quoth the Jason Barnett:
> Darren Kirby wrote:
> > The problem is that after playing around with this a bit, it is clear
> > that someone can craft a url with an arbitrary $postid that is not in the
> > database yet. Now naively, it would seem that the worst someone could do
> > is just create arbitrary entries in the DB that may come back to bite me
> > when I actually _use_ the arbitrary postid down the road.
>
> Well a couple of things that I can think of here...
> - Doing this seems like an easy way to get "orphaned" posts i.e. blogs
>   that are stored in the database, but because there is no thread that
>   corresponds to this blog then it would be a waste of DB storage
> - Might allow a malicious user to change an already-created post. They
>   might even be able to stick in some PHP / Javascript code that could
>   compromise the security of anyone that happens to read that blog!

Well, I did make sure to scrub the input so that code tags are turned into
character entities. Again, I am naive on such things but my understanding is
that this will take care of '<?php ?>' or <script> 'tags'.

> > What I want to do is make sure that someone cannot create a post with a
> > $postid value greater than the largest $postid I have used so far.
>
> And you want to be sure that they cannot create a post with a $postid
> that has already been used.
>
> How about... instead of generating *any* $postid in your form, you just
> let MySQL handle it when it's ready to insert a new message. Just have
> the ID be an auto-increment in the DB... and this ID never needs to go
> to the browser (unless you're allowing a user to edit their *own* post).
> In the case of an edit you then check that the username in MySQL
> matches the username attached to the $_SESSION (or just don't let people
> edit ;)
>
> Again... unless I'm missing something here the only thing you might want
> to send into a form / validate on the server would be a "thread ID" to
> figure out which thread this post belongs to.

Well, the $postid variable _is_ the thread id. The thread id is not unique
to each comment, only to each original blog entry (which I add manually to
the static page). So $postid's purpose is only to tell php and the DB which
blog entry the comment is attached to.

Here's what my table looks like:

| id      | mediumint(10) (auto_increment) |
| name    | varchar(30) binary             |
| email   | varchar(30)                    |
| url     | varchar(30)                    |
| postid  | mediumint(10)                  |
| message | text                           |
| date    | varchar(30)                    |

So when I display the comments, for each blog entry I just use:

    mysql_query("SELECT * FROM comment_table WHERE postid='$postid' ORDER BY id");

So the problem remains, there is nothing in the DB that would indicate the
highest valid postid number, because until someone actually leaves a
comment, the corresponding postid doesn't exist in the DB. Like I said, I'm
sure I could have designed the table better, but I am just playing here
really.

What I have done in the interim is add:

    $num_entries = 11;
    if ($postid > $num_entries) {
        print('sorry bud...nice try');
        return;
    }

But this is inelegant because I have to manually update the value of
$num_entries every time I add a new one. I should be able to live with this
though, it does the trick all right.

Thanks for all your help,
Darren

--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
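One way to close the gap discussed in this exchange, as an added example that is not Darren's code or anything from the thread: keep a table of real blog entries as the source of truth for valid thread ids, check the submitted $postid against it, and bind every user value as a parameter so nothing is interpolated into SQL. The table name blog_entries, the PDO connection and the form field names are assumptions.

```php
<?php
// Added example (not from the thread): validate a comment's postid against a
// table of real blog entries and bind parameters so $postid is never
// interpolated into SQL. Table names and the PDO connection are assumptions.
function addComment(PDO $db, array $form): bool
{
    // Reject anything that is not a positive integer before touching the DB.
    $postid = filter_var($form['postid'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($postid === false) {
        return false;
    }
    // The valid thread ids live in the DB, so no hand-maintained $num_entries
    // is needed: a postid is valid only if a blog entry with that id exists.
    $check = $db->prepare('SELECT 1 FROM blog_entries WHERE id = :id');
    $check->execute([':id' => $postid]);
    if ($check->fetchColumn() === false) {
        return false; // unknown thread: refuse to create an orphaned comment
    }
    // Bound parameters: user-supplied values reach MySQL as data only.
    $ins = $db->prepare(
        'INSERT INTO comment_table (name, email, url, postid, message, date)
         VALUES (:name, :email, :url, :postid, :message, :date)'
    );
    return $ins->execute([
        ':name'    => mb_substr((string)($form['name'] ?? ''), 0, 30),
        ':email'   => mb_substr((string)($form['email'] ?? ''), 0, 30),
        ':url'     => mb_substr((string)($form['url'] ?? ''), 0, 30),
        ':postid'  => $postid,
        ':message' => (string)($form['message'] ?? ''),
        ':date'    => date('Y-m-d H:i:s'),
    ]);
}

function renderComments(PDO $db, int $postid): string
{
    $sel = $db->prepare(
        'SELECT name, message FROM comment_table WHERE postid = :id ORDER BY id');
    $sel->execute([':id' => $postid]);
    $html = '';
    foreach ($sel as $row) {
        // Escape on output too, so stored <script> text renders as text.
        $html .= '<p><b>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
               . '</b>: ' . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8')
               . "</p>\n";
    }
    return $html;
}
```

Call addComment($db, $_POST) from the form handler; with PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION a failed insert throws rather than returning false.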