Re: A Review Request

PHP_SELF requires no processing (i.e. there is no need to do basename())

strcmp is binary-safe; I prefer and recommend using string-safe comparison
functions for strings... here is an example of why:

<?php
$value = 0;
// Loose comparison: on PHP 5/7 the non-numeric string is cast to int 0, so this is true
// (PHP 8 changed this case: 0 == "not zero" is now false).
if ($value == "not zero") {
    echo "oopsie, how did this happen, let's see how this works with strcmp (or === which i would advise)";
    // strcmp() casts both operands to string, and "0" differs from "not zero"
    if (strcmp($value, "not zero") == 0) {
        echo "You won't see this";
    } else {
        echo "Because strcmp works correctly";
    }
}

You can also use the exact comparator ===; as it compares types, it would
work well as well. In fact, if you don't need to determine anything about the
string, I would suggest using the === operator as it is significantly
faster:

timed: 0m0.724s
<?php
for($i=0; $i<=10000000; $i++){
  if(1 === "submit") {
    continue;
  }
}

timed: 0m4.785s
<?php
for($i=0; $i<=10000000; $i++){
  if(strcmp(1, "submit")==0) {
    continue;
  }
}

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray


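Added example, not code from the thread or from tedd's script: it puts loose (==) and strict (===) results side by side for a few form-style inputs and rewrites the credential check from the quoted diff with type validation and hash_equals(). Function names and the sample credentials are assumed; the code needs PHP 7.1+ syntax.

```php
<?php
// Added example (not from the thread or from tedd's script). Function names
// and the sample credentials below are assumed. Needs PHP 7.1+ syntax.

// Side-by-side loose (==) and strict (===) results for form-style inputs.
// On PHP 5/7 a non-numeric string compared with an int is cast to 0, so
// 0 == "not zero" holds; PHP 8 changed that case to false. Numeric strings
// such as "1e3" and "1000" compare equal under == on every version.
function compare_report(array $pairs): array {
    $rows = [];
    foreach ($pairs as [$a, $b]) {
        $rows[] = [
            'a'      => var_export($a, true),
            'b'      => var_export($b, true),
            'loose'  => ($a == $b),
            'strict' => ($a === $b),
        ];
    }
    return $rows;
}

// Hardened version of the credential check from the quoted diff. Inputs that
// are missing or not strings fail closed instead of being handed to strcmp()
// or sha1(), which on PHP 5/7 warn and return NULL for arrays. hash_equals()
// (PHP 5.6+) compares byte for byte in constant time. The sha1 scheme is kept
// only to match the diff; password_hash()/password_verify() is the better choice.
function check_credentials(array $post, string $expected_id, string $expected_sha1): bool {
    if (!isset($post['user_id'], $post['password'])
        || !is_string($post['user_id']) || !is_string($post['password'])) {
        return false;
    }
    $id_ok = hash_equals($expected_id, $post['user_id']);
    $pw_ok = hash_equals($expected_sha1, sha1($post['password']));
    return $id_ok && $pw_ok;
}

// Constructed sample data, not from the thread.
$expected_sha1 = sha1('pw'); // the diff's example password
$pairs = [[0, 'not zero'], ['1', '01'], ['1e3', '1000'], ['abc', 0]];
foreach (compare_report($pairs) as $r) {
    printf("%-12s vs %-12s  loose=%-5s strict=%s\n", $r['a'], $r['b'],
        var_export($r['loose'], true), var_export($r['strict'], true));
}
// A well-formed form post, then a malformed one where user_id is not a string.
var_dump(check_credentials(['user_id' => 'alice', 'password' => 'pw'], 'alice', $expected_sha1));
var_dump(check_credentials(['user_id' => ['alice'], 'password' => 'pw'], 'alice', $expected_sha1));
```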

On Thu, May 19, 2011 at 2:44 PM, Andre Polykanine <andre@xxxxxxxx> wrote:

> Hello Alex,
>
> Two (stupid?) questions:
> 1. Why PHP_SELF is better than SCRIPT_NAME?
> 2. Why strcmp() is better than just comparing?
>
> --
> With best regards from Ukraine,
> Andre
> Skype: Francophile
> My blog: http://oire.org/menelion (mostly in Russian)
> Twitter: http://twitter.com/m_elensule
> Facebook: http://facebook.com/menelion
>
> ------------ Original message ------------
> From: Alex Nikitin <niksoft@xxxxxxxxx>
> To: PHP General
> Date created: , 9:29:35 PM
> Subject:  A Review Request
>
>
>
> I will try to respond to the original question.
>
> Note: this is constructive criticism, so I won't do much in terms of
> praising the good parts.
>
> It works, it's very primitive, in some ways it's pretty insecure: for example
> it provides no session hijacking protection, and it's not written with the
> better of standards in mind. For one, if you do store your password in code,
> you shouldn't store your password in clear text; that way, if say I was able
> to bypass PHP execution and dumped that file out, I would still not have a
> usable password, so use a hash. There is no timing out or attempt
> management; for example I can write a 5-line-long brute script that will
> just pound your script with user ids and passwords, so you should make it at
> least somewhat difficult for me to do that ;)
>
> Also, don't declare a bunch of needless variables for their one-time use,
> don't compare unsanitized strings with a binary-unsafe operator, and server
> variables contain a link to the current script. Here are examples of what I mean:
>
> -$self = basename($_SERVER['SCRIPT_NAME']);
> +$self = $_SERVER['PHP_SELF'];
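Review bot: `$_SERVER['PHP_SELF']` should not go into markup unescaped. Unlike SCRIPT_NAME it can carry client-supplied path info appended after the script name, so if `$self` ends up in a form action it needs `htmlspecialchars()`, and the `basename()` call being removed also limited the value to the script's own file name. Keep the escaping whichever variable is used.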
>
>
> -$submit = isset($_POST['submit']) ? $_POST['submit'] : null;
> -if($submit == 'Submit')
>
> +if($_POST)
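Review bot: `if($_POST)` drops the `isset()` guards, so `$_POST['user_id']` and `$_POST['password']` are read further down without checking they exist, which is why the later comparison line needs `@` to silence notices. Keep an explicit `isset($_POST['user_id'], $_POST['password'])` check and treat anything else as a failed login rather than suppressing errors.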
>
>
> -$pw = 'pw'; // define your password here
> -$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
> -$password = isset($_POST['password']) ? $_POST['password'] : null;
> -if (($user_id == $id) AND ($password== $pw))
>
> +$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the
> password: php -r "echo sha1(\"pw\");"
> +if (@strcmp($id, $_POST['user_id']) == 0 && strcmp($pw,
> sha1($_POST['password'])) == 0)
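Review bot: the comparison line has two problems. `@strcmp(...) == 0` loosely compares whatever strcmp() returns: on PHP 5 strcmp() handed a non-string emits a warning (hidden here by the `@`) and returns NULL, and `NULL == 0` is true, so check `is_string()` on both POST values first and compare with `=== 0` (or `hash_equals()` on 5.6+, which also avoids strcmp()'s early-exit timing). Separately, an unsalted sha1 of the password is fast to crack offline if the file leaks, which is exactly the scenario the message describes; `crypt()` with CRYPT_BLOWFISH (PHP 5.3+) gives a salted, slow hash instead.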
>
>
>
> -- Alex --
> --
> The trouble with programmers is that you can never tell what a programmer
> is
> doing until it’s too late.  ~Seymour Cray
>
>
>
> On Wed, May 18, 2011 at 3:22 PM, tedd <tedd@xxxxxxxxxxxx> wrote:
>
> > Hi gang:
> >
> > I am considering providing PHP code to the general public via my website
> >
> > This is my first attempt:
> >
> > http://sperling.com/php/authorization/
> >
> > What do you people think?
> >
> > Cheers,
> >
> > tedd
> >
> > --
> > -------
> > http://sperling.com/
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
