FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176520 is a reply to message #176470] Sun, 08 January 2012 23:21 Go to previous messageGo to previous message
Thomas Mlynarczyk is currently offline  Thomas Mlynarczyk
Messages: 131
Registered: September 2010
Karma:
Senior Member
Jerry Stuckle schrieb:

> That's your first mistake. Cookies are completely unrelated to sessions
> - except for the session id in PHP. So there is no need for an extra
> setcookie() call - except when you have screwed up logic.

Maybe there is some misunderstanding here.

> There is no way to ensure the value isn't set via a cookie or GET
> request. A hacker can easily send it any way he wants. This is a very
> basic security concept.

Yes, that's what I'm saying: A hacker can send it any way he wants.

> Detection is always the first step in prevention, as
> anyone familiar with security understands. You cannot prevent something
> you cannot detect.

Assume a variable is supposed to be sent via POST. Now there are the
good guys and the bad guys. The good guys will, by definition, always
send that variable via POST as intended. For /them/, we don't need any
checks and we might even allow them to send it via GET, because we know
they're the good guys. The bad guys /can/ send it via POST as well.
Thus, your website must be able to withstand an attack coming via the
"right" method. But if your website can withstand such an attack, it can
automatically also withstand an attack via the "wrong" method. So you're
safe, without needing to check for the method.

To accept a "delete=all", there must be a session, a properly logged-in
user etc. and that command must be accompanied by a one-time token your
website generates whenever the delete form is displayed. If there is no
security flaw in this, then it is either impossible for the command to
come via GET instead of POST without failing at least one of the other
conditions or it *is* valid (I can tell my Firefox to change POSTs to
GETs and vice versa). And if there /is/ a security flaw in this, then it
is certainly something which is not related to the input method, but
must be some "deeper" problem.

In other words: If I cannot prevent an attack *without* checking which
way the variable came, then my security is no good. But if I can prevent
an attack without checking this, then why should I bother checking?

Greetings,
Thomas

--
Ce n'est pas parce qu'ils sont nombreux à avoir tort qu'ils ont raison!
(Coluche)
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Nov 25 00:51:17 GMT 2024

Total time taken to generate the page: 0.03851 seconds