Secure Logins

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Pity can be easily faked...

Better to check you filter all incoming data to ensure your script only accepts data it expects to be sent (and delete anything else BEFORE you run the rest of your script). Then it doesn't really matter where it comes from...
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

How can my script PROCESS data that it didn't expect to receive?
I mean, you don't usually contain something like this:

Code:

    // pseudocode: the branch that would handle unexpected input
    if ($contains_data_that_was_not_expected == "true") {
        process_data_that_was_not_expected();
    }
:P
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

You have code. It expects to use $_POST['username'] (we'll pretend nothing else).

Therefore you can logically assume any data that is not:

1) in POST
2) not a "username" key
3) not the data type of "username" (for simplicity say it's supposed to be alphanumeric)
4) not the max length of "username"

is invalid. So delete it. Point is to avoid any other data being used to exploit any weaknesses in design, etc.
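One way to implement the whitelist Maugrim describes, as an added example that is not code from the thread: every key not in the schema is dropped, and a listed key survives only if its value has the expected character class and length. The function name `filter_request`, the `$schema` layout and the sample request are this example's own assumptions.

```php
<?php
// Added example: keep only the request fields we expect, with the expected
// type and length; silently discard everything else before the rest of the
// script runs. Names (filter_request, $schema) are this example's own.

function filter_request(array $input, array $schema): array
{
    $clean = [];
    foreach ($schema as $key => $rule) {
        // Key absent or not a plain string (e.g. an array smuggled in as
        // username[]): treat as not sent.
        if (!array_key_exists($key, $input) || !is_string($input[$key])) {
            continue;
        }
        $value = $input[$key];
        // Over length: drop rather than truncate, so a truncated value can
        // never be accepted as something it is not.
        if (strlen($value) > $rule['maxlen']) {
            continue;
        }
        // Wrong character class: drop. Anchored regex, so partial matches
        // do not count.
        if (preg_match($rule['pattern'], $value) !== 1) {
            continue;
        }
        $clean[$key] = $value;
    }
    // Any key of $input that is not in $schema never reaches $clean.
    return $clean;
}

// Schema for a login form: alphanumeric username, bounded password length.
$schema = [
    'username' => ['pattern' => '/^[A-Za-z0-9]{1,32}$/', 'maxlen' => 32],
    'password' => ['pattern' => '/^.{8,128}$/s',          'maxlen' => 128],
];

// Constructed sample request: carries an unexpected "admin" key.
$request = [
    'username' => 'alice01',
    'password' => 'correct horse battery',
    'admin'    => '1',
];
$clean = filter_request($request, $schema); // "admin" is gone

// In a real script, replace the superglobal so later code only ever sees
// vetted data, which is the "delete it" step from the post.
$_POST = filter_request($_POST, $schema);
```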
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

Hmm, good point.
I'll consider that too.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

If you want I can PM you what I use - not posting it as a snippet since I'm still touching it up. It leans heavily on a recent set of articles which made a huge amount of sense and did pretty much what I intended in a simpler fashion.
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

Sure, it would mean a lot and help a lot. Thanks.