Re: Anyone have some basic security tips for PHP-programmers?
From: Härnhammar, Ulf (Ulf.Harnhammar.9485@student.uu.se)
Date: Sun Nov 23 2003 - 11:36:46 CST
Also sprach Tommy Gildseth <tommy@akili.no>:
> Yes, but none of your examples overlap with the piece of code I was
> commenting on. Ie, the original code doesn't solve any of the problems
> you have described here.
OK, I suppose I was making a general comment about magic quotes instead of
commenting on A. Binder's code.
> As far as I have experienced, it's not a problem to ignore whether magic
> quotes is on or not. Just act as if they are not.
Well, it's not a security problem, but as Tim Oliver just pointed out, it's
irritating with applications that add lots of extra slashes here and there. You
type in "Tommy Gildseth's mailinglist post" and they display it as "Tommy
Gildseth\'s mailinglist post". It's ugly.
This is what I do in PHP:
if (get_magic_quotes_gpc()) // magic_quotes_gpc is on: PHP has already added one layer of slashes
{
    $name = stripslashes($name);   // remove exactly that one layer, nothing more
    $phone = stripslashes($phone);
}
I.e., if magic quotes are on, you strip one layer of slashes from all user data.
If magic quotes are off, you don't strip any slashes, because they were typed in
by the user and should be left alone. You then have all data in its original
form, which of course has to be processed before the data is included in web
pages, SQL statements, e-mail messages and so on.
(Lots of scandinavians on this list for some reason..)
--
Ulf Härnhammar, student, Uppsala universitet
"Jag är en tvivelaktig figur / Duger ej mycket till"
-- Cornelis Vreeswijk, "Somliga går med trasiga skor"
Uggs != Cmectbb
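The approach described in the post above, carried through as an added example that is not part of the original message: undo the single layer of magic-quotes escaping once, at the top of the script and for nested form fields too, then escape the now-original data separately for each sink it goes into (HTML, SQL, e-mail headers). It assumes a PHP 5.x build where get_magic_quotes_gpc() still exists and PDO with SQLite is available; the helper name undo_magic_quotes and the table layout are invented for the example.

```php
<?php
// Added example, not code from the original post. Assumes PHP 5.x, where
// get_magic_quotes_gpc() exists (the whole feature was removed in PHP 5.4).

// Undo exactly one layer of magic-quotes escaping, recursing into arrays so
// that form fields named like contact[] are handled as well as scalars.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Do this once, at the very top of the script, and nowhere else: stripping
// twice would eat backslashes the user actually typed.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// From here on every value is in the form the user typed it. Each sink below
// gets its own escaping; none of them relies on magic quotes.
$name  = isset($_POST['name'])  ? $_POST['name']  : '';
$phone = isset($_POST['phone']) ? $_POST['phone'] : '';

// 1. Web page: entity-encode so quotes and angle brackets cannot break markup.
//    "Tommy Gildseth's post" is displayed exactly like that, no stray backslash.
echo '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';

// 2. SQL statement: bind parameters instead of quoting by hand (PDO, assumed).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE contacts (name TEXT, phone TEXT)');
$stmt = $db->prepare('INSERT INTO contacts (name, phone) VALUES (:name, :phone)');
$stmt->execute(array(':name' => $name, ':phone' => $phone));

// 3. E-mail message: a value going into a header must not contain line breaks,
//    otherwise the user controls additional header lines.
$from_header = 'From: ' . str_replace(array("\r", "\n"), '', $name);
```

The point of the structure is that the magic-quotes check happens exactly once, at input, and every later step treats the data as raw user input. A script that calls stripslashes() again further down, or that skips htmlspecialchars() because "magic quotes already escaped it", is where the doubled or missing backslashes in the thread come from.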