Using Perl and libwww, I can mock up a script in about 5 mins to submit data to a URL, making it look like it was posted from wherever I want, using POST, GET and even over SSL if I wish.
GET_VARS are no less secure than POST_VARS... The trick is to know your data...
5 rules of secure coding:
1) Never trust your users
2) Never think that only your users will use it
3) Never trust data passed to your script
4) Never trust data passed to your script even if it is encrypted
5) Paranoia is your friend
One of the good things about PHP+MySQL is that you cannot execute more than one SQL statement in one mysql_query call, so the usual method of breaking stuff by ending your input with ';new_sql_statement' is broken by default.
The solutions all lie within what you intend to do with the data...
ie:
If you are manipulating files, make sure the var that stores the filename doesn't contain things like ../ etc.
If you are inserting into a database (say MSSQL (yuck)), scan for ;'s and suchlike in your data.
If you have a field that is a number, do a $var = intval($var);
If you are doing a lookup for a password, say in a "Forgotten Password" function, instead of:
SELECT password FROM users WHERE email LIKE '$email'
Note: the reason for the LIKE is to make it case insensitive.
Do:
SELECT email, password FROM users WHERE email LIKE '$email'
Then check that the email returned matches the email passed.
Mind you, I'd convert the email var to lowercase when inserting and do the same when retrieving, thus removing the need for a LIKE.
I could go on, but am afraid I have wittered far too long....
At the end of the day, if you are ever worried about the security of your code, give the source and url to another coder and say "Bet you can't break it!"
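A worked version of the checks the post describes (the intval-style coercion, the ../ filename check, and the "Forgotten Password" lookup in its unchecked, email-compared and lowercased-equality forms), added here as an example and not taken from the post. It uses Python with an in-memory sqlite3 table standing in for the PHP+MySQL setup; the users table, the sample emails/passwords, and all function names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for this example: two users with lowercase emails.
SAMPLE_USERS = [
    ("alice@example.com", "pw-alice"),
    ("bob@example.com", "pw-bob"),
]


def make_db():
    """In-memory stand-in for the post's users table (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL, password TEXT NOT NULL)")
    # Store emails lowercased on insert, as the post suggests doing.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(e.lower(), p) for e, p in SAMPLE_USERS])
    return conn


def lookup_like_unchecked(conn, email):
    """The post's first query, with $email interpolated straight into the SQL.
    A '%' wildcard or a quote-breaking value hands back *somebody's* password."""
    sql = "SELECT password FROM users WHERE email LIKE '%s'" % email
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_like_checked(conn, email):
    """The post's second query: also select the email and compare it with the
    value passed in (case-insensitively, since LIKE was chosen for that)."""
    sql = "SELECT email, password FROM users WHERE email LIKE '%s'" % email
    row = conn.execute(sql).fetchone()
    if row is None or row[0].lower() != email.lower():
        return None  # a wildcard or injected clause matched a different user
    return row[1]


def lookup_lowercase_param(conn, email):
    """Lowercase on both sides and bind the value: no LIKE, no quoting to break."""
    row = conn.execute("SELECT password FROM users WHERE email = ?",
                       (email.lower(),)).fetchone()
    return row[0] if row else None


def to_int(value):
    """Approximation of PHP's intval() on a string: the leading integer, else 0."""
    m = re.match(r"^\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def safe_filename(name):
    """Accept only a bare file name: no path separators, no '..', no NUL byte."""
    if not name or "\0" in name or name in (".", ".."):
        return None
    if "/" in name or "\\" in name:
        return None
    return name


if __name__ == "__main__":
    db = make_db()
    print("unchecked, email='%':", lookup_like_unchecked(db, "%"))
    print("checked,   email='%':", lookup_like_checked(db, "%"))
    print("param,     email='Bob@Example.COM':", lookup_lowercase_param(db, "Bob@Example.COM"))
    print("to_int('1; DROP TABLE users'):", to_int("1; DROP TABLE users"))
    print("safe_filename('../etc/passwd'):", safe_filename("../etc/passwd"))
```

The email comparison in lookup_like_checked only limits what an attacker gets back; the injected text still reaches the database, which is why the lowercased, parameter-bound form is the one to use for new code.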
