Re: [PHP] Newbie: Safe function call to a .inc file outside the web folder

Posted by Chris Shiflett on 08/28/05 16:50

Edward Vermillion wrote:
> I was under the the impression that the non-'HTTP_*' keys in the
> $_SERVER array came from the server itself.

All of that data comes from the server, but it's difficult to determine
which data can be influenced by information within the HTTP request. In
other words, you get it from Apache, but it doesn't always originate there.

I blogged about this a while ago:

http://shiflett.org/archive/98

Read the quiz at the very end, then read Geoff Young's comments.

> I'm curious how 'SERVER_NAME' could be manipulated by the client.

Zeev blogged about this:

http://ibm.com/developerworks/blogs/dw_blog_comments.jspa?blog=481&entry=75480

Another one that surprises a lot of people is $_SERVER['PHP_SELF']:

http://blog.phpdoc.info/archives/13-XSS-Woes.html

> Is there anything in the $_SERVER array that *can* be considered safe?

Yes, but I've just adopted the habit of considering $_SERVER entirely
tainted. It's too hard to safely distinguish between what's tainted and
what's not, so I think it's best to play it safe and trust nothing.

If you read the above blog at IBM, you'll see that Rasmus disputes
Zeev's claim, and Zeev has to explain further. Regardless of who is
right (Zeev is, in this particular case), if one of the top PHP core
developers gets it wrong, then what hope is there for me? If I consider
all of $_SERVER to be tainted, I don't have to worry about making such a
mistake.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
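As an added example (not part of Chris's post, nor code from any of the linked articles), the PHP below shows the two cases the thread refers to: $_SERVER['PHP_SELF'] carrying attacker-supplied path info into an HTML attribute, and $_SERVER['SERVER_NAME'] echoing the client's Host header, which Apache does when UseCanonicalName is Off (its default; with UseCanonicalName On, SERVER_NAME comes from the ServerName directive instead). The $_SERVER array is constructed inline to mimic what PHP would see for such a request, so the script runs from the command line with no web server; the hostnames, the allow-list and the helper function names are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Treats every $_SERVER key as
// tainted, as the post recommends, and escapes or validates before use.

// Constructed request, not a real capture. A browser fetched
//   /form.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cfoo%20
// with the header "Host: attacker.example". Apache, with path info enabled
// for PHP scripts and UseCanonicalName Off, hands PHP roughly this:
$fakeServer = [
    'SCRIPT_NAME' => '/form.php',
    'PATH_INFO'   => '/"><script>alert(1)</script><foo ',
    // PHP_SELF = SCRIPT_NAME . PATH_INFO, so the payload lands here:
    'PHP_SELF'    => '/form.php/"><script>alert(1)</script><foo ',
    // Copied from the client's Host header, not from httpd.conf:
    'SERVER_NAME' => 'attacker.example',
    'HTTP_HOST'   => 'attacker.example',
];

/** Vulnerable: the classic self-posting form, raw PHP_SELF in an attribute. */
function vulnerableFormAction(array $srv): string
{
    return '<form action="' . $srv['PHP_SELF'] . '" method="post">';
}

/** Hardened: escape for the HTML attribute context before output. */
function safeFormAction(array $srv): string
{
    $self = htmlspecialchars($srv['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

/**
 * Hardened: never build an absolute URL from SERVER_NAME or HTTP_HOST
 * without checking it against an allow-list of hosts you actually serve.
 * (Allow-list contents are an assumption for this example.)
 */
function canonicalHost(array $srv, array $allowedHosts): string
{
    $host = strtolower($srv['HTTP_HOST'] ?? $srv['SERVER_NAME'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    if (!in_array($host, $allowedHosts, true)) {
        throw new RuntimeException('Host not in allow-list: ' . $host);
    }
    return $host;
}

/** Self-referential URL built only from validated and escaped parts. */
function selfUrl(array $srv, array $allowedHosts): string
{
    $host = canonicalHost($srv, $allowedHosts);
    $path = htmlspecialchars($srv['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return 'https://' . $host . $path;
}

// Show the raw injection, then the escaped version of the same input.
echo "vulnerable: ", vulnerableFormAction($fakeServer), "\n";
echo "hardened:   ", safeFormAction($fakeServer), "\n";

// The attacker-controlled Host header is rejected instead of being echoed
// into a password-reset link, redirect, or cache key.
try {
    echo selfUrl($fakeServer, ['www.example.com']), "\n";
} catch (RuntimeException $e) {
    echo "rejected:   ", $e->getMessage(), "\n";
}

// Same code path with the legitimate host passes.
$legit = $fakeServer;
$legit['HTTP_HOST'] = $legit['SERVER_NAME'] = 'www.example.com';
echo "accepted:   ", selfUrl($legit, ['www.example.com']), "\n";
```

Run with `php example.php`. The first line shows the script tag sitting inside the form's action attribute exactly as the browser would parse it; the second shows the same input with the quote and angle brackets entity-encoded, which is the whole fix for that bug. The allow-list check is the equivalent for SERVER_NAME: escaping stops markup injection, but only validation stops an attacker choosing which host name your application believes it is running under.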
