  1. #1 Skunk (SitePoint Columnist)
    I'm currently looking at options for security on the site I am currently planning. Using the PHP configuration file it is possible to "turn off" the PHP feature which converts every POSTed or GET variable into a standard variable available to the script. You can then access these variables using the $HTTP_POST_VARS and $HTTP_GET_VARS global arrays. Obviously this tightens up security a huge deal as people can't feed dummy values to your scripts; however, it also adds more work when writing scripts.

    Is it worthwhile implementing this as a security measure?

  2. #2 freakysid
    Skunk - completely off the topic. But can you please contact me via pm or email. And perhaps read your personal messages?!?

    I question whether this really tightens up security at all. Firstly, GET variables are passed in the URL string. So whether you access them using the $HTTP_GET_VARS array or directly by their name doesn't change the fact that a user can try to crack your script by passing values in the URL.

    Same thing for $HTTP_POST_VARS array. A user can still try to send a header with malicious intent. I can't see how it could make a difference.
    Last edited by freakysid; Apr 17, 2001 at 03:46.

  3. #3 mmj
    Hi skunk

    I see what you mean now.

    Personally I would leave it as it is for simplicity.

    Although, it's important that you write your scripts knowing that if you are accessing a variable that hasn't been set a value, then the value could be just about anything.

    Of course all programmers know this, but in PHP it is easy to become complacent about relying on isset($value) to find out whether you have given a value to a variable.

    If the variables you need to use are going to be important, such as when you are updating or inserting into a table, or accessing private records, you should validate the input values properly anyway.

    So yeah, I don't think that kind of thing is necessary, as long as you follow good programming procedures. If it is for an application of utmost security, and you are not confident that your scripts have no security gaps, then you COULD start using the $HTTP_POST_VARS, etc.

    Also, you could just as easily get unwanted values in HTTP_POST_VARS if you don't validate them as well, so it'd still be more work.
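A worked illustration of the unset-variable problem mmj describes and of the explicit-array style Skunk asks about, as an added example that is not from the thread. The check_login() function, the form field names and the user-name pattern are assumptions made for the illustration.

```php
<?php
// Added example, not posted in the thread. Shows why a script written for
// register_globals=On can be tricked, and how reading input only from the
// request arrays plus initialising every variable removes the problem.
//
// FRAGILE pattern, as many PHP 4 scripts were written:
//
//   if (check_login($user, $pass)) { $authorized = true; }
//   if ($authorized) { show_private_records(); }
//
// $authorized is assigned only on a successful login, so on failure it is
// simply unset. With register_globals=On every GET/POST/cookie field becomes
// a PHP variable before the first line runs, so the client controls what an
// unset variable "contains". isset($authorized) gives no protection either:
// it is true precisely when the client supplied such a field.

// $HTTP_POST_VARS is the PHP 4 name used in this thread; $_POST replaced it
// in PHP 4.1 and the old names were removed in PHP 5.4. Accept either.
$post = isset($_POST) ? $_POST : $HTTP_POST_VARS;

// 1. Initialise every variable the script tests, regardless of ini settings.
$authorized = false;

// 2. Pull input from the request array only, with an explicit default.
$user = isset($post['user']) ? $post['user'] : '';
$pass = isset($post['pass']) ? $post['pass'] : '';

// 3. Validate shape before the value reaches anything important
//    (a database update, a private record). Here: short alphanumeric names.
if (preg_match('/^[a-z0-9_]{1,32}$/i', $user) && $pass !== '') {
    $authorized = check_login($user, $pass);
}

if ($authorized) {
    echo "private records\n";
} else {
    echo "login form\n";
}

// Stand-in for the real credential check (assumed; not on the page).
function check_login($user, $pass)
{
    return $user === 'demo' && $pass === 'demo-password';
}
```

The same initialise-then-validate discipline is what makes the register_globals setting irrelevant: the script behaves identically whether the ini option is on or off.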

