Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I have been learning a lot about PHP security over the last two weeks. I have one question about CSRF.
Example: You have a form that submits data and then displays the data on the site, just like forums or guestbooks do. What if someone types the following in the message box?
AFAIK it's not possible to read the user's cookies this way, but it's still a security issue. For example, the user's IP address can be read.
You should filter out all HTML tags or, if HTML must be allowed, you should prove whether the URL is really an image or just a PHP file with a ".png" extension or so.
Do you have any idea how to 'prove' that a .png is an image? Loading it and checking for correct data sounds very slow, especially if the image host is slow...
I asked this for my script. I need to have an option so that people may post pictures, either by linking or by hotlinking.
How do you think this phpBB deals with it? The one we are using now. I can easily add an img tag from the button above and use it to make your browser load some PHP...
phpBB's image tag typically doesn't allow PHP files to be loaded. What is possible is loading a URL that appears to be an image but is just a script masquerading as one.
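Since a ".png" in the URL proves nothing about what the server behind it returns, the check the thread is asking for has to look at the bytes. The following is an added example, not code from the thread or from phpBB: it fetches only the first kilobyte of a candidate URL (helper names `detect_image_type`, `image_url_looks_safe` and `fetch_head` are my own, and the fetch assumes `allow_url_fopen` is enabled) and compares the leading bytes against the PNG, JPEG and GIF magic numbers. The sample byte strings at the bottom are constructed so the type check runs offline.

```php
<?php
// Added example: decide whether a blob of bytes really is an image by checking
// its magic bytes, instead of trusting the ".png" at the end of the URL.

function detect_image_type(string $bytes): ?string
{
    // Magic numbers for the formats a forum usually allows.
    $signatures = [
        'png'  => "\x89PNG\r\n\x1a\n",
        'jpeg' => "\xFF\xD8\xFF",
        'gif'  => "GIF8",            // covers GIF87a and GIF89a
    ];
    foreach ($signatures as $type => $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;                     // not an image we recognise
}

function image_url_looks_safe(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain web URLs: no javascript:, data:, file:, ftp: and friends.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Hypothetical fetch wrapper: read at most $limit bytes of the remote resource.
// Assumes allow_url_fopen is on; a short timeout keeps a slow image host from
// stalling the post handler, which was the poster's performance worry.
function fetch_head(string $url, int $limit = 1024): ?string
{
    if (!image_url_looks_safe($url)) {
        return null;
    }
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $fh  = @fopen($url, 'rb', false, $ctx);
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, $limit);
    fclose($fh);
    return $head === false ? null : $head;
}

// Constructed sample data so the type check can be exercised without the network.
$real_png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$fake_png = "<?php header('Content-Type: image/png'); /* logs the viewer's IP */ ?>";

var_dump(detect_image_type($real_png));
var_dump(detect_image_type($fake_png));

// At post time you would call detect_image_type(fetch_head($url) ?? '') and
// reject the [img] tag when it returns null.
```

Two caveats a practitioner should keep in mind. First, this is a point-in-time check: the remote host can serve a real PNG while you verify it and a script afterwards, which is the "surrender all control" point made later in the thread; the only robust fix is to download the image once, verify it, and serve the copy from your own host. Second, fetching arbitrary user-supplied URLs from your server is itself a risk (it lets a poster make your server issue requests), so keep the scheme allow-list and the size and time limits.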
Ambush Commander wrote:If you allow external resources, you surrender all control over what the images are. Hope you're regularly checking up the comments.
However, from what your implementation's behavior looks like, you may have bigger problems than CSRF. How are you protecting against XSS?
Against XSS? Well, I check that user-submitted data always has allowed characters, allowed length and allowed type. For example, for ?id=x I would only accept integers, only between 0 and ..., and no decimals.
I also use many regexes to validate. I strip tags, apply htmlspecialchars, and UTF-decode. Is there something more I need to worry about? And ah, I always make sure that the posted info is from MY form, not from the visitor's own form (tokens).
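The "tokens" mentioned above are the actual CSRF defence in this thread, so here is what that looks like in PHP as an added example (not the poster's code and not phpBB's): a per-session secret generated from the CSPRNG, embedded in the form, and compared in constant time on submission. Function names `csrf_token`, `csrf_field` and `csrf_check` are my own; the example assumes PHP 7 or later for `random_bytes` and `hash_equals`.

```php
<?php
// Added example: per-session anti-CSRF token for a form handler.

function csrf_token(): string
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 256 bits from the OS CSPRNG, stored only in the server-side session.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop inside every state-changing <form method="post">.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns true only if the submitted token matches the session token.
function csrf_check(array $post): bool
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // hash_equals avoids leaking the token byte by byte through timing.
    return hash_equals($expected, $given);
}

// Usage in the handler that saves a guestbook or forum post:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // ... validate and store the message here ...
}

echo '<form method="post">' . csrf_field()
   . '<textarea name="message"></textarea><button>Post</button></form>';
```

One consequence worth spelling out for the thread's [img] worry: an image tag can only make the viewer's browser issue a GET. If every state-changing action on your site requires a POST carrying this token, a hotlinked "image" pointing at your own scripts cannot change anything; what remains is the tracking problem (IP address, user agent) that the first reply already named.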
Yes, for simpler datatypes that's usually no problem. But the HTML you posted in the parent post suggests that you also (will) accept HTML, or at least a subset of it. That stuff is very difficult to get right.
Ambush Commander wrote:Yes, for simpler datatypes that's usually no problem. But the HTML you posted in the parent post suggests that you also (will) accept HTML, or at least a subset of it. That stuff is very difficult to get right.
Yes I understand what you mean.
I asked about CSRF, not XSS, so the example in my first post in this topic was a quickly written example of HTML. I will NOT accept HTML directly. I accept BBCode that will be changed to HTML with regexes, so it will be much safer that way.
So, my question was about CSRF. When I have changed BBCode to HTML with regexes, I want to be sure it's not insecure HTML code that makes calls to external PHP scripts that could grab cookies or something.
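Whether the regex conversion is "much safer" depends on the order of operations and on what the [img] regex lets through. The following is an added example of a small BBCode-to-HTML converter, not the poster's script and not phpBB's: it escapes the whole message first so user text can never become markup, then turns a few tags into HTML, and only emits an `<img>` when the URL is a plain http(s) URL ending in an image extension. The function names `bbcode_to_html` and `safe_image_url` and the sample message are my own constructions.

```php
<?php
// Added example: BBCode subset -> HTML, escaping before tag conversion.

// Accept only http(s) URLs whose path ends in an image extension; anything
// else (javascript:, data:, a bare .php) is rejected and left as plain text.
function safe_image_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!preg_match('~\.(png|jpe?g|gif)$~i', $parts['path'])) {
        return null;
    }
    return $url;   // already HTML-escaped by the caller, safe inside src="..."
}

function bbcode_to_html(string $text): string
{
    // Step 1: neutralise every raw < > & " ' before any tag is produced.
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Step 2: simple inline tags. Non-greedy so one stray [b] cannot swallow the post.
    $html = preg_replace('~\[b\](.+?)\[/b\]~s', '<b>$1</b>', $html);
    $html = preg_replace('~\[i\](.+?)\[/i\]~s', '<i>$1</i>', $html);

    // Step 3: [img]. The capture excludes whitespace and brackets; quotes and
    // angle brackets cannot appear because step 1 already turned them into entities.
    $html = preg_replace_callback(
        '~\[img\]([^\[\]\s]+)\[/img\]~',
        function (array $m): string {
            $url = safe_image_url($m[1]);
            return $url === null ? $m[0] : '<img src="' . $url . '" alt="">';
        },
        $html
    );

    return nl2br($html);
}

// Constructed sample message mixing a real image, an XSS attempt, and two
// URLs that should not become images.
$message = "Hello [b]<script>alert(1)</script>[/b]\n"
         . "[img]https://img.example/cat.png[/img]\n"
         . "[img]javascript:alert(1)[/img]\n"
         . "[img]http://evil.example/track.php[/img]";

echo bbcode_to_html($message);
```

The extension check only blocks the obvious case; as pointed out earlier in the thread, `cat.png` can still be a script on the remote host, and the viewer's browser will happily GET it. That script cannot read your site's cookies (it runs on another origin), so the residual exposure is the viewer's IP address and user agent, plus whatever a GET to your own site can do if any of your handlers change state without a POST and a form token.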