Re: setcookie security concerns

As far as I see... I can't see any risk. Cookies are saved in the client machine (i.e. the one visiting your site), so any code he might send will be used with him only, and it will not affect other users nor the scripts in the (remote) server.

Now, you're not using the input value in anything similar to an eval() expression, hence should some PHP code be sent, it would only be printed; no harm in that either.

In spite of all this, I would really recommend you not to rely on register_globals=On, since: it's not a good idea, it's actually deprecated (someday it will be removed) and it makes your code a little bit more confusing, since it's not clear where those variables come from.

> 1. Is he right?
Yes, and no. In your specific case someone _could_ send you code instead of whatever you're expecting (and you don't validate the input), but it would be harmless for anyone other than himself.

Beware that the risk of code inserted in cookies, form-input elements, the query string, etc., is real, and it depends on the way you use the data received, and on whether you check it and how you do it.

> 2. How does that work?
Well, cookies are stored on your (client) machine, so you're able to modify whatever content they have. One way to test this is using Firefox and an extension that allows you to edit cookies, such as "Add N Edit Cookies" (play with the cookie of your own site).

> 3. If so, what do I do to correct this?
Do not rely on register_globals, and don't ever trust any input given by the user; treat all of it as the enemy and check everything that comes to your mind --and more ;)

Note: this is how _I_ see it, so I could be ignoring something that other people did see.

tedd wrote:
Hi:

I've been using a php style switcher allowing users to change css. The code follows:

Within the head tags.

<link rel="stylesheet" type="text/css" media="screen" href="<?php echo (!$thestyle)?'style1':$thestyle ?>.css" >

Within the body tags, allowing the user to select which style they want:

<a href="switch.php?set=style2">Green</a> or <a href="switch.php?set=style1">Red</a>

And, the corresponding (switch.php) php code is:

<?php
setcookie ('thestyle', $set, time()+31536000, '/', '', 0);
header("Location: $HTTP_REFERER");
?>

It's pretty simple. But recently, I had one person hammer me stating it was a security problem because I didn't validate the user input. As such, he says that someone could inject an arbitrary code and cause problems.

1. Is he right?

2. How does that work?

3. If so, what do I do to correct this?

Many thanks for any replies.

tedd
--
Atentamente,
J. Rafael Salazar Magaña
Innox - Innovación Inteligente
Tel: +52 (33) 3615 5348 ext. 205 / 01 800 2-SOFTWARE
http://www.innox.com.mx

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
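
An added example, not code from either poster: one way to apply the advice in the reply to the style switcher from the original message, reading $_GET, $_COOKIE and the Referer explicitly and checking each one before use. It assumes PHP 7.1+ with register_globals off; the host name and the sample requests are constructed, and the helper names are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.1+ and register_globals off.

const ALLOWED_STYLES = ['style1', 'style2'];   // names from the original post
const DEFAULT_STYLE  = 'style1';

// Allowlist check: anything that is not exactly a known name becomes the default.
function pick_style($value): string
{
    return (is_string($value) && in_array($value, ALLOWED_STYLES, true))
        ? $value : DEFAULT_STYLE;
}

// The Referer header is client-controlled too: follow it only when it points
// at this host, and rebuild the target from its path instead of echoing it.
function return_path($referer, string $host): string
{
    $parts = is_string($referer) ? parse_url($referer) : false;
    if (!is_array($parts) || ($parts['host'] ?? '') !== $host) {
        return '/';
    }
    $path = $parts['path'] ?? '/';
    return preg_match('#^/(?!/)[\w./-]*$#', $path) ? $path : '/';
}

// switch.php logic: returns [cookie value, redirect target].
function handle_switch(array $get, array $server, string $host): array
{
    return [pick_style($get['set'] ?? null),
            return_path($server['HTTP_REFERER'] ?? null, $host)];
}

// Head of the page: read $_COOKIE explicitly, validate again, escape on output.
function stylesheet_link(array $cookie): string
{
    $style = htmlspecialchars(pick_style($cookie['thestyle'] ?? null), ENT_QUOTES, 'UTF-8');
    return "<link rel=\"stylesheet\" type=\"text/css\" media=\"screen\" href=\"$style.css\">";
}

// Constructed inputs: a normal request and one with unexpected values.
$host  = 'www.example.com';
$cases = [
    [['set' => 'style2'], ['HTTP_REFERER' => 'http://www.example.com/page.php'], ['thestyle' => 'style2']],
    [['set' => 'style9"x'], ['HTTP_REFERER' => 'http://other.example/page.php'], ['thestyle' => '../x']],
];
foreach ($cases as [$get, $server, $cookie]) {
    [$style, $target] = handle_switch($get, $server, $host);
    // In switch.php: setcookie('thestyle', $style, time() + 31536000, '/', '', false, true);
    //                header('Location: ' . $target);
    echo "cookie=$style redirect=$target\n", stylesheet_link($cookie), "\n";
}
```

The cookie is validated a second time when the page is rendered because the browser can send back any value, whatever switch.php originally set.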


