Check if $_GET contains something other than what's allowed [message #183820]
Thu, 21 November 2013 21:21
jwcarlton
I have a script that's constantly under attack by hackers submitting odd queries. My script is tight enough that it's not been a problem, but still, it's annoying.
Just for the sake of peace of mind, how can I check for any $_GET key that's not allowed (in which case I can kill the script from the beginning)?
TIA,
Jason

Re: Check if $_GET contains something other than what's allowed [message #183821 is a reply to message #183820]
Thu, 21 November 2013 21:31
Salvatore
On 2013-11-21, Jason C <jwcarlton(at)gmail(dot)com> wrote:
> Just for the sake of peace of mind, how can I check for any $_GET key
> that's not allowed (in which case I can kill the script from the
> beginning)?
    $allowed_keys = array('username', 'password' /* ... */);
    foreach ($_GET as $key => $value) {
        // third argument: strict comparison, so an integer key such as 0
        // is never loosely equal to one of the allowed names
        if (!in_array($key, $allowed_keys, true)) {
            // deny access here
        }
    }
--
Blah blah bleh...
GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++

Re: Check if $_GET contains something other than what's allowed [message #183822 is a reply to message #183820]
Thu, 21 November 2013 21:48
Thomas 'PointedEars'
Jason C wrote:
> I have a script that's constantly under attack by hackers submitting odd
s/hackers/crackers/
Rule of thumb: Hackers build, crackers (attempt to) destroy.
> queries. My script is tight enough that it's not been a problem, but
> still, it's annoying.
>
> Just for the sake of peace of mind, how can I check for any $_GET key
> that's not allowed (in which case I can kill the script from the
> beginning)?
<http://php.net/isset>
<http://php.net/array_key_exists>
However, your problem more likely is having register_globals=on when it
should be off; not validating user input, inviting SQL injection; and so on.
<https://owasp.org/>
PointedEars
--
Prototype.js was written by people who don't know javascript for people
who don't know javascript. People who don't know javascript are not
the best source of advice on designing systems that use javascript.
-- Richard Cornford, cljs, <f806at$ail$1$8300dec7(at)news(dot)demon(dot)co(dot)uk>
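As an added example, not code from either post above, here is one way to combine the two suggestions: Salvatore's allow-list of $_GET keys and the input validation PointedEars points to. It also handles two edge cases a key-only check misses: PHP turns integer-looking parameter names into int keys, and a name written as page[] arrives as an array rather than a string. The parameter names (username, password, page), the validators and the sample queries are assumptions chosen for illustration; arrow functions require PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. The parameter names and the
// validators in $schema are assumptions chosen for illustration.

/**
 * Allow-list the query string. Every key must appear in $schema and
 * every value must be a string accepted by that key's validator.
 * Returns [$clean, $errors]; the request is acceptable only if $errors is empty.
 */
function validateQuery(array $query, array $schema): array
{
    $clean  = [];
    $errors = [];

    foreach ($query as $key => $value) {
        // PHP stores integer-looking keys ("?0=x") as int array keys;
        // normalise to string so every comparison below is string vs string.
        $key = (string) $key;

        // Unknown parameter name: reject, do not silently ignore.
        if (!array_key_exists($key, $schema)) {
            $errors[] = "unexpected parameter: $key";
            continue;
        }

        // "?page[]=1" arrives as an array, not a string; a key allow-list
        // alone lets it through and string functions then warn or throw.
        if (!is_string($value)) {
            $errors[] = "parameter $key must be a scalar";
            continue;
        }

        // Per-key value validation: an allowed key is not an allowed value.
        if (!$schema[$key]($value)) {
            $errors[] = "parameter $key failed validation";
            continue;
        }

        $clean[$key] = $value;
    }

    return [$clean, $errors];
}

// Illustrative schema: one validator per permitted parameter name.
$schema = [
    'username' => fn(string $v): bool => preg_match('/\A[a-z0-9_]{3,32}\z/', $v) === 1,
    'password' => fn(string $v): bool => strlen($v) >= 8 && strlen($v) <= 128,
    'page'     => fn(string $v): bool => ctype_digit($v) && (int) $v >= 1 && (int) $v <= 10000,
];

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['username' => 'jason', 'page' => '3'],       // well-formed: accepted
    ['username' => 'jason', 'id' => '1 OR 1=1'],  // unknown key: rejected
    ['page' => ['1']],                            // array value: rejected
    [0 => 'x'],                                   // integer key: rejected
    ['page' => '0'],                              // allowed key, bad value: rejected
];

foreach ($samples as $q) {
    [$clean, $errors] = validateQuery($q, $schema);
    if ($errors !== []) {
        // In a request handler this is where you would send 400 and exit.
        echo 'reject: ', implode('; ', $errors), PHP_EOL;
    } else {
        echo 'accept: ', http_build_query($clean), PHP_EOL;
    }
}
```

In a real script you would pass $_GET instead of the constructed samples and, when $errors is non-empty, call http_response_code(400) and exit before any other code runs. The register_globals setting PointedEars mentions is a php.ini option rather than something this code can check; it was removed altogether in PHP 5.4.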

Re: Check if $_GET contains something other than what's allowed [message #183825 is a reply to message #183822]
Thu, 21 November 2013 22:16
Jerry Stuckle
On 11/21/2013 4:48 PM, Thomas 'PointedEars' Lahn wrote:
> Jason C wrote:
>
>> I have a script that's constantly under attack by hackers submitting odd
>
> s/hackers/crackers/
>
> Rule of thumb: Hackers build, crackers (attempt to) destroy.
>
No, hackers is the correct term. You really should learn to understand
English before correcting a native speaker of it.
>> queries. My script is tight enough that it's not been a problem, but
>> still, it's annoying.
>>
>> Just for the sake of peace of mind, how can I check for any $_GET key
>> that's not allowed (in which case I can kill the script from the
>> beginning)?
>
> <http://php.net/isset>
> <http://php.net/array_key_exists>
>
> However, your problem more likely is having register_globals=on when it
> should be off; not validating user input, inviting SQL injection; aso.
>
There is no indication in his update that ANY of this is true. In fact,
his update seems to indicate exactly the opposite.
> <https://owasp.org/>
>
>
> PointedEars
>
Not everyone is as dense as you.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

"Hackers" vs. "Crackers" (was: Re: Check if $_GET contains something other than what's allowed) [message #183857 is a reply to message #183825]
Fri, 22 November 2013 16:36
Arno Welzel
Jerry Stuckle, 2013-11-21 23:16:
> On 11/21/2013 4:48 PM, Thomas 'PointedEars' Lahn wrote:
>> Jason C wrote:
>>
>>> I have a script that's constantly under attack by hackers submitting odd
>>
>> s/hackers/crackers/
>>
>> Rule of thumb: Hackers build, crackers (attempt to) destroy.
>>
>
> No, hackers is the correct term. You really should learn to understand
> English before correcting a native speaker of it.
<http://www.oxforddictionaries.com/definition/english/hacker?q=hacker>
<http://www.oxforddictionaries.com/definition/english/hacker?q=cracker>
Seems the official meaning of both words is the same.
And <http://en.wikipedia.org/wiki/Hacker> shows, there is much more
about this topic than a simple "hackers are people attacking computer
systems".
Anyway - "hacker" originally just referred to computer enthusiasts
"hacking" on their keyboards. Also see "Hackers: Heroes of the Computer
Revolution" by Steven Levy, ISBN 0-385-19195-2.
Some hackers *also* used their skills to gain access to systems with
poor or no special protection at all and some also sold the acquired
data - but this does not mean that a "hacker" is always a bad guy.
Later "hacking" also became the synonym for using technology in new ways
- a "hack" is just another creative use for existing technology or to
deal with technical limitations.
On the other hand, "cracking" originally referred to "cracking" copy
protections in computer games. In the 1980s there were a number of
popular "Cracker Groups", for example:
<http://csdb.dk/search/advancedresult.php?form[category]=groups&group_type[]=2>
Later "cracker" was also used as a synonym for "bad" hackers with
criminal intents. But today many people just say "hacker" when they
actually mean "black hat" or "script kiddie".
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de

Re: "Hackers" vs. "Crackers" [message #183860 is a reply to message #183857]
Fri, 22 November 2013 18:52
Jerry Stuckle
On 11/22/2013 11:36 AM, Arno Welzel wrote:
> Jerry Stuckle, 2013-11-21 23:16:
>
>> On 11/21/2013 4:48 PM, Thomas 'PointedEars' Lahn wrote:
>>> Jason C wrote:
>>>
>>>> I have a script that's constantly under attack by hackers submitting odd
>>>
>>> s/hackers/crackers/
>>>
>>> Rule of thumb: Hackers build, crackers (attempt to) destroy.
>>>
>>
>> No, hackers is the correct term. You really should learn to understand
>> English before correcting a native speaker of it.
>
> <http://www.oxforddictionaries.com/definition/english/hacker?q=hacker>
> <http://www.oxforddictionaries.com/definition/english/hacker?q=cracker>
>
> Seems the official meaning of both words is the same.
>
Which means Pointed Head's correction was WRONG. And "Hackers" is much
more recognized and used than "crackers". But once again, a non-native
English speaker is trying to correct a native English speaker.
> And <http://en.wikipedia.org/wiki/Hacker> shows, there is much more
> about this topic than a simple "hackers are people attacking computer
> systems".
>
> Anyway - "hacker" originally just referred to computer enthusiasts
> "hacking" on their keyboards. Also see "Hackers: Heroes of the Computer
> Revolution" by Steven Levy, ISBN 0-385-19195-2.
>
Yes, and "Hello" was originally an exclamation of surprise. Word
definitions change.
> Some hackers *also* used their skills to gain access to systems with
> poor or no special protection at all and some also sold the acquired
> data - but this does not mean that a "hacker" is always a bad guy.
>
I never said it did.
> Later "hacking" also became the synonym for using technology in new ways
> - a "hack" is just another creative use for existing technology or to
> deal with technical limitations.
>
That term was popular long before computers came into popularity.
> On the opposite - "cracking" originally referred to "crack" copy
> protections in computer games. In the 1980ies there where a number of
> popular "Cracker Groups", for example:
>
> <http://csdb.dk/search/advancedresult.php?form[category]=groups&group_type[]=2>
>
> Later "cracker" was also used as a synonym for "bad" hackers with
> criminal intents. But today many people just say "hacker" when they
> actually mean "black hat" or "script kiddie".
>
>
"Black Hat" and "Script Kiddie" have different meanings, and are a
subset of hackers. "Black Hat" originally referred to spies. And
"script kiddies" may or may not be bad guys. Richard, for instance.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Re: "Hackers" vs. "Crackers" [message #183983 is a reply to message #183979]
Sat, 30 November 2013 14:30
Thomas 'PointedEars'
Steve wrote:
> Hardware hackers are the opposite of software hackers.
Nonsense.
PointedEars
--
Sometimes, what you learn is wrong. If those wrong ideas are close to the
root of the knowledge tree you build on a particular subject, pruning the
bad branches can sometimes cause the whole tree to collapse.
-- Mike Duffy in cljs, <news:Xns9FB6521286DB8invalidcom(at)94(dot)75(dot)214(dot)39>

Re: "Hackers" vs. "Crackers" [message #183988 is a reply to message #183983]
Sat, 30 November 2013 16:33
The Natural Philosoph
On 30/11/13 14:30, Thomas 'PointedEars' Lahn wrote:
> Steve wrote:
>
>> Hardware hackers are the opposite of software hackers.
>
> Nonsense.
>
bent noses are the opposite of pointed ears.
>
> PointedEars
>
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.

Re: "Hackers" vs. "Crackers" [message #183991 is a reply to message #183986]
Sat, 30 November 2013 16:51
The Natural Philosoph
On 30/11/13 14:58, Steve wrote:
> In article <l7cql2$ueg$1(at)dont-email(dot)me>, jstucklex(at)attglobal(dot)net (Jerry
> Stuckle) wrote:
>
>> *Subject:* Re: "Hackers" vs. "Crackers"
>> *From:* Jerry Stuckle <jstucklex(at)attglobal(dot)net>
>> *Date:* Sat, 30 Nov 2013 08:53:37 -0500
>>
>> On 11/30/2013 6:49 AM, Steve wrote:
>>> In article <l6o95r$te7$1(at)dont-email(dot)me>, jstucklex(at)attglobal(dot)net
>>> (Jerry
>>> Stuckle) wrote:
>>>
>>>> *Subject:* Re: "Hackers" vs. "Crackers"
>>>> *From:* Jerry Stuckle <jstucklex(at)attglobal(dot)net>
>>>> *Date:* Fri, 22 Nov 2013 13:52:38 -0500
>>>>
>>> Hardware hackers are the opposite of software hackers.
>>>
>>> http://hackaday.com
>>>
>>
>> Who's talking about hardware hackers?
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstucklex(at)attglobal(dot)net
>> ==================
>>
> Somebody further up the thread suggested that hackers build.
>
> I was just pointing out that hardware hackers do, software hackers don't.
>
and even then you were wrong.
Hacking is, or was, simply 'building without a formal specification'; that
is, you knocked something up and 'hacked' at it until it resembled what
you were trying to achieve. A bit like sculpting.
Iterative design is the technical term :-)
Any decent software or hardware person has done it. It pays when the
overhead of doing the design exceeds the time taken to hack away and get
somewhere. Most successful designs are a mixture of both.
Keith Duckworth on the Cosworth V8 engine development: "we just hacked
off metal from the crankcase to reduce weight till it broke, then we'd
put that bit back and try somewhere else"
Software hacking is no different. Think of a part of the problem, you
know how to solve. Write that. Then decide what else you need. What you
have already written defines the interface to that, and means your
problem is already bounded. Hack code until what you have fits with the
first hack, and solves another bit. Repeat till it all works, then give
it to test and see where it breaks, then add bits back till it doesn't.
Then sell and wait for the bug reports. Anyone who thinks Microsoft
Windows wasn't written that way has never disassembled it.
Exactly the same is true of a Porsche sports car. Take a lousy swing-axled
cheap nightmare of a car - a Volkswagen Beetle - and tune it up till it
breaks, and keep adding bits over a period of 30 years till it really
actually does go quite fast and not break that often. Yes, it's still a
tricky, evil, tail-happy bitch of a car to drive, so give your customers
lessons in how to handle it, hack in some traction control and a lot of
electronics, and pretend it's more advanced than a car that doesn't need
all that to be safe to drive...
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.

Re: "Hackers" vs. "Crackers" [message #183993 is a reply to message #183988]
Sat, 30 November 2013 17:13
Doug Miller
The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote in news:l7d40j$rds$2@news.albasani.net:
> On 30/11/13 14:30, Thomas 'PointedEars' Lahn wrote:
>> Steve wrote:
>>
>>> Hardware hackers are the opposite of software hackers.
>>
>> Nonsense.
>>
> bent noses are the opposite of pointed ears.
Dollars to doughnuts he doesn't get the reference. (English is not PointedHead's first
language, and he doesn't understand it nearly as well as he thinks he does.)