d2jsp Forums > Off-Topic > Computers & IT > Programming & Development > Login Help > Need Help
Feb 17 2010 07:13pm
Quote (llamaoo7 @ Feb 16 2010 08:24am)
He said it was as simple as you can make it. Sometimes there is security in simplicity, but that isn't the case here. This is just something simple to shut up the OP. Why would you "echo" the password? Why would you encrypt it in a config file (one way, salted hash maybe)? Also, SQL injection? Where's the SQL? Also, learn to use proper grammar (I don't have the best, but if someone walked up to me and talked how your post reads, I'd think you're a crack head).

This sounds like some people I work with that throw around buzz words and I have to explain to management why they shouldn't be instituting policy :( .


All I was saying was, the way you put it, all you have to do is mess with the unvalidated $_POST and expose your site, e.g. the $password var that's in the same file. As any web designer knows, you should always validate; why would you ever trust the user? Hell, I think that's the best part of building websites: thinking of ways to keep it all secure. But when a newer person asks for help, why should you not explain the answer and add the fact about security? (And on a side note, only like 1 out of 100 people has any grammar skills on the internet.)
Feb 17 2010 07:19pm
Quote (Lilfade_LOR_CF @ 17 Feb 2010 20:13)
All I was saying was, the way you put it, all you have to do is mess with the unvalidated $_POST and expose your site, e.g. the $password var that's in the same file. As any web designer knows, you should always validate; why would you ever trust the user? Hell, I think that's the best part of building websites: thinking of ways to keep it all secure. But when a newer person asks for help, why should you not explain the answer and add the fact about security? (And on a side note, only like 1 out of 100 people has any grammar skills on the internet.)


Validate the $_POST to protect against what? PHP string injection attack? That must be 0-day.
(Hint: You validate it when you check its value.)
Feb 17 2010 11:32pm
Quote (Lilfade_LOR_CF @ 17 Feb 2010 20:13)
All I was saying was, the way you put it, all you have to do is mess with the unvalidated $_POST and expose your site, e.g. the $password var that's in the same file. As any web designer knows, you should always validate; why would you ever trust the user? Hell, I think that's the best part of building websites: thinking of ways to keep it all secure. But when a newer person asks for help, why should you not explain the answer and add the fact about security? (And on a side note, only like 1 out of 100 people has any grammar skills on the internet.)


You are missing the part where it said "as simple as possible". Your entire argument is more complexity which removes the "as simple" statement.

I do agree attacks are always possible but save form validation for another day.

Code
<?php
// cleanText(): escape one request value. get_magic_quotes_gpc() and
// mysql_escape_string() existed in the PHP 5 of this thread; both were
// later removed (PHP 8.0 and 7.0 respectively), so this only runs on PHP 5.
function cleanText($string)
{
    if (is_array($string)) {
        return $string; // nested arrays are left untouched
    }
    if (!get_magic_quotes_gpc()) {
        // Magic quotes off: backslash-escape for use in a MySQL string literal.
        return mysql_escape_string($string);
    }
    // Magic quotes on: PHP already added backslashes, so only escape HTML.
    return htmlspecialchars($string);
}

// Apply cleanText() in place to every scalar value in $_POST and $_GET.
// The superglobals are always set, so no isset() check is needed.
foreach ($_POST as $key => $value) {
    if (!is_array($value)) {
        $_POST[$key] = cleanText($value);
    }
}

foreach ($_GET as $key => $value) {
    if (!is_array($value)) {
        $_GET[$key] = cleanText($value);
    }
}


Now you can stop bickering and use my cleaning function above.

This post was edited by Bricegould on Feb 17 2010 11:34pm
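As an added example (not code from the thread or from any poster), here is how the login check the OP asked about can be written without a cleanText() pass at all: the form values are bound as prepared-statement parameters and the password is compared against a salted one-way hash, which is what llamaoo7's "one way, salted hash" remark points at. The connection constants and the users(username, password_hash) table are placeholder assumptions.

```php
<?php
declare(strict_types=1);

// Placeholder connection settings; replace with your own.
const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
const DB_USER = 'app';
const DB_PASS = 'change-me';

function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Store a salted one-way hash, never the password itself.
function createUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// True only if the user exists and the password matches its hash. The
// form values never become part of the SQL text: they are bound as
// parameters, so quotes or backslashes in them cannot change the query.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($password, $row['password_hash']); // timing-safe compare
}

// Form handling: read the raw $_POST values and check them; no escaping
// of the input is needed because nothing here interpolates it anywhere.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['password'] ?? '');
    if (checkLogin(connect(), $user, $pass)) {
        echo 'Logged in';
    } else {
        echo 'Invalid username or password'; // same message for both failures
    }
}
```

If a value from $_POST is later printed into a page, escape it with htmlspecialchars() at that output point rather than rewriting the request arrays up front.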
Feb 18 2010 05:26am
Quote (Bricegould @ 18 Feb 2010 06:32)
You are missing the part where it said "as simple as possible". Your entire argument is more complexity which removes the "as simple" statement.

I do agree attacks are always possible but save form validation for another day.
Now you can stop bickering and use my cleaning function above.


I got it :)