Re: security/sql issues with php

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 21 September 2005 07:45 pm, bruce wrote:
> i agree with what you're saying...
>
> my primary concern was to make sure that there wasn't/isn't something going
> on that i haven't seen... up to know, i'm ok with what you're saying.
>
> however, i still don't have a good answer to my question regarding how easy
> (or hard) it is to detect if a query that should have originated with your
> app's form is coming from a 3rd party/external site?
>
> am i missing something here?
I think it'd be good to point out here that you cannot trust the referral sent 
by the browser. usually yes it's correct however some browsers do not send 
this. plus it can be spoofed. so validating where it came from shouldn't 
really be a thing to consider, because you cannot validate this reliably.
What _does_ matter however is the actual data we got.

>
> -bruce
>
>
>
> -----Original Message-----
> From: Chris Shiflett [mailto:shiflett@xxxxxxx]
> Sent: Wednesday, September 21, 2005 5:27 PM
> To: bedouglas@xxxxxxxxxxxxx
> Cc: 'Robert Cummings'; 'Mikey'; 'PHP Mailing Lists'
> Subject: Re:  security/sql issues with php
>
> bruce wrote:
>  > but in all honesty, if you're going to write an app, and you're going
>  > to do something with the data, it makes sense to me that you
>  > 'know'/ensure that you're dealing with the correct kind of data. as i
>  > see it, this allows you another way (low entropy) to determine that
>  > the information you're getting is correct/valid.
>
> Sure, but it's easy to make a mistake. Previously, you made this statement:
>  > the app could do something like $_GET['username'] =
>  > reg_check($_GET['username'])
>
> Even if reg_check() does a perfect job of filtering the data (I'm
> guessing it returns FALSE if the data is invalid), this practice
> heightens the risk of making an error, becuse you can have code like this:
>
> echo $_GET['username'];
>
> Is that a XSS vulnerability? Any security-conscious developer should
> scream at such code, so by placing filtered data back into an array that
> contains only tainted data deteriorates a developer's suspicion of any
> data within $_GET, $_POST, etc.
>
> In other words, I think the sheer volume of XSS vulnerabilities out
> there demonstrates that it's far too easy to mistakenly trust and use
> tainted data.
>
> Chris
>
> --
> Chris Shiflett
> Brain Bulb, The PHP Consultancy
> http://brainbulb.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux