there someone out there that could shed some
light on possible ways I can accomplish the safe passing of variables
between form submissions. I have tried using Hidden fields, but it
becomes too much of a hassle. I was thinking of getting all the variables
I am to pass and placing them in an array and then passing the array
URL encoded or a class perhaps... I dunno.... which is why I am asking
for anyone's help... thanks in advance :)

Regards,

Posted: Thu Aug 21, 2003 8:12 pm
by trollll
I've found that URL encoding works well enough, just plan on and account for cases of bad information. I generally have test cases to see if the passed info matches expected info and (depending on the type of info passed) either force it into a certain format (html entities, date formatting, etc.) or reject anything that will disrupt the system and let the user know why.

And if a bad value for something would only come from an attack, kill the process and output a message saying something like, "Please don't do that you mean person." or something better suiting your attitude towards attackers.

Posted: Thu Aug 21, 2003 11:26 pm
by nielsene
I prefer SESSIONS & POST to GET for variable passing. Sessions to minimize the amount of data that is exposed to the user in the first place and POST to eliminate trivial hack attempts.

As trollll says you still need to plan and deal with all the possibilities of bad input as people can still spoof a POST'd form.

I loathe name-mangling which is another reason I avoid GET at all costs.

Posted: Thu Aug 21, 2003 11:40 pm
by ro
I appreciate the input... I'll think of something and holler back..

thanks again :)

Posted: Sat Aug 23, 2003 8:41 am
by PixelMaster
Maybe an easier method than trying to think of all the possibilities for bad data that you could get (which is pretty much impossible, anyway), would be to make a short list of good data: ie. 'only things with alphabetic characters that are no longer than 10 characters is ok', or 'any combinations of up to 2 digits'. Everything else generates an error message.

If you have the ctype functions installed, they are very useful for this kind of stuff - not to mention faster and easier to use than the regexp functions.

Posted: Sat Aug 23, 2003 10:49 am
by ro
I agree that ctype functions may be easier and faster... and I will
probably end up using them. However, these functions (or most of them)
check to see if the criteria is met by ALL the characters in the
string... which makes it a little inflexible. I will combine the use of ctype
along with Regular expressions, html_entities, strip_html, etc... to make
it a little more flexible and robust. I don't want to sound ungrateful, I
really appreciate the input... I believe it has sparked ideas and research
in my head... thanks again!

Regards,
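
The allow-list approach from the two posts above, as an added example that is not code from any poster: ctype functions for the "every character must match" rules and an anchored regular expression where character classes are mixed. The field names (`code`, `count`, `name`), the rules and the `validate_input()` helper are assumptions made for illustration, and the sample input is constructed.

```php
<?php
// Added example: allow-list validation. Field names and rules are illustrative.
$rules = array(
    // Alphabetic only, at most 10 characters. ctype_alpha() tests every
    // character and returns false for the empty string.
    'code'  => function ($v) { return strlen($v) <= 10 && ctype_alpha($v); },
    // One or two digits.
    'count' => function ($v) { return strlen($v) <= 2 && ctype_digit($v); },
    // Mixed character classes need a regex. \A and \z anchor the whole
    // string; "$" would also accept a value that ends in a newline.
    'name'  => function ($v) {
        return preg_match('/\A[A-Za-z][A-Za-z \'.-]{0,49}\z/', $v) === 1;
    },
);

function validate_input(array $input, array $rules) {
    $clean  = array();
    $errors = array();
    foreach ($rules as $field => $rule) {
        // A request can send code[]=x, which arrives as an array, so the
        // type is checked before any string function sees the value.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing or not a string';
        } elseif (!$rule($input[$field])) {
            $errors[$field] = 'rejected';
        } else {
            $clean[$field] = $input[$field];
        }
    }
    // Fields without a rule are never copied into $clean.
    return array($clean, $errors);
}

// Constructed sample input standing in for $_POST.
$sample = array(
    'code'  => 'abcDEF',
    'count' => '123',            // three digits
    'name'  => "Robert'); --",   // characters outside the allowed set
    'extra' => 'not expected',   // no rule exists for this field
);

list($clean, $errors) = validate_input($sample, $rules);
var_dump($clean);
var_dump($errors);
```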

Posted: Sat Aug 23, 2003 11:58 am
by patrikG
It is actually possible to POST without submitting. I've come across a clever function by Rasmus Lerdorf doing just that:

Code:

/* Author ----- Rasmus Lerdorf <rasmus@lerdorf.on.ca> */
function PostToHost($host, $path, $data_to_send) {
    // Open a TCP connection to the web server on port 80 (10 second timeout)
    $fp = fsockopen($host, 80, $errno, $errstr, 10);
    if (!$fp) {
        echo "Connection failed: $errstr ($errno)";
        return;
    }
    // HTTP header lines end with CRLF; an empty line ends the header block
    fputs($fp, "POST $path HTTP/1.0\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: ".strlen($data_to_send)."\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $data_to_send);
    // Echo the raw response (status line, headers and body)
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}

Function call would be

Code:

// Encode each value separately so the "=" and "&" separators are sent as-is
PostToHost("www.clipx.net", "/cgi-bin/nohdr.exe", "cEmail=".urlencode("me@here.com")."&cMsg=".urlencode("The outlook wasn't brillant for the Mudville nine that day, the score stood two to four with but an inning left to play..."));
exit();

Neat-o-mat.

Posted: Sat Aug 23, 2003 12:36 pm
by ro
My question to patrikG is: how would you setup the form to use this(postToHost())...
it might be obvious but I'm drawing a complete blank.

Cheers,

Posted: Sat Aug 23, 2003 5:19 pm
by qartis
If you want more (pseudo)security, you may want to put your variables into an array and then serialize them. Most people haven't a clue what to do with a serialized string, and as such haven't a clue how to spoof it.

Posted: Sun Aug 24, 2003 3:23 am
by patrikG
ro wrote: My question to patrikG is: how would you setup the form to use this(postToHost())...
it might be obvious but I'm drawing a complete blank.

The function sends data to another webserver via port 80. Naturally, you will still need to populate the variables with the values you intend to send. My initial text "POST without submitting" is somewhat misleading - with the script you can directly access a remote script (on another webserver) and, e.g. submit to it, which can be quite handy for example if you want to query a search-engine remotely etc.

Posted: Mon Aug 25, 2003 11:08 pm
by hedge
patrikG wrote:
ro wrote: My question to patrikG is: how would you setup the form to use this(postToHost())...
it might be obvious but I'm drawing a complete blank.
The function sends data to another webserver via port 80. Naturally, you will still need to populate the variables with the values you intend to send. My initial text "POST without submitting" is somewhat misleading - with the script you can directly access a remote script (on another webserver) and, e.g. submit to it, which can be quite handy for example if you want to query a search-engine remotely etc.

I have also found this technique to be useful. I am connecting to an internal webserver that runs ASP, logging in and then pulling the content so that the content is available on the public webserver.

Posted: Tue Aug 26, 2003 11:01 am
by ro
This is the code I'm messing with... I think I'm content with sending the Actions in the
manner shown below. However, I am still using $GLOBALS to get the Submitted <input>
text variables... how could I merge this method along with the postToHost() method and
then be able to DISABLE Globals in PHP?

Code:

function addusr_form($page) {
    // Serialize the action array and URL-encode it for the query string
    $arr['Action'] = 'Add New User';
    $ser = serialize($arr);
    $ser = urlencode($ser);

    $page .= "?ser1=$ser";
?>
<form method="POST" action="<?php echo htmlspecialchars($page); ?>">
  <table>
    <tr>
      <td>
        <div>Full Name:</div>
      </td>
      <td>
        <input type="text" name="name">
      </td>
    </tr>

    <tr>
      <td>
        <div>Email:</div>
      </td>
      <td>
        <input type="text" name="email">
      </td>
    </tr>

    <tr>
      <td colspan=2>
        <input type="submit" value="Add New User" name="ion">
        <input type="reset" value="Reset" name="B2">
      </td>
    </tr>
  </table>
  </form>
<?php
}
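
A serialized array in the query string, as suggested earlier in the thread and used in the code above, can still be read and edited by the client. The following added example (not code from any poster) shows one way to make such a value tamper-evident with an HMAC, and uses JSON so the receiving side never calls `unserialize()` on client-supplied data. It assumes PHP 5.6 or later for `hash_equals()`; `SECRET_KEY`, `pack_state()`, `unpack_state()`, the page name and the second action string are assumptions made for illustration.

```php
<?php
// Added example: tamper-evident state passed through a URL or hidden field.
// SECRET_KEY is a placeholder; load a random key from server-side config.
define('SECRET_KEY', 'replace-with-random-server-side-key');

function pack_state(array $state) {
    // JSON instead of serialize(): decoding it cannot instantiate objects.
    $payload = base64_encode(json_encode($state));
    $mac     = hash_hmac('sha256', $payload, SECRET_KEY);
    return $payload . '.' . $mac;
}

function unpack_state($token) {
    if (!is_string($token)) {
        return null;
    }
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    list($payload, $mac) = $parts;
    $expected = hash_hmac('sha256', $payload, SECRET_KEY);
    // hash_equals() compares in constant time.
    if (!hash_equals($expected, $mac)) {
        return null;                     // payload or MAC was modified
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    $state = json_decode($json, true);
    return is_array($state) ? $state : null;
}

// Sending side: build the link or form action (hypothetical page name).
$token = pack_state(array('Action' => 'Add New User'));
$url   = 'adduser.php?ser1=' . urlencode($token);

// Receiving side: what the script would do with $_GET['ser1'].
var_dump(unpack_state($token));

// Constructed tampering case: the payload is replaced but the old MAC is kept.
$edited = base64_encode(json_encode(array('Action' => 'Delete User')));
var_dump(unpack_state($edited . '.' . substr($token, -64)));
```

The MAC only detects modification: the client can still read the value and send an old token again, so anything secret or single-use belongs in the session rather than in the token.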

Posted: Tue Aug 26, 2003 12:25 pm
by NoReason
I've been using super globals to get away from setting globals enabled in the ini file... As well I use a combination of classes and post.

I have designed my methodology around submitting to intermediate pages which are then header(location); redirected to the page that they were just on... it's fast, efficient, and so far has been very secure....
I do, however, not have any malformed string checks in place yet... working on that...