hairulakli Posted December 23, 2014

If I use code as follows, is this a safe way to take the value of the form?

    <html>
    <head></head>
    <body>
    <form method='post'>
    <input type='text' name='name' value='akli'>
    <input type='submit' name='view' value='view'>
    </form>
    </body>
    </html>
    <?php
    extract($_POST);
    if ($view) echo $name;
    ?>

Please help me.

https://forums.phpfreaks.com/topic/293262-security-issues-in-the-extract-in-php-coding/
LeJack Posted December 23, 2014

No, that is the worst way to take values from a form. You are forgetting a ton of things that make your code safer. You're basically just looking for the best possible way without doing a lot of stuff. What if someone left a field empty and submitted everything else? $_POST will most likely return true since the method is "post". If someone submits the form, that will still return true. This is why you should validate user inputs.
hairulakli Posted December 23, 2014 (Author)

Oohh.. thanks LeJack, the answer is very helpful. Can you provide the basis of the best ways to take the value of the form?
LeJack Posted December 23, 2014

Check if the form was submitted, if not then do nothing. If the form is submitted, validate to see if each field was inputted. If any field is empty, print or echo out an error or warning. If every field was inputted and it is what you are expecting, then echo out what the user has typed in.
hairulakli Posted December 23, 2014 (Author)

OK, thanks LeJack.
Jacques1 Posted December 23, 2014

Bollocks. Validation is not a security measure, and most of the time it's entirely useless. It's one of those myths which people keep repeating without ever thinking about it. So that's not your problem.

The problem is that you allow the user to inject arbitrary variables into your application: extract() by default takes all input parameters and converts them to PHP variables. Existing variables are silently overwritten. It's easy to see what an incredibly stupid and dangerous “feature” that is. The user can change any variable and manipulate the entire control flow of the script. For example, let's say you have an $is_admin variable which is set to false. Well, the user will simply change that to true and declare himself admin. Not good.

So do not use extract()! Actually, I wonder why you can't just use $_POST directly like everybody else. What's wrong with $_POST['some_parameter']? Too long? C'mon, do you really want to screw up your entire application only to save 9 characters?

Just when we thought that the “register globals” nightmare is finally over, it's coming through the backdoor.
requinix Posted December 23, 2014

Too bad that feature of overwriting variables can't be turned off, huh? Oh wait. It can be. Regardless, still don't use it since $_POST['some_parameter'] is such a trivial alternative.
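The variable-injection problem Jacques1 describes, and the overwrite flag requinix alludes to, side by side as an added example (not code from the thread or from any of its posters). The functions wrap the original post's logic so it can be run from the CLI with a constructed request array instead of a live $_POST; the `is_admin` parameter, the field names and the output escaping are assumptions for illustration, and the `htmlspecialchars()` call in the last variant goes beyond what the thread discusses:

```php
<?php
// Added example: why extract($_POST) is variable injection, what EXTR_SKIP
// does and does not fix, and the plain $_POST['name'] alternative.
// Run with: php extract_demo.php (no web server needed; input is constructed).

declare(strict_types=1);

// The pattern from the original post. extract() defaults to EXTR_OVERWRITE:
// every request key becomes a local variable, clobbering anything already set.
function withExtract(array $post): string
{
    $is_admin = false;          // application state decided before input is read
    extract($post);             // assumption: the client may send 'is_admin' too
    // From here on $view, $name and $is_admin are all client-controlled.
    if (!empty($view)) {
        return ($is_admin ? '[admin] ' : '') . ($name ?? '');
    }
    return '';
}

// requinix's point: EXTR_SKIP leaves already-defined variables alone, so
// $is_admin survives. Any name the script has NOT defined yet (here $view and
// $name, but also anything used later) is still injected, so this only narrows
// the hole rather than closing it.
function withExtractSkip(array $post): string
{
    $is_admin = false;
    extract($post, EXTR_SKIP);
    if (!empty($view)) {
        return ($is_admin ? '[admin] ' : '') . ($name ?? '');
    }
    return '';
}

// Jacques1's recommendation: read the parameters you expect by name. Nothing
// the client sends can become a variable unless the code assigns it.
// Escaping the echoed value for HTML is an additional caveat, not from the thread.
function withDirectAccess(array $post): string
{
    $is_admin = false;
    $view = $post['view'] ?? null;
    $name = $post['name'] ?? '';
    if ($view !== null) {
        return ($is_admin ? '[admin] ' : '')
            . htmlspecialchars((string) $name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return '';
}

// Constructed request: the form only has 'name' and 'view', but a client can
// add any field it likes to the POST body.
$crafted = ['name' => 'akli', 'view' => 'view', 'is_admin' => '1'];

echo "extract():           ", withExtract($crafted), "\n";      // [admin] akli
echo "extract(EXTR_SKIP):  ", withExtractSkip($crafted), "\n";  // akli
echo "direct \$_POST:       ", withDirectAccess($crafted), "\n"; // akli
```

Only the first variant lets the client promote itself; the second blocks that particular overwrite but still creates whatever variables the request names, which is why both posters say to drop extract() altogether rather than tune its flags.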
LeJack Posted December 23, 2014

"So that's not your problem." So is Captcha. You argue about security and then back down on it when people are looking for IP banning. So you're telling me that if requinix bans both me and you, you're still able to log in to your account with a different IP? You're telling everyone to listen to you when you talk about security, but then you encourage people to look away when it comes to validating and IP banning. It's the same exact thing. Don't even lie about it because you are BSing it to make yourself look smarter. Which in fact, you make yourself look like a choking fool. If you preach about security so much, then preach about protecting user inputs instead of turning your head the other way when it comes to security. I used to look up to you, but you have been such a failure for the past few years. I've seen how you talk with people and that is the same exact way people think you're an a-hole. You're too damn lazy to ban IPs so you blatantly put the burden on your users to use Captchas? Oh my god. You preach so much about security yet you say NO don't use it because "it's only secure if Jacques1 gives it to you". I'm done here. I'm tired of seeing your two-faced personality showing up and making yourself look like a fool when other people want to use security. Good luck destroying this community as you did with devshed. Wait. The last time you were on devshed, people left. Now since you came on here, people came back to devshed and now people are leaving this forum.
Jacques1 Posted December 23, 2014

Keep your whiny ad-hominem bullshit. I'm here for the code. You just told a user that variable injection is perfectly fine if only they add some “validation” (whatever that means). This is dangerous nonsense, and I'm not gonna keep quiet about it. The goal of this community is to help people. Of course this doesn't always work out, and sometimes we make mistakes ourselves. But what's definitely not acceptable is to harm people by telling them to blow up their server. This is not w3schools. If you're looking for a warm, fuzzy place where nobody ever disagrees with you, you won't find that here or in any other serious IT community. Go back to devshed.