This is all really simple, actually. Get in the habit, now, of just using $_POST['var'] directly. Quit assigning it to a simpler variable name. It's really not that hard to type.
Next, you should never use an _POST, _GET, or _COOKIE var directly in an SQL query or in anything that echoes it back to the screen. ___ EVERYTHING FROM THE USER MUST BE VALIDATED ___ and you only use that validated value in your SQL and echoes. I'm in the habit of assigning all of my validated user input into an $input[] array and using that for any output/SQL further in the page.

---John Holmes...

> -----Original Message-----
> From: Rick Emery [mailto:remery@;emeryloftus.com]
> Sent: Friday, October 25, 2002 4:27 PM
> To: [EMAIL PROTECTED]; Monty
> Subject: Re: [PHP] extract($_POST)
>
> You can still use extract($_POST).
> It is as safe/vulnerable as $_POST['isAdmin'].
>
> In either case, use only variables that you know are yours and be certain
> these contain values which you believe to be safe.
> For instance, if you expect a variable called $firstname to contain a name
> to be stored in a SQL database, be certain it does not contain SQL commands
> which can damage your database.
>
> Also, if a cracker simply floods your script with variables, they will not
> do damage if you have verified their contents. For instance:
>
> $isAdmin = "";
> extract($_POST);
> if( $isAdmin=="JohnDoe")
> {
>     // do secure stuff;
> }
>
> In the above code, if a cracker has inserted a variable called $isAdmin,
> it will be nulled before extracting from the form. Be advised that a
> cracker can create his own form with $isAdmin in it and submit it to your
> script. Using $_POST['isAdmin'] will NOT protect you.
> Bottom line: you can be cracked. There are no certain protections.
>
> ----- Original Message -----
> From: "Monty" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, October 25, 2002 3:13 PM
> Subject: Re: [PHP] extract($_POST)
>
>
> Okay, I really want to understand how to make $_GET and $_POST more secure
> because it means changing a fundamental way my scripts are now working.
>
> So, it sounds like what I need to do in order to make form data more secure
> is something like this...
>
> $isAdmin = $_POST['isAdmin'];
> $myName = $_POST['myName'];
> $myPrefs = $_GET['myPrefs'];
>
> Instead of this...
>
> extract($_POST);
> extract($_GET);
>
> Is this correct?? Now, I can see how this will prevent a cracker from
> flooding a script with invalid variables that are all extracted into local
> vars, but, I don't see how this will prevent someone from hijacking the vars
> and inserting their own data. Validating that kind of attack seems almost
> impossible to do especially for things like forms that collect contact info.
> I really don't want to have to validate every field for every legal
> possibility (especially fields like Country).
>
> I've read here that HTTP_REFERER is unreliable and can be easily spoofed,
> but, is there a more reliable way to know where the $_POST and $_GET data is
> coming from? Perhaps by IP of my server, or using $_SERVER['SERVER_NAME']?
>
> Is there any superglobal variable that would be unique to my web server that
> CANNOT be spoofed or easily changed by a cracker that I can use as a check
> to be sure the data is being submitted from a form on my site and not from
> someone else's site?
>
> Thanks a lot, guys!
>
> Monty
>
>
> > From: [EMAIL PROTECTED] (Paul Nicholson)
> > Organization: WebPower Design
> > Newsgroups: php.general
> > Date: Fri, 25 Oct 2002 13:06:10 -0400
> > To: "Johnson, Kirk" <[EMAIL PROTECTED]>, PHP General <[EMAIL PROTECTED]>
> > Subject: Re: [PHP] extract($_POST)
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote:
> >>> And what should these precautions be? If a malicious user can submit
> >>> his own form and you are looking for a POST variable, how can you
> >>> ensure that $admin came from your form and not that user's?
> >>
> >> The problem is when a cracker uses form variables in an attempt to set the
> >> values of "flag" variables kept only in the session, for example, $isAdmin.
> >> As far as the form variables *you* put in your form, it doesn't matter
> >> whether the user submits your form or a form they made themselves. Those
> >> form variables are just data you are trying to collect.
> >>
> >> With register_globals on, PHP takes *all* variables (GET, POST, COOKIE)
> >> received from the client and assigns them to global variables. So if the
> >> user posts a value for $isAdmin, she can give herself admin privileges.
> >>
> >> The key is to retrieve *only* the form variables *you* put in the form from
> >> the $_POST array. So don't write a loop and grab *everything* from that
> >> array.
> >>
> >> Kirk
> >
> > Exactly! Not only should you retrieve *only* the vars you need from POST,
> > you should also filter them to make sure they contain what you're looking
> > for.....is_alpha($_POST['name']). And no, php doesn't have an 'is_alpha'
> > function....I created that as part of a filtering class.
> >
> > ~Paul
> >
> >
> > - --
> > ~Paul Nicholson
> > Design Specialist @ WebPower Design
> > "The web....the way you want it!"
> > [EMAIL PROTECTED]
> >
> > "It said uses Windows 98 or better, so I loaded Linux!"
> > Registered Linux User #183202 using Register Linux System # 81891
> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
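As an added example, not code from any poster in this thread: the extract() pattern Rick Emery and Kirk discuss, placed beside the allow-list-and-$input approach John Holmes and Kirk recommend. The function names, the users table and the request array are constructed for this example, and it assumes PHP 7.4+ with the pdo_sqlite extension; the PDO prepared statement is a newer API than the thread's 2002-era PHP, swapped in for the SQL step.

```php
<?php
// Added example (not from any poster in the thread). Assumes PHP 7.4+ with
// pdo_sqlite; the users table and the request below are constructed.

// The pattern the thread warns about: after extract(), any local variable can
// be set by the client, including flags that were only meant to come from the
// session. Initialising $isAdmin first does not help, because extract()
// overwrites it when the request carries a field of the same name.
function vulnerableIsAdmin(array $post): bool
{
    $isAdmin = '';
    extract($post);
    return $isAdmin === 'JohnDoe';
}

// Kirk's and John Holmes's approach: read only the fields *you* put in the
// form, validate each one, and keep the results in a separate $input array.
function validateForm(array $post): array
{
    // Constructed allow-list of expected fields and their validators.
    $rules = [
        'myName'  => fn($v) => is_string($v) && preg_match('/^[\p{L} .\'-]{1,60}$/u', $v) === 1,
        'country' => fn($v) => is_string($v) && preg_match('/^[A-Z]{2}$/', $v) === 1,
    ];
    $input = [];
    foreach ($rules as $field => $isValid) {
        if (!isset($post[$field]) || !$isValid($post[$field])) {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
        $input[$field] = $post[$field];
    }
    return $input;   // keys not in the allow-list (e.g. isAdmin) are never copied
}

// Only $input reaches SQL (through placeholders) and HTML (through escaping).
function storeAndGreet(PDO $pdo, array $input): string
{
    $stmt = $pdo->prepare('INSERT INTO users (name, country) VALUES (?, ?)');
    $stmt->execute([$input['myName'], $input['country']]);
    return 'Hello, ' . htmlspecialchars($input['myName'], ENT_QUOTES, 'UTF-8');
}

// Constructed request: a visitor submits their own form with an extra isAdmin field.
$post = ['myName' => "Robert O'Neil", 'country' => 'US', 'isAdmin' => 'JohnDoe'];
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT, country TEXT)');
var_dump(vulnerableIsAdmin($post));
$input = validateForm($post);
var_dump(array_key_exists('isAdmin', $input));
echo storeAndGreet($pdo, $input), "\n";
```

Authorization flags such as isAdmin should be read from the session, never from $input, which is exactly why the allow-list leaves them out.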