secure strings

Postby CHUBBYCAT » Thu Dec 30, 2004 6:51 pm

In a form, when I have a text area and the text area only has HTML coding and not something like the following

(the space being called EX)

    <!-- the short tag "<? $_POST['EX'] ?>" printed nothing; it needs "<?php echo" -->
    <input type="text" name="<?php echo $_POST['EX']; ?>great">


will a configuration using the string

$EX

be secure?

Postby Alexej Kubarev » Fri Dec 31, 2004 3:15 am

Is the $ex variable a POST variable or a GET variable?

If it's GET ($_GET): 100% not secure. If it's POST ($_POST) it's not secure either, as I can submit from my page to your page... and therefore the name will be changed... However, you may use it, as it should pose no threat whatsoever if you code well and think through all the possible algorithms..

Postby CHUBBYCAT » Fri Dec 31, 2004 8:10 am

1) The $EX is a POST variable.

2) So I should keep it as

    $_POST['EX']

in the input and the configuration page?

Postby Alexej Kubarev » Fri Dec 31, 2004 9:07 am

Well... as I said.. if I know the name of your POST variable I can easily change it to some other name and give it a value..

The thing is that it wouldn't give me anything.. or it will... but that's not the point..

My rule is: "NEVER trust user input" -- this goes for the POST and GET variables..

Therefore try to use $_POST as little as possible...

Postby CHUBBYCAT » Fri Dec 31, 2004 9:44 am

Well, EX actually is the variable (it's for BM IIDX).

So use $_POST['EX'] on the text space,
but in the config use $_GET['EX']?

Postby Alexej Kubarev » Fri Dec 31, 2004 10:01 am

Okej.. GET will be even worse, since it could be whatever a user wants... so think about it... if you are using EX in the query => your script is not "SQL injection-safe"..

In most other cases it's no problem though..
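An added example, not code from the thread, showing the EX value handled safely in both places the replies above point at: the HTML attribute it is echoed into and the query it ends up in. It assumes an existing PDO connection in $pdo and a hypothetical table configs with a column ex.

```php
<?php
// Added example (not from the thread). Assumes $pdo is a PDO connection and
// that a table "configs" with column "ex" exists (both hypothetical).
declare(strict_types=1);

// Read the raw POST value once; everything else derives from it.
$ex = (isset($_POST['EX']) && is_string($_POST['EX'])) ? $_POST['EX'] : '';

// 1) Validate against an allow-list of what EX may look like. Rejecting
//    anything outside the expected format is safer than hunting for bad
//    characters. Adjust the pattern to the real format of EX.
if ($ex !== '' && !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $ex)) {
    http_response_code(400);
    exit('Invalid EX value');
}

// 2) HTML context: never echo the raw value into an attribute. A quote
//    character in the value would otherwise end the attribute early and
//    let the rest be interpreted as markup. ENT_QUOTES covers both " and '.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>
<input type="text" name="<?php echo attr($ex); ?>great">
<?php
// 3) SQL context: bind the value as a parameter instead of concatenating it
//    into the query text, so the input can never change the statement itself.
$stmt = $pdo->prepare('SELECT setting FROM configs WHERE ex = :ex');
$stmt->execute([':ex' => $ex]);
$setting = $stmt->fetchColumn();
```

The validation step is the one that applies to both GET and POST alike; the escaping and parameter binding depend on where the value is used, not where it came from.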
