On 5/10/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
Hey y'all... In the spirit of improving the mailing list, I'd like to suggest that we, as a group, attempt to not provide answers with Bad Practices, or at least always to point out that the Sample is Bad Practice for production sites?

For example, an answer to a question about <?php echo $foo?> where it is clear that register_globals is "off" should either specifically sanitize the data, or make reference to the need to sanitize the data, or link to http://phpsec.org or something along those lines.

Otherwise, we merely perpetuate the problems of Bad Code with our answers to newbies, who then run off and write insecure sites and cause us more grief down the road.

Hmmm. Maybe this should be part of a Netiquette document "How to give good answers" right next to that "How to ask good questions" document :-^

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
I agree with this 100%. I know as I started with PHP years ago I thought "Great! Here is a perfect snippet that works for what I need to make my site wrapper!" Didn't take long to learn that snippet that I found on Google was just screaming to include remote code. ;)

How was I to know when I was just playing around for the first time making a dynamic site that passing ?page=x could allow people to run PHP code on my site through an include. Nowhere in the tutorial did it mention anything about remote including. My guess is that the author wasn't aware of it either since it was such a small easy thing.

After I realized what was going on I made it a point to read as much as I could understand into code security. The hardest part for me is trying to get out of the mindset of making the script work, but rather into the mindset of if someone were trying to exploit my script, what can they possibly do? Once I did that I was able to see that not forcing ?id=x to use $id = (int)$_GET['id'] could get me into trouble if I wasn't fortunate enough to have mod_security enabled on our server.

I'm sure this is very obvious to most of you and that is great. But people asking for help really aren't up there yet and need guidance in these issues because they don't even know to consider these things. I still see so many examples passed on that have the ability to inject SQL or spam via e-mail header injection. I mean to be fair the PHP manual never mentions that if you don't protect the parameters going into mail() injection is possible.

I know the argument always ends up being "The language is there, you need to protect yourself from shooting your own foot." But isn't PHP so popular because the barrier into programming with it is so low?

I guess all I can say is thank you for this mail Richard and I'll try and do my part. :)
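As an added example (not code from either post in this thread), here are the three cases the reply raises, each in the hardened form the posters are asking answers to show: the ?page=x include, the ?id=x query parameter, and form input reaching mail(). The page file paths, the `items` table and the `$db` PDO handle are assumptions for illustration; it is written for PHP 7+ with register_globals off.

```php
<?php
// Added example, not from the thread. Assumes register_globals is off and
// that pages/*.php, the items table and the $db PDO handle exist.

// 1. ?page=x driving an include. The raw value must never reach include();
//    resolve it through a fixed allowlist so only known local files load.
function resolve_page(array $get): string
{
    $pages = [
        'home'    => 'pages/home.php',     // assumed paths
        'about'   => 'pages/about.php',
        'contact' => 'pages/contact.php',
    ];
    $key = $get['page'] ?? 'home';
    // ?page[]=x arrives as an array, so check the type before the lookup.
    if (!is_string($key) || !isset($pages[$key])) {
        $key = 'home';                     // unknown keys fall back to a safe default
    }
    return $pages[$key];
}

// 2. ?id=x used in a query: force an integer as the reply suggests, and
//    still bind it as a parameter rather than interpolating it into SQL.
function fetch_item(PDO $db, array $get): ?array
{
    $id = is_scalar($get['id'] ?? null) ? (int)$get['id'] : 0;
    if ($id <= 0) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Form input going into mail(): header injection depends on a CR or LF
//    in a header field, so refuse such values outright instead of cleaning
//    them, and validate the sender address format.
function send_contact_mail(string $to, string $from, string $subject, string $body): bool
{
    foreach ([$from, $subject] as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            return false;
        }
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $headers = 'From: ' . $from . "\r\n";
    return mail($to, $subject, $body, $headers);
}

// Usage: include resolve_page($_GET);  $item = fetch_item($db, $_GET);
```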