Re: Newbie: Safe function call to a .inc file outside the web folder

Edward Vermillion wrote:
> I was under the impression that the non-'HTTP_*' keys in the
> $_SERVER array came from the server itself.

All of that data comes from the server, but it's difficult to determine which data can be influenced by information within the HTTP request. In other words, you get it from Apache, but it doesn't always originate there.

I blogged about this a while ago:

http://shiflett.org/archive/98

Read the quiz at the very end, then read Geoff Young's comments.

> I'm curious how 'SERVER_NAME' could be manipulated by the client.

Zeev blogged about this:

http://ibm.com/developerworks/blogs/dw_blog_comments.jspa?blog=481&entry=75480

Another one that surprises a lot of people is $_SERVER['PHP_SELF']:

http://blog.phpdoc.info/archives/13-XSS-Woes.html

> Is there anything in the $_SERVER array that *can* be considered safe?

Yes, but I've just adopted the habit of considering $_SERVER entirely tainted. It's too hard to safely distinguish between what's tainted and what's not, so I think it's best to play it safe and trust nothing.

If you read the above blog at IBM, you'll see that Rasmus disputes Zeev's claim, and Zeev has to explain further. Regardless of who is right (Zeev is, in this particular case), if one of the top PHP core developers gets it wrong, then what hope is there for me? If I consider all of $_SERVER to be tainted, I don't have to worry about making such a mistake.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
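The PHP_SELF case Chris links to, shown as an added example that is not part of the mail above: the helper name server_html is an assumption, not a PHP built-in, and the form markup is a constructed sample.

```php
<?php
// Added example: treat every $_SERVER entry as tainted and escape it for
// the context it lands in, exactly as you would with $_GET or $_POST.

// Hypothetical helper (assumption, not a PHP built-in): read a $_SERVER
// value and escape it for an HTML attribute/body context.
function server_html(string $key, string $default = ''): string
{
    $value = $_SERVER[$key] ?? $default;
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: PHP_SELF is built from the request path, so anything
// a client appends after the script name is reflected into the attribute
// unescaped. Left here as a comment so it never runs.
// <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
?>

<!-- Hardened: same value, escaped for the attribute context. -->
<form action="<?php echo server_html('PHP_SELF'); ?>" method="post">
    <input type="text" name="q">
    <input type="submit" value="Go">
</form>

<!-- Safer still: do not reflect the request at all. An empty action posts
     back to the current URL without touching $_SERVER. -->
<form action="" method="post">
    <input type="text" name="q">
    <input type="submit" value="Go">
</form>

<?php
// The same rule applies to SERVER_NAME when building absolute URLs: prefer
// a value configured on the server side (constructed constant below) over
// anything derived from the request.
const CANONICAL_HOST = 'www.example.com';
$absolute = 'https://' . CANONICAL_HOST . '/login.php';
echo htmlspecialchars($absolute, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

Escaping on output is the fix for the reflection bug; the habit Chris describes is simply never reading $_SERVER without passing it through the same escaping as any other input.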

