FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Magic quotes? Should I still be cautious?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Magic quotes? Should I still be cautious? [message #176524 is a reply to message #176520] Mon, 09 January 2012 00:05 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 1/8/2012 6:21 PM, Thomas Mlynarczyk wrote:
> Jerry Stuckle schrieb:
>
>> That's your first mistake. Cookies are completely unrelated to
>> sessions - except for the session id in PHP. So there is no need for
>> an extra setcookie() call - except when you have screwed up logic.
>
> Maybe there is some misunderstanding here.
>
>> There is no way to ensure the value isn't set via a cookie or GET
>> request. A hacker can easily send it any way he wants. This is a very
>> basic security concept.
>
> Yes, that's what I'm saying: A hacker can send it any way he wants.
>
>> Detection is always the first step in prevention, as anyone familiar
>> with security understands. You cannot prevent something you cannot
>> detect.
>
> Assume a variable is supposed to be sent via POST. Now there are the
> good guys and the bad guys. The good guys will, by definition, always
> send that variable via POST as intended. For /them/, we don't need any
> checks and we might even allow them to send it via GET, because we know
> they're the good guys. The bad guys /can/ send it via POST as well.
> Thus, your website must be able to withstand an attack coming via the
> "right" method. But if your website can withstand such an attack, it can
> automatically also withstand an attack via the "wrong" method. So you're
> safe, without needing to check for the method.
>

If they are supposed to be sent by POST and are instead sent by GET,
then by definition they are NOT "good guys". Detecting things sent via
the "wrong" method is one way to detect attacks.

> To accept a "delete=all", there must be a session, a properly logged-in
> user etc. and that command must be accompanied by a one-time token your
> website generates whenever the delete form is displayed. If there is no
> security flaw in this, then it is either impossible for the command to
> come via GET instead of POST without failing at least one of the other
> conditions or it *is* valid (I can tell my Firefox to change POSTs to
> GETs and vice versa). And if there /is/ a security flaw in this, then it
> is certainly something which is not related to the input method, but
> must be some "deeper" problem.
>

Just because a user is logged in doesn't make any difference. Hackers
will commonly use throw-away email addresses and sign up for sites.

Unless you are going to limit access to those you personally know, and
authorize each one.

> In other words: If I cannot prevent an attack *without* checking which
> way the variable came, then my security is no good. But if I can prevent
> an attack without checking this, then why should I bother checking?
>
> Greetings,
> Thomas
>

I didn't say you can't prevent an attack without checking which way the
variable came from. I said that is one way to detect attacks.

The sooner you can detect an attack, the sooner (and easier) you can
prevent it. A basic tenet of security.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Lilupophilupop
Next Topic: [WSP] CALL FOR PAPERS [FREE]
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Nov 25 00:52:57 GMT 2024

Total time taken to generate the page: 0.04241 seconds