Posted: Sat Nov 29, 2003 10:57 am
by Weirdan
Gen-ik wrote:
Weirdan wrote: HTTP_REFERER could be spoofed like a breeze, so it doesn't give any bit of protection.

GENERAL RULE: Never trust anything which comes from your customers (or their browsers).
How? If someone sends information from a mock-up page on their site how will they change the HTTP_REFERER so that it looks like the info has been sent from a page on my website?
curl_setopt()
There is an option named CURLOPT_REFERER. And it's just an example.

Posted: Sat Nov 29, 2003 12:06 pm
by mchaggis
Using Perl and libwww, I can mock up a script in about 5 mins to submit data to a URL, making it look like it was posted from wherever I want, using POST, GET and even over SSL if I wish.

GET_VARS are no less secure than POST_VARS... The trick is to know your data...

5 rules of secure coding:

1) Never trust your users
2) Never think that only your users will use it
3) Never trust data passed to your script
4) Never trust data passed to your script even if it is encrypted
5) Paranoia is your friend

One of the good things about PHP+MySQL, is that you cannot execute more than one SQL statement in one mysql_query call, so the usual method of breaking stuff ending your input with ';new_sql_statement' is broken by default.

The solutions all lie within what you intend to do with the data...

ie:
If you are manipulating files, make sure the var that stores the filename doesn't contain things like ../ etc.

If you are inserting into a database (say MSSQL (yuck)) scan for ;'s and such like in your data

If you have a field that is a number, do a $var = intval($var);

If you are doing a lookup for a password, say in a "Forgotten Password" function, instead of:

SELECT password FROM users WHERE email LIKE '$email'

Note: reason for the LIKE is to do a case-insensitive
Do:

SELECT email, password FROM users WHERE email LIKE '$email'

Then check the email returned matches the email passed.
Mind, I'd convert the email var to lowercase when inserting and thus do the same when retrieving, thus removing the need for a LIKE.

I could go on, but am afraid I have wittered far too long....

At the end of the day, if you are ever worried about the security of your code, give the source and url to another coder and say "Bet you can't break it!" ;)
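An added illustration of the "Forgotten Password" lookup discussed above (this is not code from the thread; it uses Python with an in-memory SQLite table standing in for the PHP/MySQL setup, with the table and rows constructed for the example). It shows why the returned email must be checked: LIKE treats % and _ as wildcards even when the value is bound as a query parameter, so the first form hands out a password for a wildcard input while the checked form and the lowercase-equality form do not.

```python
import sqlite3


def make_db():
    """Constructed in-memory 'users' table for the example (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@example.com", "pw-alice"), ("bob@example.com", "pw-bob")])
    return db


def lookup_like_only(db, email):
    """First form from the thread: match on LIKE alone.
    The parameter is bound, so there is no SQL injection, but LIKE still treats
    % and _ as wildcards, so an input of '%' matches some user's row."""
    row = db.execute("SELECT password FROM users WHERE email LIKE ?", (email,)).fetchone()
    return row[0] if row else None


def lookup_like_checked(db, email):
    """Second form from the thread: also select the email and refuse unless it
    matches what was sent. The comparison is case-insensitive, which is what the
    LIKE was there for in the first place (SQLite's LIKE ignores ASCII case)."""
    row = db.execute("SELECT email, password FROM users WHERE email LIKE ?",
                     (email,)).fetchone()
    if row is None or row[0].lower() != email.lower():
        return None
    return row[1]


def lookup_lowercase_equal(db, email):
    """The form the post says it would really use: emails are stored lowercased
    and compared with = against a lowercased input, so LIKE and its wildcards
    are not involved at all."""
    row = db.execute("SELECT password FROM users WHERE email = ?",
                     (email.lower(),)).fetchone()
    return row[0] if row else None
```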