IF no value then Die problem

superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

volka wrote:I don't see it. It's both user input. I have to test and check it both the same way. What harm can it do to my application's or server's security?
It may be that I don't want the user to be able to replace post data by get data. But that's no matter of security.
$_REQUEST can open a lot of programmers up to XSS.

URL:

page.php?name="><script>alert('>:D');</script><"

PHP:

// page.php
<form>
    <input type="text" name="name" value="<?php echo isset($_REQUEST['name']) ? $_REQUEST['name'] : '';?>" />
</form>

One of the reasons to always use htmlspecialchars(), but you see a lot of programmers that don't.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

But this has nothing to do with _REQUEST. You have the exact same problem if you use _GET or _POST.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

See my last post on page 1.
Last edited by Benjamin on Fri Aug 10, 2007 2:58 pm, edited 1 time in total.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

volka wrote:But this has nothing to do with _REQUEST. You have the exact same problem if you use _GET or _POST.
You can't simulate a POST with XSS using the URL.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

But with _GET. And if you print POSTed data without treatment you can have XSS problems as well.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

volka wrote:But with _GET. And if you print POSTed data without treatment you can have XSS problems as well.
So basically, $_REQUEST isn't a security risk if you are already taking the necessary security measures...?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

What can't you do to _REQUEST data that you can do to _POST or _GET?
Let me put it this way: I've seen this discussion several times now and I'm still waiting for an example of real security risk that is immanent to _REQUEST.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

astions wrote:See my last post on page 1.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

@astions: and in what way is this a problem specific to _REQUEST?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Because if you use $_REQUEST instead of $_POST you have lost the ability to verify that it is not a $_GET request.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

And what good does it do my script's security to know that it is a post request?
I could e.g. put a form/post on my malicious website instead of a link.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Right, but the user would have to click submit to process the request, rather than it happening without them knowing it.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Doesn't the user have to click the link as well?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Not with an image tag requesting the remote page. It happens totally without the user's knowledge. If you're logged into site foo, and you visit malicious site bar, this second site can perform actions on your behalf on site foo through the use of image tag GET requests.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

The wonderful world of javascript and ajax makes this possible for post data as well.
Or even simpler, the easiest way to spread trojans

What pictures of Shirley Schmidt did Alan Shore actually buy?
See for yourself on 
<form method="post" action="http://www.the.Other/Site.php" style="display:inline;">
  <input type="hidden" name="action" value="delete" />
  <input type="hidden" name="filter" value="*" />
  <input style="display:inline; text-decoration:underline; color:blue; background:none; border:none; cursor:pointer;"
    type="submit" value="The official Boston Legal page">
</form>
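
As an added example (not code from any poster in this thread), here is the form from the first post hardened for PHP 7+: output is escaped with htmlspecialchars(), input is read from $_POST only, and a per-session token rejects the cross-site hidden-form POST shown above. The token goes beyond what the thread discusses. The field name csrf_token and the helpers e() and is_trusted_post() are assumptions made for illustration.

```php
<?php
// Added example: handler for a state-changing form, hardened against the
// reflected XSS and cross-site request cases discussed in the thread.
// The names csrf_token, e() and is_trusted_post() are hypothetical.
declare(strict_types=1);
session_start();

// One unpredictable token per session; a page on another site cannot read it.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

/** Escape a value for use inside HTML text or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** True only for a POST request that carries this session's token. */
function is_trusted_post(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false; // an image tag or plain link only ever sends GET
    }
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; both arguments must be strings.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

$name = '';
$status = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (is_trusted_post($_SERVER, $_POST, $_SESSION)) {
        $name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
        $status = 'Saved.';
    } else {
        http_response_code(403); // method check alone is not enough: token missing or wrong
        $status = 'Rejected: missing or wrong token.';
    }
}
?>
<form method="post">
    <input type="hidden" name="csrf_token" value="<?php echo e($_SESSION['csrf_token']); ?>" />
    <input type="text" name="name" value="<?php echo e($name); ?>" />
    <input type="submit" value="Save" />
</form>
<p><?php echo e($status); ?></p>
```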