PHP & URL Injection attacks…

I see what the problem was. In PHP you can just collect variables' values from the URL without having to use `$_GET`. On its own that may not seem much of a problem, but it does allow a degree of carefree programming to take place.

As a quick fix I have a) changed things so that we are actively collecting information from the URL properly and then b) testing it to see if the values it contains are those we are expecting.
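The two-step fix described above, as an added example that is not the post's own code. The PHP behaviour the post refers to is the `register_globals` setting, which silently turns query-string parameters into PHP variables; the page name, parameter names and allowed values below are assumptions made for illustration.

```php
<?php
// Added example. Assumes a page that selects an article by a numeric "id"
// and a sort order taken from the query string.

// BEFORE: the style the post describes. With register_globals on, $id and
// $sort are populated from the URL (or cookies, or POST) without the code
// ever saying so, and are used without any check of their contents.
function render_article_unsafe(): string
{
    global $id, $sort;              // filled in by register_globals
    return "article $id ordered by $sort";
}

// AFTER: (a) read explicitly from $_GET, (b) test the value against what we
// expect before using it. Anything unexpected gets a safe default or a refusal.
function get_expected_int(string $key, int $min, int $max): ?int
{
    if (!isset($_GET[$key])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "1abc", "1.5", "" and out-of-range values.
    $value = filter_var($_GET[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return ($value === false) ? null : $value;
}

function get_expected_choice(string $key, array $allowed, string $default): string
{
    // Allow-list: the value must be one of the strings we wrote ourselves.
    if (isset($_GET[$key]) && in_array($_GET[$key], $allowed, true)) {
        return $_GET[$key];
    }
    return $default;
}

function render_article_checked(): string
{
    $id = get_expected_int('id', 1, 999999);
    if ($id === null) {
        http_response_code(400);    // refuse rather than guess
        return 'bad request';
    }
    $sort = get_expected_choice('sort', ['newest', 'oldest'], 'newest');
    return "article $id ordered by $sort";
}

echo render_article_checked();
```

The checked version fails closed: a missing or malformed `id` returns a 400 instead of rendering whatever arrived in the URL, and `sort` can only ever be one of two strings chosen in the code.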

I've been using http://www.w3schools.com/php/default.asp as a most concise intro to PHP, as well as diving into the useful articles at http://www.tizag.com/phpT/index.php and also checking out solutions and commentary at http://www.phpbuilder.com/board/showthread.php?t=10330350 and http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html

I can see how people could get fascinated by security, but I hate locking my car and my home because I resent the baddies dictating my life for me. Similarly, security is such a complete waste of human effort, however vital it is of course. Hey ho. It's the way of the world.

Anyhow I think we’ve locked out the troublemakers for the time being.
