llimllib wrote: Actually, McGruff, a lot of people disagree on whether or not that is a big security risk. If the coder does proper checking of variables that they receive from the user (hint: treat them all as 'contaminated', intentionally put there to mess up your script), then it doesn't matter where they came from. And seriously, it's only trivially more difficult for me to hack up a script that will send you infected $_POST variables than it is for me to send you infected $_GET variables. Simply put, the convenience of extract() may be worthwhile, as long as you put proper thought into checking your variables for length and type.
A thorough understanding of security is perhaps the most important aspect of php to learn. I am not an expert programmer by any means - and I'd appreciate it if you could help me understand your comments.
The main problem I see with extract and foreach declarations for GET and POST (without prefixing) is that a forged form or query string tampering can overwrite any previously declared variable in the same scope as the extract / foreach code - provided a hacker knows or can guess its name. Are you saying that many people disagree with that?
The other issue was a recommendation on how to process vars. Were you suggesting that there are other places in the script where checks / processing would be carried out? I must have picked you up wrong.
If a submitted var is supposed to be an integer, I would maybe just intval($_POST['var']) but, in a foreach loop, it's simpler just to do a single htmlspecialchars(addslashes(trim())) for all - works on text or naughtily hacked "integers" that aren't actually integers at all.
(Some people like to htmlspecialchars on the way out but, since I'm almost always storing the var in a db for later display in a browser, it's maybe more efficient to do it once on input rather than many times at each page view).
I guess the last link in the chain is to put all col values in quotes in a mysql query string - "integers" as well just in case they're not integers at all.
Phice: is HTTP_REFERER reliable? I've always understood that it's not - could be wrong.
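The following is an added example from the editor, not code posted by anyone in this thread. It shows the two points the reply above raises: first, that extract() on request data with its default flags overwrites a variable the script already declared in the same scope, and that the EXTR_SKIP and EXTR_PREFIX_ALL flags (or simply reading a whitelist of expected names) avoid that; second, per-field validation by type rather than one blanket transformation. For the storage step it uses a PDO prepared statement and escapes at output time with htmlspecialchars(), which is the editor's choice of technique rather than the quoting approach the post describes. The request array, the variable names ($is_admin, $page, $q), the 'req' prefix and the in-memory SQLite table are all constructed for the demonstration; the last function needs the pdo_sqlite extension.

```php
<?php
// Added example (editor's own, not from the thread). Run from the CLI.
// CONSTRUCTED request data standing in for a tampered query string:
// 'is_admin' collides with a script variable, 'page' is not a clean integer,
// and 'q' carries both markup and a quote character.
$_GET = [
    'q'        => "<b>term</b>' OR 1=1 --",
    'page'     => '2abc',
    'is_admin' => '1',
];

// --- The problem: extract() with default flags ------------------------------
// EXTR_OVERWRITE is the default, so a request key that matches an existing
// variable name replaces that variable's value in the current scope.
function vulnerable_handler(array $request): bool
{
    $is_admin = false;            // decided by the script before reading input
    extract($request);            // $is_admin now holds the attacker's '1'
    return (bool) $is_admin;      // the request is treated as an administrator's
}

// --- Fix 1: extract() flags that cannot clobber existing variables -----------
function skip_handler(array $request): bool
{
    $is_admin = false;
    extract($request, EXTR_SKIP); // keys that already exist as variables are ignored
    return (bool) $is_admin;
}

function prefix_handler(array $request): bool
{
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'req'); // creates $req_is_admin, $req_page, $req_q
    return (bool) $is_admin;                   // the unprefixed $is_admin is untouched
}

// --- Fix 2: read only the names you expect, validating each by its type ------
// Nothing the script did not ask for (such as 'is_admin') is ever read.
function read_request(array $request): array
{
    // An integer field is validated as an integer; '2abc' is rejected outright
    // instead of being silently coerced, and the range is bounded.
    $page = filter_var($request['page'] ?? '1', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($page === false) {
        $page = 1;
    }
    // A free-text field gets trimming and a length limit, but no HTML or SQL
    // escaping here: each of those belongs to the layer that needs it.
    $q = trim((string) ($request['q'] ?? ''));
    if (strlen($q) > 100) {
        $q = substr($q, 0, 100);
    }
    return ['page' => $page, 'q' => $q];
}

// --- Storage and display: bind parameters, escape at output --------------------
// Requires pdo_sqlite; an in-memory database stands in for MySQL here.
function store_and_render(array $clean): string
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE searches (page INTEGER NOT NULL, q TEXT NOT NULL)');

    // The values are sent separately from the SQL text, so the quote and the
    // "OR 1=1" in $q are stored as data and never change the statement.
    $stmt = $db->prepare('INSERT INTO searches (page, q) VALUES (:page, :q)');
    $stmt->execute([':page' => $clean['page'], ':q' => $clean['q']]);

    // HTML escaping happens when the value is rendered into a page, so the
    // database keeps the original text and other consumers are not affected.
    $row = $db->query('SELECT page, q FROM searches')->fetch(PDO::FETCH_ASSOC);
    return sprintf('<p>Page %d: %s</p>',
        $row['page'], htmlspecialchars($row['q'], ENT_QUOTES, 'UTF-8'));
}

var_dump(vulnerable_handler($_GET));
var_dump(skip_handler($_GET));
var_dump(prefix_handler($_GET));
print_r(read_request($_GET));
echo store_and_render(read_request($_GET)), PHP_EOL;
```

Running the script shows the first handler returning true from nothing more than an added `is_admin=1` query parameter, while the two flagged variants and the whitelist reader keep the script's own `$is_admin` at false; the rendered paragraph shows the markup and quote from `q` as literal text.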