just an fyi for the list. filtering input and escaping output are topics on the zend certification exam.

-nathan

On 8/7/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
>
> Are you the only user?
>
> Is it authenticating you to keep all other users out?
>
> If some random 'net user can send POST data, and you just blindly spit it out, with no filtering and no escaping, then, yes, that is insecure.
>
> There are all manner of nasty things that can be done to this setup by other users.
>
> Example:
> They can send whatever POST data they want, which can include JavaScript, which you blindly echo out, which can make your site "look" like another site's login, but sends THEM the login info.
>
> So now they are using your site as a dropbox in a phishing attack.
>
> And that's just ONE example from a dozen.
>
> Repeat after me:
> FILTER INPUT; ESCAPE OUTPUT
>
> Start reading here:
> http://phpsec.org/
>
> Also take a look at Rasmus' keynote at the php|tek conference, probably listed here:
> http://talks.php.net/
>
> On Tue, August 7, 2007 7:11 pm, Dan wrote:
> > I know how you can use cross site scripting if you can steal cookies and do bad stuff with JS. My question now though is if I have a form, and I post to myself and just echo the value of that post, is that bad? Nobody else would see the result of my post so no malicious JS could ever do anything. I'm not doing any database calls, just storing what they typed in either an array or a variable and echoing it. Simple as that. Is that insecure?
> >
> > - Dan
> >
> >
> > "Daniel Brown" <parasane@xxxxxxxxx> wrote in message
> > news:ab5568160708071520n20ee9f85l81b294b73c467ec@xxxxxxxxxxxxxxxxx
> >> I'm just forwarding this as a courtesy to the list, because Anthony accidentally just sent it to me, as opposed to "Reply-All'ing" the list.
> >>
> >> If you want more information on this subject you should search Google for "Cross Site Scripting" and "XSS".
> >> Of particular interest is this site: http://ha.ckers.org/xss.html which demonstrates various ways XSS can be exploited.
> >> Also if you aren't just echoing the data, but taking unsanitized data and making database calls with it, you will want to look for MySQL injection techniques.
> >>
> >> Cheers,
> >> distatica.
> >>
> >>
> >> On 8/7/07, Daniel Brown <parasane@xxxxxxxxx> wrote:
> >>> On 8/7/07, Dan <frozendice@xxxxxxxxx> wrote:
> >>> > I've always heard it is bad if you let a user type some input, then show it back to them w/o sanitizing the code. Eg. I have a form, where the user types something, they hit submit and it submits to itself then prints back to the user something like, account created with password: whatever they typed.
> >>> >
> >>> > Why and how do you sanitize what they typed before echoing it back to them? I figured it was something like they could type in PHP commands but I tried typing phpinfo(); into the box and submitting. All that happened is that it echoed phpinfo();
> >>> >
> >>> > Can someone explain this?
> >>> >
> >>> > --
> >>> > PHP General Mailing List (http://www.php.net/)
> >>> > To unsubscribe, visit: http://www.php.net/unsub.php
> >>> >
> >>>
> >>> It's actually not so much for echoing as it is for processing the data in another manner that makes it dangerous not to do some sanitizing and checking.... such as database manipulation.
> >>>
> >>> --
> >>> Daniel P. Brown
> >>> [office] (570-) 587-7080 Ext. 272
> >>> [mobile] (570-) 766-8107
> >>>
> >>> Hey, PHP-General list.... to give something back to everyone, you guys can have 50% off every month on hosting plans of $10/mo. or more (list price) at http://www.pilotpig.net/.
> >>> Use the coupon code phpgeneralaug07
> >>>
> >>
> >> --
> >> ---------------------------------
> >> Anthony Hiscox
> >>
> >> Video Watch Group
> >> Public Site Currently Under Development
> >> Group Members Site Fully Operational
> >> ---------------------------------
> >
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So?
>
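As an added example (not code from the thread or from any of the posters), here is the self-submitting form Dan describes, rendered first the way he wrote it and then with Richard's "FILTER INPUT; ESCAPE OUTPUT" applied. It runs from the PHP CLI with constructed sample values standing in for `$_POST`; the field names, the username policy in `filter_username()`, and the helper names are assumptions for the demo, not anything the thread specifies.

```php
<?php
// Added example, not from the original thread. Simulates the "echo the POST
// value back" page from the discussion, unescaped and then escaped, plus a
// whitelist filter for a field whose shape is known (a username).
declare(strict_types=1);

// FILTER INPUT: accept only values that match the field's expected shape and
// reject everything else, rather than trying to "clean" arbitrary text.
// The 3-32 character [A-Za-z0-9_-] policy is a hypothetical one for this demo.
function filter_username(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{3,32}$/', $raw) === 1 ? $raw : null;
}

// ESCAPE OUTPUT: encode for the context being written into (HTML body/attr).
// ENT_QUOTES covers both quote styles so the value is safe inside attributes
// too; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The page as described in the thread: the posted value goes straight into
// the markup, so any tags it carries become part of the page.
function render_unescaped(string $posted): string
{
    return "<p>Account created with password: $posted</p>";
}

// Same page with output escaping: the browser shows the characters as text
// and never treats them as markup or script.
function render_escaped(string $posted): string
{
    return '<p>Account created with password: ' . escape_html($posted) . '</p>';
}

// Constructed inputs standing in for $_POST['password']: an ordinary value and
// one that carries markup (the kind of value Richard's phishing scenario needs
// the page to echo verbatim).
$samples = [
    'hunter2',
    '<script>alert(1)</script>',
];

foreach ($samples as $posted) {
    echo "input:     $posted\n";
    echo "unescaped: " . render_unescaped($posted) . "\n";
    echo "escaped:   " . render_escaped($posted) . "\n\n";
}

// Constructed inputs standing in for $_POST['username']: one that matches the
// policy and one that does not. Rejecting early means the rest of the
// application (including any later database call) never sees the bad value.
foreach (['alice_01', 'bob<script>'] as $name) {
    $ok = filter_username($name);
    echo 'username ' . var_export($name, true) . ': '
        . ($ok === null ? "rejected\n" : "accepted\n");
}
```

Run it with `php example.php`. The unescaped line for the second sample contains a live `<script>` element, which is exactly the output Dan's page would serve to whoever submitted that value; the escaped line shows `&lt;script&gt;...` instead, so the same page displays the text harmlessly. Escaping belongs at the point of output because the right encoding depends on the destination (HTML body, attribute, JavaScript, SQL); filtering belongs at the point of input because that is where the application still knows what shape the value should have.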