|
Posted by "bruce" on 09/22/05 04:02
right...
but here again, you're talking about the server app, getting the query, and validating the information within the query. since i assume the '%x' chars traslate into something other than straight text, i assume that the html function you mention strips out these chars, or it returns a true/false if the data is valid. is this in essence what you're talking about?
-bruce
-----Original Message-----
From: Jasper Bryant-Greene [mailto:jasper@bryant-greene.name]
Sent: Wednesday, September 21, 2005 5:09 PM
To: 'PHP Mailing Lists'
Subject: Re: [PHP] security/sql issues with php
bruce wrote:
> thanks for the replies... i think i understand what you're stating..
> but i'm still confused as to why my app/server would allow a GET/POST
> piece of data that would/should be originating from a form on my site
> to come from a 3rd party/external site/app? i would have assumed that
> there are relatively easy/straight-forward methods to resolve this.
If you're using GET, then the URL in the user's address bar would look
like this:
http://www.example.com/myscript.php?myvar1=some&myvar2=value
It's painfully easy for even the most novice of users to edit the values
to say, for example:
http://www.example.com/myscript.php?myvar1=%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert%28%27hello%27%29%3C%2Fscript%3E&myvar2=value
Which, if you outputted $_GET['myvar1'] without htmlspecialchars()
escaping, would happily execute a JS script on your page. That's a
rather benign example (simply pops up a "hello" box), but it wouldn't be
difficult to do something worse.
Anyone else could link to your page with that URL and have the script
executed on your page. You can't stop this, so you have to escape and
validate the data coming in.
POST is a little more difficult but it is still really easy for a
slightly more clued-up user to edit the data, or another website to POST
data from their form to your script.
--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Back to original message]
|