Chris Shiflett wrote:
> --- Chad Day <[EMAIL PROTECTED]> wrote:
> > I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something..
>
> Your instincts serve you well. There are two types of attacks to worry about in this situation, depending on who can see this "image". If only the user who submitted the URL can see it, then your users only risk CSRF attacks, which are not very common (yet) but are very dangerous. If everyone can see the "image", then your application is also at risk of XSS. If you realize that an embedded image is requested separately by a Web client, you can see that this basically allows an attacker the opportunity of forcing another user to visit a URL of the attacker's choice. For example, consider an image that looks like this:
>
> <img src="http://bookstore.xxx/buy.php?book=httphandbook">

I agree that there are risks - but I do think this can be done safely if you make sure the user cannot insert JavaScript into the page; there isn't much cross-site scripting that can be done. And make sure they can't insert quotes, which would end the quoted string in the HTML page.

Is there really any site which will accept a book order based on a single GET?

I guess stripping the query string would be safest... but it's a balance between security and functionality...
--
Sean
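A defensive input check of the kind Chris and Sean describe, added here as an example (not code from the thread or from any poster): it accepts only absolute http/https URLs, rejects characters that could end the quoted src attribute, optionally drops the query string as Sean suggests, and escapes again on output. The function names and host names are made up for the example.

```php
<?php
// Added example, not from the thread: validate a user-submitted image URL
// before storing it, and escape it again when echoing it into an <img> tag.
// Returns a cleaned URL, or null if the URL is rejected. $stripQuery = true
// drops the query string, the trade-off Sean mentions: it removes the
// buy.php?book=... style CSRF vector but breaks hosts that need parameters.
function validate_image_url(string $url, bool $stripQuery = false): ?string
{
    $url = trim($url);
    // Reject anything that could end the quoted attribute or open a new tag:
    // quotes, angle brackets, whitespace and control characters.
    if (preg_match('/["\'<>\s\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Only plain web fetches: no javascript:, data:, file: and friends.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // No embedded credentials (user:pass@host) and no fragment.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['fragment'])) {
        return null;
    }
    // Rebuild the URL from the parsed parts rather than storing the raw input.
    $clean = $scheme . '://' . strtolower($parts['host']);
    if (isset($parts['port'])) {
        $clean .= ':' . $parts['port'];
    }
    $clean .= $parts['path'] ?? '/';
    if (!$stripQuery && isset($parts['query'])) {
        $clean .= '?' . $parts['query'];
    }
    return $clean;
}

// On output, escape again; never trust the stored value alone.
function image_tag(string $storedUrl): string
{
    return '<img src="' . htmlspecialchars($storedUrl, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

// Constructed sample inputs (made-up hosts), run through the same check.
$stored = validate_image_url('http://bookstore.xxx/buy.php?book=httphandbook', true);
$scheme = validate_image_url('javascript:alert(1)');
$breakout = validate_image_url('http://example.invalid/a.png" extra="1');
```

Only a value that passed validate_image_url() should reach the database, and image_tag() is still applied when the page is rendered.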
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php