Re: Echoing input w/o sanitizing - what is the danger

Are you the only user?

Is it authenticating you to keep all other users out?

If some random 'net user can send POST data, and you just blindly spit
it out, with no filtering and no escaping, then, yes, that is
insecure.

There are all manner of nasty things that can be done to this setup by
other users.

Example:
They can send whatever POST data they want, which can include
JavaScript, which you blindly echo out, which can make your site
"look" like another site's login, but sends THEM the login info.

So now they are using your site as a dropbox in a phishing attack.

And that's just ONE example from a dozen.

Repeat after me:
FILTER INPUT; ESCAPE OUTPUT

Start reading here:
http://phpsec.org/

Also take a look at Rasmus' keynote at the php|tek conference,
probably listed here:
http://talks.php.net/

On Tue, August 7, 2007 7:11 pm, Dan wrote:
> I know how you can use cross site scripting if you can steal cookies
> and do bad stuff with JS.  My question now though is if I have a form,
> and I post to myself and just echo the value of that post, is that
> bad?  Nobody else would see the result of my post so no malicious JS
> could ever do anything.
> I'm not doing any database calls, just storing what they typed in
> either an array or a variable and echoing it.  Simple as that.  Is
> that insecure?
>
> - Dan
>
>
> ""Daniel Brown"" <parasane@xxxxxxxxx> wrote in message
> news:ab5568160708071520n20ee9f85l81b294b73c467ec@xxxxxxxxxxxxxxxxx
>>    I'm just forwarding this as a courtesy to the list, because
>> Anthony accidentally just sent it to me, as opposed to
>> "Reply-All'ing" the list.
>>
>> If you want more information on this subject you should search
>> Google for "Cross Site Scripting" and "XSS".
>> Of particular interest is this site: http://ha.ckers.org/xss.html
>> which demonstrates various ways XSS can be exploited.
>> Also if you aren't just echo'ing the data, but taking unsanitized
>> data and making database calls with it, you will want to look for
>> MySQL injection techniques.
>>
>> Cheers,
>> distatica.
>>
>>
>> On 8/7/07, Daniel Brown <parasane@xxxxxxxxx> wrote:
>>> On 8/7/07, Dan <frozendice@xxxxxxxxx> wrote:
>>> > I've always heard it is bad if you let a user type some input,
>>> > then show it back to them w/o sanitizing the code.  Eg. I have a
>>> > form, where the user types something, they hit submit and it
>>> > submits to itself then prints back to the user something like,
>>> > account created with password: whatever they typed.
>>> >
>>> > Why and how do you sanitize what they typed before echoing it
>>> > back to them?
>>> > I figured it was something like they could type in PHP commands
>>> > but I tried typing phpinfo(); into the box and submitting.  All
>>> > that happened is that it echoed phpinfo();
>>> >
>>> > Can someone explain this?
>>> >
>>> > --
>>> > PHP General Mailing List (http://www.php.net/)
>>> > To unsubscribe, visit: http://www.php.net/unsub.php
>>> >
>>> >
>>>
>>>     It's actually not so much for echo'ing as it is for processing
>>> the data in another manner that makes it dangerous not to do some
>>> sanitizing and checking.... such as database manipulation.
>>>
>>> --
>>> Daniel P. Brown
>>> [office] (570-) 587-7080 Ext. 272
>>> [mobile] (570-) 766-8107
>>>
>>> Hey, PHP-General list.... to give something back to everyone, you
>>> guys
>>> can have 50% off every month on hosting plans of $10/mo. or more
>>> (list
>>> price) at http://www.pilotpig.net/.
>>> Use the coupon code phpgeneralaug07
>>>
>>>
>>>
>>
>>
>>
>> --
>> ---------------------------------
>> Anthony Hiscox
>>
>> Video Watch Group
>> Public Site Currently Under Development
>> Group Members Site Fully Operational
>> ---------------------------------
>>
>
>
>


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
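An added example, not written by anyone in this thread, of the self-posting page Dan describes: the value is reflected once raw (the insecure version, left commented out) and once with "escape output" applied. It assumes a form field named password; the attacker-style input and the acceptance rule are constructed for the example.

```php
<?php
// Added example, not from this thread: Dan's self-posting form, reflected
// raw (vulnerable) and then escaped for an HTML context (hardened).
declare(strict_types=1);

// Escape a string for insertion into HTML text or a quoted attribute.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string; the charset is explicit.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Filter input": an assumed policy for this page - at most 64 printable
// ASCII characters. Note that '<' and '"' are printable, so a filter like
// this does not make the value safe to echo; only escaping does.
function isAcceptablePassword(string $value): bool
{
    return strlen($value) <= 64 && preg_match('/^[\x20-\x7E]+$/', $value) === 1;
}

// Constructed sample input standing in for whatever arrived in the POST.
// Anyone on the net can submit this form (or make a victim's browser do it),
// so "only I see the echo" is not a safe assumption. A POST of
// password[] would arrive as an array, hence the is_string() check.
$submitted = isset($_POST['password']) && is_string($_POST['password'])
    ? $_POST['password']
    : '<script>alert("xss")</script>';

// Vulnerable: the value goes into the page verbatim and the browser runs
// the script tag. Kept commented out so this script never does it.
// echo 'Account created with password: ' . $submitted;

// Hardened: "escape output" - the same value rendered as inert text.
if (!isAcceptablePassword($submitted)) {
    echo "Rejected: password contains characters that are not allowed.\n";
} else {
    echo 'Account created with password: ' . escapeHtml($submitted) . "\n";
}
```

htmlspecialchars() is only the right escaper when the value lands in HTML text or a quoted attribute; a value placed inside a script block or a URL needs the encoding for that context instead.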
