On Tue, Jul 19, 2005 at 07:54:31AM +0200, Martin Schulze wrote:
> Ok, I'll wait.
so, a 6 hour plane flight later, i've learned 3 things:

1 - there are a number of other variables that also need to be included.
2 - there are a number of calls where variables are indirectly passed to mysql_foo functions via other functions (which causes a problem for the current sanity checking method)
3 - there is another, ridiculously obvious security vulnerability in the woody version.

1 is easy to fix, we can just add on the extra variables to the file. of the 900 or so calls to mysql_foo functions, i had about 170 left to look at when my battery crapped out.

2 is trickier. we could either repeat the process i'm about finished with wrt mysql_foo for all the functions that pass variables to mysql_foo, or we could do the sanity checking in the function. as the former sounds ugly and even more time consuming i'm going to side with the latter. what i think i'm going to do is split sanitize.php into sanitize and sanitize-functions. sanitize will include_once sanitize-functions, so then sanitize can be included multiple times (otherwise i believe that php will bitch about functions being redefined), and i'll just slip in a line in each mysql-calling function to include sanitize, and add the variables in said functions to sanitize.php.

as for 3, well... there's a variable, which is stored in a cookie. the cookie name is cactilogin, and the value is an integer. want to guess what it does? a fix for this shouldn't be too hard, this kind of info should be stored in the session and not in the cookie.

anyway, i'll have a fair amount of free time tomorrow, but will need a little sleep first :)

sean
--
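The two points in the message above (sanity-checking inside the query-building function instead of at every call site, and keeping the logged-in user id in the server-side session rather than in a client cookie) as an added illustration. This is example code written for this page, not Cacti's code or anything from the list thread; the function names, the `graph` table and its columns, and the `$session` array that stands in for `$_SESSION` are all assumptions so that it runs from the command line without a database.

```php
<?php
// Added example, not Cacti's code. Names below are hypothetical.
//
// Pattern 1: validate at the point of use.
// When values travel through several helper functions before reaching
// mysql_query(), checking every call site is error-prone. Instead, the
// function that builds the SQL validates its own inputs. In the layout the
// message describes, these helpers would live in sanitize-functions.php and
// be pulled in with include_once, so they are defined exactly once no matter
// how many query-building functions include them.

function sanitize_int($value) {
    // Accept only a plain decimal integer; anything else is rejected.
    if (!preg_match('/^-?[0-9]+$/', (string) $value)) {
        return null;
    }
    return (int) $value;
}

function sanitize_sql_string($value) {
    // Escape the characters that can terminate a single-quoted SQL literal.
    // mysql_real_escape_string() needs an open connection, so a plain
    // backslash-escaping routine is used here to keep the example offline.
    // Backslashes are escaped first so later replacements are not re-escaped.
    return str_replace(
        array('\\', "'", '"', "\0"),
        array('\\\\', "\\'", '\\"', '\\0'),
        (string) $value
    );
}

// A query-building function that refuses to emit SQL from bad input.
function build_graph_query($graph_id, $title) {
    $id = sanitize_int($graph_id);
    if ($id === null) {
        return null;   // caller must handle the rejection
    }
    $t = sanitize_sql_string($title);
    return "SELECT * FROM graph WHERE id = $id AND title = '$t'";
}

// Pattern 2: who is logged in?
// Weak: the user id is an integer in a cookie the client fully controls.
function current_user_from_cookie(array $cookie) {
    return isset($cookie['cactilogin']) ? (int) $cookie['cactilogin'] : null;
}

// Stronger: the user id is stored server-side after a successful login; the
// client only holds the opaque session id. $session stands in for $_SESSION.
function login_into_session(array &$session, $user_id) {
    $session['user_id'] = (int) $user_id;
}

function current_user_from_session(array $session) {
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

// Demonstration with constructed inputs.
var_dump(build_graph_query("5", "cpu's load"));      // well-formed query
var_dump(build_graph_query("not-a-number", "x"));    // NULL: rejected

$session = array();
login_into_session($session, 42);                    // set by the server
var_dump(current_user_from_session($session));       // int(42)
var_dump(current_user_from_cookie(array('cactilogin' => '1')));  // client-chosen
```

Run it with `php example.php`. The contrast in the last two lines is the whole of point 3: the session value was set by server-side code after authentication, while the cookie value is whatever the client sent.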