kratsg Posted October 16, 2007 http://www.parosproxy.org/index.shtml Check this out. It allows you to take the POST command, modify it, and send it on its way, so to speak. How in the world can I stop it so that it's not so.. insecure? Mostly, I have an AJAX chatroom application that uses the post method to connect with the php files, and this program allows you to change the username or w/e. Thread: https://forums.phpfreaks.com/topic/73401-security-issues-with-post-get-in-php-how-to-resolve/
sKunKbad Posted October 16, 2007 You need to validate all POST or GET variables as they come into your php programs. You can do this with regular expressions. Modifications to the variables aren't exclusive to the program you linked us to. It's easy to do it by hand.
kratsg (Author) Posted October 16, 2007 Well, you can't validate the username posted. A person could put in any username, and the system will accept it; there's no way to check it since you can't pass a session through AJAX.
kenrbnsn Posted October 16, 2007 Sessions work fine when PHP is invoked via AJAX. I use them all the time. Ken
kratsg (Author) Posted October 17, 2007 Wait, how can you get session variables to be passed through AJAX to the PHP file without echoing them into the URL variables? So you're saying, if I use AJAX to request something, and the PHP does $_SESSION['username'], it gets the person's username correctly? Even though it was the AJAX that activated the php script?
Branden Wagner Posted October 17, 2007 There is an excellent tutorial here on sessions; just follow that and it should help. But you could do something simple like:

session_start();
if (session_is_registered("YOUR_SESSION")) {
    $username = $_SESSION['username'];
} else {
    // REQUIRE LOGIN
}

Put that at the beginning of any script you want to use the session info on. As for the session initialization, use:

session_register("YOUR_SESSION");
corbin Posted October 17, 2007

<?php
// Use of session_register() is deprecated
$barney = "A big purple dinosaur.";
session_register("barney");

// Use of $_SESSION is preferred, as of PHP 4.1.0
$_SESSION["zim"] = "An invader from another planet.";

// The old way was to use $HTTP_SESSION_VARS
$HTTP_SESSION_VARS["spongebob"] = "He's got square pants.";
?>

Off of the php site x.x I would do one of two things:

1. If your users are logged in and they will presumably have an active session during the chat thing, just use sessions.... Ex:

<?php
session_start();
if (!isset($_SESSION['username'])) exit;

2. If users are not logged in, generate a random string, assign it to a session variable, and pass it through the AJAX call.... The page the AJAX sends to:

<?php
session_start();
if (empty($_SESSION['key']) || !isset($_GET['key']) || $_SESSION['key'] !== $_GET['key']) exit;
// yeah a little long winded, but I like to code with warnings on, so I try to avoid things that could generate warnings ;p (checking the value of an uninitialized GET var)
?>

Then the page with the ajax would have something like:

<?php
session_start();
$key = md5(rand(1, 1000) . rand(1, 1000));
$_SESSION['key'] = $key; // store it so the receiving script can compare
echo '<script language="javascript">key = "' . $key . '";</script>';
?>

Then your AJAX call would add on &key='+key
kratsg (Author) Posted October 17, 2007 That's what I'm already doing. Any way to pass it to the PHP script without echoing it in javascript? Like the AJAX page contains $_SESSION['username'] = "something", then the page AJAX calls can simply use $username = $_SESSION['username'], or no?
corbin Posted October 17, 2007 Making a request is almost like going to a page in your web browser.... As long as the session cookie isn't restricted (and it shouldn't ever be if it's the same domain), then a PHP script should be able to access the session values ;p.
kratsg (Author) Posted October 17, 2007 Even though it's not the user that's making the request, but rather the javascript? Wow, that's interesting... So I can set a session in the php file (like the last message id) so that when it recalls the php file, I can re-read this session and echo out messages, etc.? Cool :-D (if that's what corbin means)
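Putting the thread's advice together, as an added example that is not code from any post here: a PHP endpoint that takes the username from $_SESSION (the browser sends the session cookie with a same-origin AJAX request, so the server never needs the client to post it) and checks corbin's per-session key with hash_equals. It assumes a login script has already set $_SESSION['username'] and $_SESSION['key'] (generated with bin2hex(random_bytes(16)) rather than md5(rand())) and that the chat page posts that key as the 'key' field.

```php
<?php
// Added example, not code from the thread: the endpoint an AJAX chat page
// posts a message to. The username is never read from the request; it comes
// from $_SESSION, which PHP fills from the session cookie the browser sends
// with same-origin XMLHttpRequests. Assumed: the login script already set
// $_SESSION['username'] and $_SESSION['key'] = bin2hex(random_bytes(16))
// (corbin's per-session key), and the chat page posts that key as 'key'.
session_start();
header('Content-Type: application/json');

function fail(int $status, string $msg): void
{
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Logged in? Without a session-bound user there is nothing to trust.
if (empty($_SESSION['username'])) {
    fail(401, 'login required');
}

// 2. Per-session key, checked with hash_equals: constant time, and no loose
//    == comparison that treats two "0e..." strings as equal.
$key = $_POST['key'] ?? '';
if (!is_string($key) || empty($_SESSION['key'])
        || !hash_equals($_SESSION['key'], $key)) {
    fail(403, 'bad request key');
}

// 3. Identity comes from the session only; any $_POST['username'] a client
//    edited in (with Paros or by hand) is simply ignored.
$username = $_SESSION['username'];

// 4. The message is the one field the client legitimately controls; validate
//    it here, not only in the page's JavaScript.
$message = $_POST['message'] ?? '';
if (!is_string($message) || trim($message) === '' || strlen($message) > 500
        || !mb_check_encoding($message, 'UTF-8')) {
    fail(400, 'invalid message');
}

// 5. Store via a prepared statement (in-memory SQLite so this runs stand-alone;
//    swap in the real DSN). Escape with htmlspecialchars() when echoing back.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE IF NOT EXISTS chat (id INTEGER PRIMARY KEY, user TEXT, msg TEXT)');
$stmt = $pdo->prepare('INSERT INTO chat (user, msg) VALUES (?, ?)');
$stmt->execute([$username, $message]);
echo json_encode(['ok' => true, 'id' => (int) $pdo->lastInsertId()]);
```

The same pattern answers kratsg's last question: any state the endpoint needs across polls (such as the last message id) can be written to $_SESSION on one request and read back on the next, because every AJAX call from that browser carries the same session cookie.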