right...

but here again, you're talking about the server app, getting the query, and 
validating the information within the query. since i assume the '%x' chars 
traslate into something other than straight text, i assume that the html 
function you mention strips out these chars, or it returns a true/false if the 
data is valid. is this in essence what you're talking about?

-bruce




-----Original Message-----
From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 5:09 PM
To: 'PHP Mailing Lists'
Subject: Re: [PHP] security/sql issues with php


bruce wrote:
> thanks for the replies... i think i understand what you're stating..
> but i'm still confused as to why my app/server would allow a GET/POST
> piece of data that would/should be originating from a form on my site
> to come from a 3rd party/external site/app? i would have assumed that
> there are relatively easy/straight-forward methods to resolve this.

If you're using GET, then the URL in the user's address bar would look 
like this:

http://www.example.com/myscript.php?myvar1=some&myvar2=value

It's painfully easy for even the most novice of users to edit the values 
to say, for example:

http://www.example.com/myscript.php?myvar1=%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert%28%27hello%27%29%3C%2Fscript%3E&myvar2=value

Which, if you outputted $_GET['myvar1'] without htmlspecialchars() 
escaping, would happily execute a JS script on your page. That's a 
rather benign example (simply pops up a "hello" box), but it wouldn't be 
difficult to do something worse.

Anyone else could link to your page with that URL and have the script 
executed on your page. You can't stop this, so you have to escape and 
validate the data coming in.

POST is a little more difficult but it is still really easy for a 
slightly more clued-up user to edit the data, or another website to POST 
data from their form to your script.

-- 
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to