
Security issues in extract() in PHP coding?


hairulakli


If I use code as follows, is this a safe way to take the value of the form?

<html>
<head></head>
<body>
<form method='post'>
<input type='text' name='name' value='akli'>
<input type='submit' name ='view' value='view'>
</form>
</body>
</html>

<?php
// extract() turns every key in $_POST into a variable in the current scope:
// $name and $view from the form, plus any other parameter the request carries.
extract($_POST);

// $view only exists after the form has been submitted
if ($view)
    echo $name;
?>

please help me :)

 


No, that is the worst way to take values from a form. You are forgetting a ton of things that make your code safer. You're basically just looking for the easiest possible way without doing a lot of work.

 

What if someone left a field empty and submitted everything else? $_POST will most likely return true since the method is "post". If someone submits the form, that will still return true.

 

This is why you should validate user inputs.


Check if the form was submitted, if not then do nothing. If the form is submitted, validate to see if each field was inputted. If any field is empty, print or echo out an error or warning. If every field was inputted and it is what you are expecting, then echo out what the user has typed in.


Bollocks.

 

Validation is not a security measure, and most of the time it's entirely useless. It's one of those myths which people keep repeating without ever thinking about it.

 

So that's not your problem. The problem is that you allow the user to inject arbitrary variables into your application: extract() by default takes all input parameters and converts them to PHP variables. Existing variables are silently overwritten.

 

It's easy to see what an incredibly stupid and dangerous “feature” that is. The user can change any variable and manipulate the entire control flow of the script. For example, let's say you have an $is_admin variable which is set to false. Well, the user will simply change that to true and declare himself admin. Not good.

 

So do not use extract()!

 

Actually, I wonder why you can't just use $_POST directly like everybody else. What's wrong with $_POST['some_parameter']? Too long? C'mon, do you really want to screw up your entire application only to save 9 characters?

 

Just when we thought that the “register globals” nightmare is finally over, it's coming through the backdoor. :(

Edited by Jacques1
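The variable-injection problem described above, worked through as an added example that is not code from the original thread: the first function mirrors the original post's extract($_POST) pattern with a local $is_admin flag, the second reads only the keys the form is expected to send. The $tampered array is a constructed stand-in for $_POST so the script runs from the command line; the is_admin key is the extra parameter a client could add that the HTML form itself never sends.

```php
<?php
// Added example, not from the original post: extract() vs. explicit $_POST access.
// $_POST is replaced by a constructed array so this runs from the CLI.

declare(strict_types=1);

// Mirrors the original post: extract() runs in this function's scope, so a request
// parameter named is_admin silently replaces the server-side $is_admin below.
function render_with_extract(array $post): string
{
    $is_admin = false;           // server-side decision ...
    extract($post);              // ... overwritten if the request carries is_admin

    if (!isset($view)) {         // form not submitted
        return '';
    }

    $out = 'name: ' . ($name ?? '') . "\n";
    if ($is_admin) {
        $out .= "admin panel\n"; // reachable by any client that adds is_admin=1
    }
    return $out;
}

// The alternative the thread recommends: name the keys you expect, check that
// they are present, and escape on output. Nothing the client sends can create
// or overwrite a variable in this scope.
function render_explicit(array $post): string
{
    $is_admin = false;           // untouched by request data

    if (!isset($post['view'])) { // form not submitted
        return '';
    }

    $name = (isset($post['name']) && is_string($post['name'])) ? $post['name'] : '';
    $out = 'name: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
    if ($is_admin) {
        $out .= "admin panel\n"; // never reached for this constructed request
    }
    return $out;
}

// Constructed request: the form's two fields plus a parameter the form never sends.
$tampered = ['name' => 'akli', 'view' => 'view', 'is_admin' => '1'];

echo "extract():\n" . render_with_extract($tampered);
echo "explicit:\n"  . render_explicit($tampered);
```

Run with `php example.php`: the extract() version prints the admin line for the tampered request, the explicit version does not. The same applies to any local variable in the scope where extract() is called, which is why checking that each expected field "was inputted" does nothing against the extra, unexpected keys.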

So that's not your problem.

 

So is Captcha. You argue about security and then back down on it when people are looking for IP banning. So you're telling me that if requinix bans both me and you, you're still able to login to your account with a different IP?

 

You're telling everyone to listen to you when you talk about security, but then you encourage people to look away when it comes to validating and IP Banning. It's the same exact thing. Don't even lie about it because you are BSing it to make yourself look smarter. Which in fact, you make yourself look like a choking fool. If you preach about security so much. Then preach about protecting user inputs instead of turning your head the other way when it comes to security.

 

I used to look up to you, but you are such a failure since the past few years. I've seen how you talk with people and that is the same exact way people think you're an a-hole.

 

You're too damn lazy to ban IPs so you blatantly put the burden on your users to use Captchas? Oh my god. You preach so much about security yet you say NO don't use it because "it's only secure if Jacques1 gives it to you".

 

I'm done here. I'm tired of seeing your two-faced personality showing up and making yourself look like a fool when other people want to use security.

 

Good luck destroying this community as you did with devshed. Wait. The last time you were on devshed, people left. Now since you came on here, people came back to devshed and now people are leaving this forum.


Keep your whiny ad-hominem bullshit. I'm here for the code.

 

You just told a user that variable injection is perfectly fine if only they add some “validation” (whatever that means). This is dangerous nonsense, and I'm not gonna keep quiet about it. The goal of this community is to help people. Of course this doesn't always work out, and sometimes we make mistakes ourselves. But what's definitely not acceptable is to harm people by telling them to blow up their server. This is not w3schools.

 

If you're looking for a warm, fuzzy place where nobody ever disagrees with you, you won't find that here or in any other serious IT community. Go back to devshed.

Edited by Jacques1
