Posted by Erwin Moller on 10/03/51 12:00
Sebastian Lisken wrote:
Hi Sebastian,
> Hi, I'm in the process of securing a PHP/MySQL website by making sure
> all strings that can at least possibly be manipulated from the outside
> are passed through the appropriate escaping functions and/or validated
> against patterns. In the most canonical cases, SQL strings supplied from
> the outside are handled by mysql_real_escape_string,
Your app accepts complete SQL commands from the outside?
Are you sure that is all right?
I mean, why bother to escape SQL, if I can simply fire a:
DELETE FROM tblusers;
> HTML snippets by
> htmlentities, GET parameters in query strings by rawurlencode. What I'm
> unsure about is whether SID needs to be treated. It's the variable used
> most often, so I guess I could improve efficiency a bit by not adding
> an escaping functions in snippets such as
>
> <a href="<? echo htmlentities($_SERVER['PHP_SELF']) . "?" . SID; ?>">
>
> Is there a known scenario in which an attacker could set SID to contain,
> say, HTML that could then be used in an XSS attack?
No, not an XSS attack. The PHPSESSID is only used to maintain a session
with some client.
But in case you wrote your own session handlers, you should take precautions.
If you use the default (file) sessions, don't worry.
Of course you should always worry about session stealing.
If person A gets the session id of person B, person A can pretend to be
person B for the duration of the session. (For more details see the
session pages on www.php.net. The scenario is named 'session fixation'.)
Regards,
Erwin Moller
>
> Thanks for your opinions
>
> Sebastian Lisken
>
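The thread above discusses two things: whether SID is safe to drop into an href unescaped, and session fixation. The following is an added example, written for this page and not code from either poster. It escapes the whole self-link (PHP_SELF and SID together) so the answer to the first question no longer matters, and it regenerates the session id after login so an id planted by an attacker before authentication never becomes an authenticated one. Assumptions: PHP 7 or later (scalar type declarations), `session.use_strict_mode` available (PHP 5.5.2+), and a constructed one-user credential table standing in for a real user store.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7+ and that this
// runs before any output has been sent (session cookies need headers).

// 1. Session settings, applied before session_start().
//    Cookies only: the session id then never travels in URLs, so SID stays
//    empty and the id does not leak through links, Referer headers or logs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
//    Strict mode (PHP >= 5.5.2): an id the server did not generate itself is
//    rejected, which blocks the classic "fixate an id via URL/cookie" setup.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// 2. The self-link from the original question, with everything that ends up
//    inside the attribute escaped: PHP_SELF can carry attacker-chosen path
//    info, and SID carries "PHPSESSID=<id>" whenever the client has no cookie.
//    Escaping the combined string costs nothing and does not depend on which
//    of the two values an attacker can influence.
function selfLinkWithSid(string $self, string $sid): string
{
    $url = $self;
    if ($sid !== '') {
        $url .= '?' . $sid;
    }
    return '<a href="' . htmlentities($url, ENT_QUOTES, 'UTF-8') . '">here</a>';
}

// 3. Constructed credential store for the example: one user, bcrypt hash.
//    A real application would read this from its database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function checkCredentials(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// 4. Login: regenerate the session id after successful authentication and
//    delete the old session file, so whatever id the client arrived with
//    (possibly one an attacker handed them) is not the id that now carries
//    $_SESSION['user'].
function login(array $users, string $user, string $password): bool
{
    if (!checkCredentials($users, $user, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

// 5. Logout: drop the server-side state and the cookie, not only the array.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in a page:
if (isset($_POST['user'], $_POST['password'])) {
    if (!login($users, (string) $_POST['user'], (string) $_POST['password'])) {
        http_response_code(401);
    }
}
echo selfLinkWithSid($_SERVER['PHP_SELF'], SID);
```

Two points worth keeping in mind when adapting this: SID is only defined after session_start(), and session_regenerate_id(true) must be called before the session is used for anything privileged, which is why it sits inside login() rather than at the top of every page.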