IRC Archive / Freenode / #php / 2006 / February / 20 / 1
verbatim
regarding $_GET and $_POST security, is it sufficient to have a foreach() loop to go through all post and get values, and remove any offending code?
or can this measure be circumvented?
domas
well, that depends how good your 'offending code' detector is
Stormchaser
'offending code'?
verbatim
ie if someone tries to inject code
Bizzy
there is no difference between post and get, apart from you can usually see the get stuff in the browser
post is just as visible if you want to see it
domas
Bizzy: and people can see get line in referrers...
Bizzy
and just as changeable
verbatim
yes
Dwonis
Bizzy: and stuff in $_GET shows up in referrer logs
Dae
Bizzy, not true. GET resources should have no impact on server (e.g., read only)
Stormchaser
Bizzy: "javascript"
verbatim
ok so, what kind of things should i check in $_GET and post?
single quotes, ;
domas
verbatim: any data, that is not valid
Bizzy
speaking of this
Dae
Having fun links like delete.php?item_id=10 has played some evil tricks on people with prefetching.
Bizzy
what's the best way to take a $_GET string and put it in a mysql query without being caught up in an sql injection hole
domas
Bizzy: mysql_real_escape_string
damnit!!!!
Stormchaser
If you're deleting items, _MAKE SURE_, that user has sufficient level to do so.
domas
if you're deleting items, ask for confirmation.
Dae
If you're deleting items, use POST.
domas
just 'sufficient level' - asking for XSS.
Stormchaser
Dae: Why?
domas
Dae: well, doesn't help with XSS :-)
Stormchaser
domas: How is that asking for XSS?
AcidReign
Dae: not having a confirmation on deletion is quite stupid
Bizzy
deleting will always be done via the admin panel, which uses a .htaccess password
Dae
Stormchaser: GET should be "always ok" to do. Prefetching (Firefox, Google toolbars, ISP caches) should be free to prefetch GET resources.
DeltaF
Not necessarily stupid. Potentially cruel. :)
domas
Stormchaser: if cookies are used for sessions, pointing user to your page, showing a joke, deleting his data at that time.
AcidReign
delete?id=X should never actually delete something, you should have to confirm first :-)
Stormchaser
domas: "SSL"
domas
Stormchaser: won't help you with XSS
Stormchaser
sure it will
domas
Stormchaser: no it won't
Stormchaser
domas: Have you read on session fixation?
Bizzy
domas: so $somestr = mysql_real_escape_string($_GET['s']); and that will kill off sql injection?
Stormchaser
yes
domas
Stormchaser: XSS is not about hijacking sessions by sniffing protocol. XSS is ... executing script remotely.
in the context of _other_ site
MrNaz
if i have 2 variables, they are both string, but contain numeric values (e.g., var_dump() outputs: string(2) => '22' ) what's the best way to perform arithmetic on them?
Bizzy
intval()
AcidReign
MrNaz: $a = $b + $c
MrNaz
Bizzy string(4) "8.70"
domas
Stormchaser: so if I have .jpg page which is actually frameset, which shows a nice joke in one frame and submits lots of delete queries in another...
JSDude
How do you check if a cookie exists using PHP
MrNaz
AcidReign i'm using 4.4.x that's just outputting zero
domas
Stormchaser: neither session fixation, nor SSL would help. confirmation would.
JSDude
if($_COOKIE[name]) doesn't work for me
domas
JSDude: $_COOKIE ?
JSDude
it's returning true even if it doesn't exist
Stormchaser
domas: Aha... I see...
MrNaz
AcidReign nvm me i'm an idiot
Stormchaser
(Action) is lucky to do that EVERY time :)
domas
to do what? :)
Stormchaser
confirmation-before-deletion
AcidReign
(see my statements above!)
domas
heh.
Bizzy
but, any sql injection, can delete
Stormchaser
AcidReign: ...as said... :)
AcidReign
hell, you should confirm on updates half the time...
any kind of batch update (i.e. changing contant info)
s/batch/multiple field/
Bizzy
SELECT * FROM `poo` WHERE id > $p where $p is 0; DELETE FROM `poo` WHERE id > -1
domas
well. you may have application confirming it for you
Stormchaser
!tell Bizzy about sql injection
domas
Stormchaser: btw, confirmation with action=delete&confirmed=true doesn't count ;-)
JSDude
I'm doing <?= ($_COOKIE['username'] != '') ? 'none' : 'block' ?>
Dae
Bizzy: if id has to be an integer, force it to be an integer.
JSDude
and it's returning block whether the cookie exists or not
Stormchaser
domas: I'm aware of that...
Bizzy
yes, that was just a basic example
`wtf
sql injection is no joke. vgmix.com just got majorly hacked up due to simple injection exploits
Bizzy
to show that a non-delete, so non-confirm query, can have a delete
domas
oh noes, vgmix.com, what a tragedy
`wtf
rofl, still funny
Stormchaser
*whew* I'm happy it's not vgcats :)
domas
there's easy way how to avoid sql injections. do not build queries yourself.
`wtf
that or mysql real escape
Dae
PDO++
`wtf
and intval
JSDude
anybody?
domas
(Action) hugs mediawiki's Database.php ;-)
verbatim
hey
Bizzy
I'm trying to make this guy i know move away from phpnuke, i injected myself as admin, and put the site into offline mode
verbatim
can you have nested <ul> ?
Dae
<ul> can be nested inside <li>
`wtf
Bizzy, know some good phpnuke exploits?
verbatim
<ul><li></li> <ul><li></li> </li>
ohhh i see
thank you dae
Bizzy
he won't believe it is because phpnuke is terrible
`wtf: he was using 7.0
stuff for that is all over the internet
`wtf
ah, too bad
Dae
Any software that has gone through 7 or more versions in just a few years would make me wonder...
AcidReign
Bizzy: tell him that 449 people told him he's an idiot.
(I hope everyone doesn't mind that I speak for them!)
Stormchaser
lol
Bizzy
AcidReign: he updated to latest pay version (he made the club he is running it for pay for it)
domas
Bizzy: tell him to use mediawiki! :)
Bizzy
I'm just looking for a source of sql injects for that
Stormchaser
Bizzy: You shouldn't ask those questions *here*
Bizzy
I'm not asking for them
`wtf
hmm, there's this site i know of that might be exploitable. i wonder how to tell which version
Bizzy
I'm just stating that I'm on the lookout for them
`wtf
only cause it was set up a year ago
Bizzy
meh
domas
well, those exploits have nothing common with PHP anyway
Bizzy
crappy laptop non-natural keyboard
domas
I guess that's slight offtopic ;-)
`wtf
exploits are a pretty important topic in php
domas
exploits or secure coding practices?
`wtf
same diff
Stormchaser
secure coding practices
Dae
No, not quite.
Stormchaser
`wtf: no
Bizzy
exploits because of bad coding practices
domas
'same difference'?
`wtf
yep
domas
what a strange construct
`wtf
it's like saying boats have nothing to do with the sea
Bizzy
domas: it's a pretty common saying
Dae
Bizzy: that doesn't mean it makes sense
`wtf
it's pop lingo
Bizzy
boats don't have to have anything to do with the sea
`wtf
pwnt
Bizzy
friend of mine has one, never once seen water
except when it rains
domas
well, I've had one, it has been in lake all the time
`wtf
exactly, just like bad coding practices may never see actual exploits
domas
so where were we with secure coding practices
Dae
lakes are suddenly seas?
`wtf
doesn't mean they aren't part of the same topic
domas
Dae: 'is it a lake or a sea' once was quite expensive bet for me =)
Bizzy
if it's landlocked, it's technically a lake
domas
Bizzy: what about lagoon lake?
Bizzy
?
domas
Bizzy: example: Lake Maracaibo
(the one the bet was about, and I didn't lose 100% there ;-)
Bizzy
ill brb
tryin to install php on apache 2 on this pos
wizardx
not hard, I had it on my 333
MrNaz
what's the best way to convert "0.00" or "4.32212" from a string into a value?
Bizzy
i know its not
`wtf
floatval()
nmatrix9
anyone have any recommendations on where to pick up boxes and styrofoam/peanuts packing?
Bizzy
i just HATE HATE HATE normal keyboards, and add even more hates on that for laptop keyboards