$_GET is definitely insecure because the user can insert values into the URL line,
which may expose data which should be secure (depending upon how you've written your
scripts).
$_POST is more secure, if you add additional protective coding. An excellent example
was provided a couple days ago. In the following, assume $admin must be set to
"trustme" and is set from a form:
INSECURE method 1:
if( ISSET($admin) )
{
print $sensitive_data;
}
INSECURE method 2:
if( $admin=="trustme" )
{
print $sensitive_data;
}
MORE SECURE method:
$admin = "";
extract($_POST);
if( $admin == "trustme" )
{
print $sensitive_data;
}
The insecure methods can be fooled by the user guessing/inserting a variable named
$admin, set to "trustme" in the URL.
The more secure method ensures it MUST come from a form. Be advised: the user can
create his own form with $admin as a variable and submit it to your PHP script.
Therefore, additional precautions and authentication are warranted.
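As an added example (not code from this thread), the extract() pattern and an explicit-read pattern side by side on a constructed POST array; the function names and the $admins allow-list are assumptions for illustration only:

```php
<?php
// Added example, not from the original thread. Simulates both approaches on a
// constructed request so the difference is visible without a web server.

// Constructed POST body: the field our form sends ("name") plus an extra
// field ("admin") that none of our forms ever send.
$constructedPost = ['name' => 'Guest', 'admin' => 'trustme'];

// Pattern from the thread: pre-seed $admin, then extract() the request.
// extract() imports every key as a local variable and, by default,
// overwrites an existing $admin, so the pre-seeding buys nothing.
function extractPattern(array $post): bool
{
    $admin = "";
    extract($post);            // $admin now holds $post['admin'] if that key exists
    return $admin == "trustme";
}

// Same idea with EXTR_SKIP: existing variables are left alone, so the
// pre-seeded $admin survives. Every other key is still imported, though.
function extractSkipPattern(array $post): bool
{
    $admin = "";
    extract($post, EXTR_SKIP); // collision with $admin is skipped, not overwritten
    return $admin == "trustme";
}

// Hardened pattern: never let request data choose variable names. Read only
// the keys the form is expected to carry and derive $admin from a server-side
// decision (here a constructed allow-list standing in for real authentication).
function explicitPattern(array $post): bool
{
    $name   = isset($post['name']) ? (string) $post['name'] : '';
    $admins = ['John' => true];          // constructed allow-list, assumption
    $admin  = isset($admins[$name]);     // $post['admin'] is simply ignored
    return $admin;
}

var_dump(extractPattern($constructedPost));     // request data sets $admin
var_dump(extractSkipPattern($constructedPost)); // pre-seeded $admin kept
var_dump(explicitPattern($constructedPost));    // only the allow-list decides
```

Reading named keys from $_POST directly, as in the reply below, is the same discipline as explicitPattern(): the request can carry any field it likes, but only the ones the script names ever become variables.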
----- Original Message -----
From: "Monty" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 12:37 AM
Subject: Re: [PHP] extract($_POST)
I'm devastated to hear that extract($_POST) or extract($_GET) are security
risks because that's the method I went with for a bunch of scripts I'm
writing now. But I don't understand how this...
$admin = $_POST['admin'];
... is more secure? Isn't the security risk that they can hijack your var
data? If so, I don't see how the above would make it possible to know
whether the data in $_POST isn't coming from your own scripts. Especially
for forms where it's not really efficient to validate every possibility for
a field, such as a Country field.
But maybe I'm missing the point, and if so I'd like to understand so I can
make my scripts more secure when passing data. It seems like I will need to
basically re-define every form field and GET variable at the beginning of
each script literally.
Monty
> From: [EMAIL PROTECTED] (Mike Ford)
> Newsgroups: php.general
> Date: Thu, 24 Oct 2002 18:41:04 +0100
> To: "'1LT John W. Holmes'" <[EMAIL PROTECTED]>, Rick Emery
> <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: [PHP] extract($_POST)
>
>> -----Original Message-----
>> From: 1LT John W. Holmes [mailto:holmes072000@;charter.net]
>> Sent: 23 October 2002 19:51
>>
>> Say you have something like this:
>>
>> if($_POST['name'] == "John")
>> { $admin = TRUE; }
>>
>> if($admin)
>> { show_sensitive_data(); }
>>
>> Now, if you're using extract(), I can send $admin through the
>> post data and
>> you'll extract it into your script. That's where the security
>> flaw lies, but
>> the flaw is in the programming, not PHP.
>>
>> You can have a secure example by doing this:
>>
>> $admin = FALSE;
>> if($_POST['name'] == "John")
>> { $admin = TRUE; }
>
> Or just $admin = $_POST['name']=="John";
>
> Actually, I'd also collapse this into the subsequent if, and write it like
> this:
>
> if ($admin = $_POST['name']=="John"):
> show_sensitive_data();
> endif;
>
> I love languages where assignments are expressions!
>
> Cheers!
>
> Mike
>
> ---------------------------------------------------------------------
> Mike Ford, Electronic Information Services Adviser,
> Learning Support Services, Learning & Information Services,
> JG125, James Graham Building, Leeds Metropolitan University,
> Beckett Park, LEEDS, LS6 3QS, United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php