FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176437 is a reply to message #176432] Fri, 06 January 2012 23:12 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 1/6/2012 2:14 PM, Thomas Mlynarczyk wrote:
> Jerry Stuckle schrieb:
>> On 1/6/2012 6:05 AM, Thomas Mlynarczyk wrote:
>>> Jerry Stuckle schrieb:
>>>
>>>> $REQUESTS is quite dangerous. You never know whether it comes from
>>>> $_GET, $_POST or $_COOKIE, for instance.
>>>
>>> True, you don't know. But does it matter?
>>
>> No, it doesn't matter if you aren't concerned about security.
>
> I was hoping for some objective arguments, but well...
>
> Okay, let me rephrase this. Suppose you have a parameter foo which is
> expected to be sent via $_POST only. So if it's being sent via $_GET you
> refuse it as invalid. Okay. So all the attacker has to do is send it via
> $_POST and you will happily accept it. Now of course you must ensure
> that this foo parameter, even if sent via $_POST, can do no evil. You
> must properly validate it. But once you're there, you might as well
> accept it via $_GET, for what difference does it make now? You validate
> it, so it can do no harm.
>
> I repeat: An attacker can send ANYTHING via GET or POST or COOKIE as he
> chooses. YOU, therefore, cannot say "this came via POST as intended, so
> it's safe". You must not rely on the data source. Therefor, the data
> source should be irrelevant to your application and your application
> must be designed so that it doesn't matter if the data comes via GET,
> POST or COOKIE. In other words: When some evil person knocks on your
> door, it really doesn't matter if he came by train or by car to your
> doorstep. The same holds for a nice guy visiting you.
>
> Greetings,
> Thomas
>

I didn't say you didn't need to validate the parameter. But limiting
values to the proper operation makes it harder for hackers to break in.

It DOES matter where it came from - and data coming in from the wrong
variable can get their IP blocked from the site. There is no use making
it easy for them.

I have people trying to break into the sites I designed almost daily
(multiple times daily if you also include SMTP and SSH attacks). None
have succeeded.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Nov 25 00:22:35 GMT 2024

Total time taken to generate the page: 0.04482 seconds