Comments:
<0> regarding $_GET and $_POST security, is it sufficient to have a foreach() loop to go through all post and get values, and remove any offending code?
<0> or can this measure be circumvented?
<1> well, that depends how good your 'offending code' detector is
<2> 'offending code'?
<0> i.e. if someone tries to inject code
<3> there is no difference between post and get, apart from you can usually see the get stuff in the browser
<3> post is just as visible if you want to see it
<1> Bizzy: and people can see get line in referrers...
<3> and just as changeable
<0> yes
<4> Bizzy: and stuff in $_GET shows up in referrer logs
<5> Bizzy, not true. GET resources should have no impact on server (e.g., read only)
<2> Bizzy: "javascript"
<0> ok so, what kind of things should I check in $_GET and post?
<0> single quotes, ;
<1> verbatim: any data that is not valid
<3> speaking of this
<5> Having fun links like delete.php?item_id=10 has played some evil tricks on people with prefetching.
<3> what's the best way to take a $_GET string and put it in a mysql query without being caught up in an sql injection hole
<1> Bizzy: mysql_real_escape_string
<1> damnit!!!!
<2> If you're deleting items, _MAKE SURE_ that user has sufficient level to do so.
<1> if you're deleting items, ask for confirmation.
<5> If you're deleting items, use POST.
<1> just 'sufficient level' - asking for XSS.
<2> Dae: Why?
<1> Dae: well, doesn't help with XSS :-)
<2> domas: How is that asking for XSS?
<6> Dae: not having a confirmation on deletion is quite stupid
<3> deleting will always be done via the admin panel, which uses a .htaccess p***word
<5> Stormchaser: GET should be "always ok" to do. Prefetching (Firefox, Google toolbars, ISP caches) should be free to prefetch GET resources.
<7> Not necessarily stupid. Potentially cruel. :)
<1> Stormchaser: if cookies are used for sessions, pointing user to your page, showing a joke, deleting his data at that time.
<6> delete?id=X should never actually delete something, you should have to confirm first :-)
<2> domas: "SSL"
<1> Stormchaser: won't help you with XSS
<2> sure it will
<1> Stormchaser: no it won't
<2> domas: Have you read on session fixation?
<3> domas: so $somestr = mysql_real_escape_string($_GET['s']); and that will kill off sql injection?
<2> yes
<1> Stormchaser: XSS is not about hijacking sessions by sniffing protocol. XSS is ... executing script remotely.
<1> in the context of _other_ site
<8> if I have 2 variables, they are both string, but contain numeric values (e.g., var_dump() outputs: string(2) => '22' ) what's the best way to perform arithmetic on them?
<3> intval()
<6> MrNaz: $a = $b + $c
<8> Bizzy string(4) "8.70"
<1> Stormchaser: so if I have .jpg page which is actually frameset, which shows a nice joke in one frame and submits lots of delete queries in another...
<9> How do you check if a cookie exists using PHP
<8> AcidReign I'm using 4.4.x, that's just outputting zero
<1> Stormchaser: neither session fixation, nor SSL would help. confirmation would.
<9> if($_COOKIE[name]) doesn't work for me
<1> JSDude: $_COOKIE ?
<9> it's returning true even if it doesn't exist
<2> domas: Aha... I see...
<8> AcidReign nvm me, I'm an idiot
<1> to do what? :)
<2> confirmation-before-deletion
<6> (see my statements above!)
<1> heh.
<3> but, any sql injection can delete
<2> AcidReign: ...as said... :)
<6> hell, you should confirm on updates half the time...
<6> any kind of batch update (i.e. changing contact info)
<6> s/batch/multiple field/
<3> SELECT * FROM `poo` WHERE id > $p where $p is 0; DELETE FROM `poo` WHERE id > -1
<1> well. you may have application confirming it for you
<2> !tell Bizzy about sql injection
<1> Stormchaser: btw, confirmation with action=delete&confirmed=true doesn't count ;-)
<9> I'm doing <?= ($_COOKIE['username'] != '') ? 'none' : 'block' ?>
<5> Bizzy: if id has to be an integer, force it to be an integer.
<9> and it's returning block whether the cookie exists or not
<2> domas: I'm aware of that...
<3> yes, that was just a basic example
<10> sql injection is no joke. vgmix.com just got majorly hacked up due to simple injection exploits
<3> to show that a non-delete, so non-confirm, query can have a delete
<1> oh noes, vgmix.com, what a tragedy
<10> rofl, still funny
<2> *whew* I'm happy it's not vgcats :)
<1> there's an easy way to avoid sql injections. do not build queries yourself.
<10> that or mysql real escape
<5> PDO++
<10> and intval
<9> anybody?
<0> hey
<3> I'm trying to make this guy I know move away from phpnuke, I injected myself as admin, and put the site into offline mode
<0> can you have nested <ul> ?
<5> <ul> can be nested inside <li>
<10> bizzy know some good phpnuke exploits?
<0> <ul><li></li> <ul><li></li> </li>
<0> ohhh I see
<0> thank you dae
<3> he won't believe it is because phpnuke is terrible
<3> `wtf: he was using 7.0
<3> stuff for that is all over the internet
<10> ah, too bad
<5> Any software that has gone through 7 or more versions in just a few years would make me wonder...
<6> Bizzy: tell him that 449 people told him he's an idiot.
<6> (I hope everyone doesn't mind that I speak for them!)
<2> lol
<3> AcidReign: he updated to latest pay version (he made the club he is running it for pay for it)
<1> Bizzy: tell him to use mediawiki! :)
<3> I'm just looking for a source of sql injects for that
<2> Bizzy: You shouldn't ask those questions *here*
<3> I'm not asking for them
<10> hmm, there's this site I know of that might be exploitable. I wonder how to tell which version
<3> I'm just stating that I'm on the lookout for them
<10> only cause it was set up a year ago
<3> meh
<1> well, those exploits have nothing in common with PHP anyway
<3> crappy laptop non-natural keyboard
<1> I guess that's slightly offtopic ;-)
<10> exploits are a pretty important topic in php
<1> exploits or secure coding practices?
<10> same diff
<2> secure coding practices
<5> No, not quite.
<2> `wtf: no
<3> exploits because of bad coding practices
<1> 'same difference'?
<10> yep
<1> what a strange construct
<10> it's like saying boats have nothing to do with the sea
<3> domas: it's a pretty common saying
<5> Bizzy: that doesn't mean it makes sense
<10> it's pop lingo
<3> boats don't have to have anything to do with the sea
<10> pwnt
<3> friend of mine has one, never once seen water
<3> except when it rains
<1> well, I've had one, it has been in a lake all the time
<10> exactly, just like bad coding practices may never see actual exploits
<1> so where were we with secure coding practices
<5> lakes are suddenly seas?
<10> doesn't mean they aren't part of the same topic
<1> Dae: 'is it a lake or a sea' once was quite an expensive bet for me =)
<3> if it's landlocked, it's technically a lake
<1> Bizzy: what about lagoon lake?
<3> ?
<1> Bizzy: example: Lake Maracaibo
<1> (the one the bet was about, and I didn't lose 100% there ;-)
<3> I'll brb
<3> trying to install php on apache 2 on this pos
<11> not hard, I had it on my 333
<8> what's the best way to convert "0.00" or "4.32212" from a string into a value?
<3> I know it's not
<10> floatval()
<12> anyone have any recommendations on where to pick up boxes and styrofoam/peanuts packing?
<3> I just HATE HATE HATE normal keyboards, and add even more hates on that for laptop keyboards