secure strings


CHUBBYCAT
New php-forum User


Post by CHUBBYCAT » Thu Dec 30, 2004 6:51 pm

In a form, when I have a text area, and the text area only has HTML code in it and not something like the following

(the space being called EX)

Code:

<!-- the POST value is written straight into the attribute, unescaped -->
<input type="text" name="<?php echo $_POST['EX']; ?>great">


will a configuration using the string

$EX

be secure?

Alexej Kubarev
Site Admin

Post by Alexej Kubarev » Fri Dec 31, 2004 3:15 am

Is the $ex variable a POST variable or a GET variable?

If it's GET ($_GET): 100% not secure. If it's POST ($_POST), it's not secure either, as I can submit from my page to your page... and therefore the name will be changed... However, you may use it, as it should pose no threat whatsoever if you code well and think through all the possible algorithms.

CHUBBYCAT
New php-forum User

Post by CHUBBYCAT » Fri Dec 31, 2004 8:10 am

1) The $EX is a POST variable.

2) So I should keep it as

Code:

$_POST['EX']

in the input and the configuration page?

Alexej Kubarev
Site Admin

Post by Alexej Kubarev » Fri Dec 31, 2004 9:07 am

Well... as I said, if I know the name of your POST variable I can easily change it to some other name and give it a value.

The thing is that it wouldn't give me anything... or it will... but that's not the point.

My rule is: "NEVER trust user input" -- this goes for the POST and GET variables.

Therefore try to use $_POST as little as possible...

CHUBBYCAT
New php-forum User

Post by CHUBBYCAT » Fri Dec 31, 2004 9:44 am

Well, EX actually is the variable (it's for BM IIDX).

So use $_POST['EX'] on the text space,
but in the config use $_GET['EX']?

Alexej Kubarev
Site Admin

Post by Alexej Kubarev » Fri Dec 31, 2004 10:01 am

OK... GET will be even worse, since it could be whatever a user wants... so think about it... if you are using EX in the query => your script is not "SQL injection-safe".

In most other cases it's no problem though.
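The replies above make three points without showing code: the EX value is attacker-controlled whether it arrives by GET or POST, a form can be submitted to your page from someone else's page, and using EX unescaped in a query leaves the script open to SQL injection. The following is an added example, not code posted in this thread and not from any BM IIDX project, showing how a practitioner would handle all three in PHP. The table name `scores`, the digits-only rule for EX, the `csrf` field and the use of `$_SESSION`-style storage are assumptions made for the example; the attacker request is constructed.

```php
<?php
// Added example, not code from the original thread. Shows the three things the
// replies warn about for a field named EX: the value is attacker-controlled
// (GET or POST), it must be escaped before it goes into HTML, and it must be
// bound, never interpolated, in SQL. The table name "scores", the digits-only
// rule for EX and the "csrf" field are assumptions made for this example.
declare(strict_types=1);

// 1. Validate: take the value from the request array only if it looks like
//    what the field is for. Everything else becomes null.
function readEx(array $request): ?string
{
    if (!isset($request['EX']) || !is_string($request['EX'])) {
        return null;
    }
    $ex = trim($request['EX']);
    // Assumed rule: an EX score is 1 to 5 digits.
    return preg_match('/^[0-9]{1,5}$/', $ex) === 1 ? $ex : null;
}

// 2. Output: the field name stays fixed (user input must not name the field);
//    the value is escaped for an attribute context with ENT_QUOTES so a
//    double quote cannot close the attribute.
function exInputHtml(?string $ex): string
{
    $safe = htmlspecialchars($ex ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="EX" value="' . $safe . '">';
}

// 3. Storage: a prepared statement with a bound parameter, so the value can
//    never change the shape of the query.
function saveEx(PDO $db, string $ex): void
{
    $stmt = $db->prepare('INSERT INTO scores (ex) VALUES (:ex)');
    $stmt->execute([':ex' => $ex]);
}

// 4. A submission forged from another site carries no token from this site's
//    session, so the check fails closed. $session stands in for $_SESSION.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function checkCsrfToken(array $session, array $request): bool
{
    return isset($session['csrf'], $request['csrf'])
        && is_string($request['csrf'])
        && hash_equals($session['csrf'], $request['csrf']);
}

// ----- demonstration on constructed input -----
$session = [];
$token = issueCsrfToken($session);

// Constructed attacker request: attribute breakout plus an SQL fragment, and
// no CSRF token.
$attack = ['EX' => '"><script>alert(1)</script>\'; DROP TABLE scores;--'];
var_dump(checkCsrfToken($session, $attack));   // bool(false)
echo exInputHtml($attack['EX']), PHP_EOL;       // quotes and brackets come out entity-encoded
var_dump(readEx($attack));                      // NULL: fails the digits-only rule

// Constructed legitimate request: passes validation and the token check.
$good = ['EX' => '1234', 'csrf' => $token];
var_dump(checkCsrfToken($session, $good));      // bool(true)
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE scores (ex TEXT NOT NULL)');
saveEx($db, readEx($good));
var_dump($db->query('SELECT ex FROM scores')->fetchColumn()); // string(4) "1234"
```

The order matters: the token check runs before anything else, validation rejects input that does not fit the field, escaping happens at the point of output in the context it is written into (here an attribute, hence ENT_QUOTES), and the database only ever sees the value through a bound parameter. Whether the value came from $_GET or $_POST makes no difference to any of these steps.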

