Script security question

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
crashy_crashy
Forum Newbie
Posts: 2
Joined: Mon Feb 12, 2007 2:12 am

Script security question

Post by crashy_crashy »

<sinatra>This is my first post here. Please be kind.</sinatra>

Don't have code yet - still working on conept.

I'm designing a site for a low vision specialist. I'm hoping to call the site template through a server-side include. Pretty simple.

I'm also thinking of creating a set of clickable controls that allow the user to customize the appearance of the site, and have that information stored in a cookie on the user's machine. The user basically creates his/her own custom stylesheet for that particular site.

When the page loads, the script looks for the cookie. If it's found, the script displays the page according to the style information specified - otherwise, it just displays the page as originally designed.

The problem is that this sort of script seems to beg to be exploited. You don't even have to know much about hacking PhP to create a pretty nasty little surprise for anyone visiting that site. The session cookie itself would give away exactly how the script worked. I haven't even written the script yet, and I already see a lot of problems with it.

Any thoughts on creating this script in a secure fashion? I'd love to avoid horrifying the elderly and legally blind if possible.
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

If you check that each value from the cookie is an acceptable values then you should not have problems. Just make sure that each value is the expected type, and within an expected range or set of values.
(#10850)
crashy_crashy
Forum Newbie
Posts: 2
Joined: Mon Feb 12, 2007 2:12 am

Post by crashy_crashy »

Heh - thanks. For some reason, at 3:30 in the morning, this seemed like a big problem. :lol:
Post Reply