Re: Good Answers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/10/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
Hey y'all...

In the spirit of improving the mailing list, I'd like to suggest that
we, as a group, attempt to not provide answers with Bad Practices, or
at least always to point out that the Sample is Bad Practice for
production sites?

For example, an answer to a question about <?php echo $foo?> where it
is clear that register_globals is "off" should either specifically
sanitize the data, or make reference to the need to sanitize the data,
or link to http://phpsec.org or something along those lines.

Otherwise, we merely perpetuate the problems of Bad Code with our
answers to newbies, who then run off and write insecure sites and
cause us more grief down the road.

Hmmm.  Maybe this should be part of a Netiquette document "How to give
good answers" right next to that "How to ask good questions" document
:-^

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


I agree with this 100%.  I know as I started with PHP years ago I
though "Great! Here is a perfect snipplet that works for what I need
to make my site wrapper!"  Didn't take long to learn that snipplet
that I found on Google was just screaming to include remote code. ;)

How was I to know when I was just playing around for the first time
making a dynamic site that passing ?page=x could allow people to run
PHP code on my site through an include.  Nowhere in the tutorial did
it mention anything about remote including.  My guess is that the
author wasn't aware of it either since it was such a small easy thing.

After I realized what was going on I made it a point to read as much
as I could understand into code security.  The hardest part for me is
trying to get out of the mindset of making the script work, but rather
into the mindset of if someone were trying to exploit my script, what
can they possibly do?  Once I did that I was able to see that not
forcing ?id=x to use $id = (int)$_GET['id'] could get me into trouble
if I wasn't fortunate enough to have mod_security enabled on our
server.

I'm sure this is very obvious to most of you and that is great.  But
people asking for help really aren't up there yet and need guidance in
these issues because they don't even know to consider these things.  I
still see so many examples passed on that have the ability to inject
SQL or spam via E-Mail Header injection.  I mean to be fair the php
manual never mentions that if you don't protect the parameters going
into mail() injection is possible.

I know the argument always ends up being "The language is there, you
need to protect yourself from shooting your own foot."  But isn't PHP
so popular because the barrier into programming with it so low?

I guess all I can say is thank you for this mail Richard and I'll try
and do my part. :)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux