(Comments inline)
tedd wrote:
[···]
One last question, considering the above code, would the following code
be a suitable replacement?
<?php
$set = htmlentities($_POST['thestyle']);
setcookie('thestyle', $set, time()+31536000, '/', '', 0);
header("Location: " . $_SERVER['HTTP_REFERER']);
?>
Actually, you receive $set via GET, so you should use $_GET instead of
$_POST. A lot of people use $_REQUEST (which is a combination of $_POST,
$_GET and $_COOKIE -- check the manual), but I read somewhere that this
isn't a good practice, though I don't recall why :p
$set = $_GET['set'];
or even better would be something like
$set = ( isset($_GET['set']) ? $_GET['set'] : $default_value );
I've used htmlentities() before to filter out user's input, but I don't
know if that's sufficient to protect from all types of injections -- is it?
No, it doesn't suffice this way -- it does for the script we're talking
about, but that's because you only use the data as part of the HTML
code, so no more harm can be done with it.
A typical example would be a login script that uses the data as it
arrives, for example:
$login = $_POST['login'];
$passw = $_POST['passw'];
$sql = "SELECT * FROM user\n"
."WHERE( login = '$login' AND passw = '$passw' )";
In this case, what happens if I send something like
login: ' OR '1'='1' OR '0
passw: doesnt care
? (I avoided the ' in the passw, just in case)
Well, we'll end up with an SQL similar to this
SELECT * FROM user
WHERE( login = '' OR '1'='1' OR '0' AND passw = 'doesnt care' )
and because of the priority of the AND / OR, we would have 3 separate
conditions, each enough to validate the user; as '1'='1' is true, we
have a validated user.
Now, if I can do this, I could change the logic a little...
login: admin' AND '1'='1' OR '0
WHERE( login = 'admin' AND '1'='1' OR '0' AND passw = 'doesnt care' )
In this case you should care about ' and " (depending on which one you
are using). Again, I read somewhere that the safest way is to use
(emulated?) "prepared SQL statements", such as the "?" SQL-parameters in
ADODB, PEAR-DB and others.
By the way, even causing an SQL error that is displayed to the user
(the whole message or just a part of it) can reveal info that could be
used to bypass your protection.
--
Sincerely,
J. Rafael Salazar Magaña
Innox - Innovación Inteligente
Tel: +52 (33) 3615 5348 ext. 205 / 01 800 2-SOFTWARE
http://www.innox.com.mx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
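The login query from the mail with the injection payload, shown beside the prepared-statement version the reply recommends, as an added example that is not part of the thread. It assumes PHP's PDO with the SQLite driver and constructs its own two-row user table; with the payload the concatenated query matches every user, while the prepared one matches none and only a real login/password pair matches one row.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database so it runs stand-alone; the user table below is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (login TEXT, passw TEXT)");
$db->exec("INSERT INTO user VALUES ('admin', 'secret'), ('tedd', 'hunter2')");

// Vulnerable: user input is pasted into the SQL text, exactly as in the mail,
// so quotes in the input become part of the query's structure.
function countMatchesConcat(PDO $db, string $login, string $passw): int {
    $sql = "SELECT * FROM user\n"
         . "WHERE( login = '$login' AND passw = '$passw' )";
    return count($db->query($sql)->fetchAll());
}

// Hardened: the same query with "?" parameters. The values are bound
// separately from the SQL text, so a quote in the input is just data.
function countMatchesPrepared(PDO $db, string $login, string $passw): int {
    $stmt = $db->prepare("SELECT * FROM user WHERE( login = ? AND passw = ? )");
    $stmt->execute([$login, $passw]);
    return count($stmt->fetchAll());
}

// Constructed inputs: the two payloads from the mail and a legitimate login.
$payloadAll   = "' OR '1'='1' OR '0";
$payloadAdmin = "admin' AND '1'='1' OR '0";

printf("concatenated, payload 1: %d row(s)\n", countMatchesConcat($db, $payloadAll, 'doesnt care'));
printf("concatenated, payload 2: %d row(s)\n", countMatchesConcat($db, $payloadAdmin, 'doesnt care'));
printf("prepared,     payload 1: %d row(s)\n", countMatchesPrepared($db, $payloadAll, 'doesnt care'));
printf("prepared,     payload 2: %d row(s)\n", countMatchesPrepared($db, $payloadAdmin, 'doesnt care'));
printf("prepared,     real user: %d row(s)\n", countMatchesPrepared($db, 'admin', 'secret'));
```

Run it with the CLI (`php example.php`); the SQLite PDO driver (pdo_sqlite) must be enabled.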