Page 1 of 1

Script security question

Posted: Mon Feb 12, 2007 2:28 am
by crashy_crashy
<sinatra>This is my first post here. Please be kind.</sinatra>

Don't have code yet - still working on conept.

I'm designing a site for a low vision specialist. I'm hoping to call the site template through a server-side include. Pretty simple.

I'm also thinking of creating a set of clickable controls that allow the user to customize the appearance of the site, and have that information stored in a cookie on the user's machine. The user basically creates his/her own custom stylesheet for that particular site.

When the page loads, the script looks for the cookie. If it's found, the script displays the page according to the style information specified - otherwise, it just displays the page as originally designed.

The problem is that this sort of script seems to beg to be exploited. You don't even have to know much about hacking PhP to create a pretty nasty little surprise for anyone visiting that site. The session cookie itself would give away exactly how the script worked. I haven't even written the script yet, and I already see a lot of problems with it.

Any thoughts on creating this script in a secure fashion? I'd love to avoid horrifying the elderly and legally blind if possible.

Posted: Mon Feb 12, 2007 3:23 am
by Christopher
If you check that each value from the cookie is an acceptable values then you should not have problems. Just make sure that each value is the expected type, and within an expected range or set of values.

Posted: Mon Feb 12, 2007 9:33 am
by crashy_crashy
Heh - thanks. For some reason, at 3:30 in the morning, this seemed like a big problem. :lol: