
Security issues with POST & GET in php (how to resolve?)


kratsg


http://www.parosproxy.org/index.shtml

 

Check this out. It allows you to take the POST command, modify it, and send it on its way, so to speak. How in the world can I stop it so that it's not so.. insecure?

 

Mostly, I have an AJAX chatroom application that uses the post method to connect with the php files, and this program allows you to change the username or w/e.

You need to validate all POST or GET variables as they come into your php programs. You can do this with regular expressions. Modification of the variables isn't exclusive to the program you linked us to. It's easy to do it by hand.

Wait, how can you get session variables to be passed through AJAX to the PHP file without echoing it into the url variables?

 

So you're saying, if I use AJAX to request something, and the PHP goes $_SESSION['username'], it gets the person's username correctly? Even though it was the AJAX that activated the php script?

there is an excellent tutorial here on sessions, just follow that and it should help

but you could do something simple like

     session_start();
     if (session_is_registered("YOUR_SESSION")) {
           $username = $_SESSION['username'];
     } else {
           // REQUIRE LOGIN
     }

 

put that at the beginning of any script you want to use the session info on.

 

 

as for the session initialization

use...

 

session_register("YOUR_SESSION");

<?php
// Use of session_register() is deprecated
$barney = "A big purple dinosaur.";
session_register("barney");

// Use of $_SESSION is preferred, as of PHP 4.1.0
$_SESSION["zim"] = "An invader from another planet.";

// The old way was to use $HTTP_SESSION_VARS
$HTTP_SESSION_VARS["spongebob"] = "He's got square pants.";
?>

 

Off of the php site x.x

 

I would do one of two things:

 

1.  If your users are logged in and they will presumably have an active session during the chat thing, just use sessions....

 

Ex:

 

<?php
session_start();
if(!isset($_SESSION['username'])) exit;

 

2.  If users are not logged in, generate a random string, assign it to a session variable, and pass it through the AJAX call....

 

 

the page the AJAX sends to:

<?php
session_start();
// Strict comparison (!==) so two different numeric-looking strings can never compare as equal
if(empty($_SESSION['key']) || !isset($_GET['key']) || $_SESSION['key'] !== $_GET['key']) exit;
//yeah a little long winded, but I like to code with warnings on, so I try to avoid things that could generate warnings ;p (checking the value of an uninitialized GET var)
?>

 

Then the page with the ajax would have something like:

 

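<?php
session_start();
// Key from the CSPRNG (PHP 7+); rand(1, 1000) twice gives only a million possible keys
$key = bin2hex(random_bytes(16));
// Store it in the session so the page the AJAX sends to can compare against it
$_SESSION['key'] = $key;
echo '<script language="javascript">key = "'.$key.'";</script>';
?>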

 

Then your AJAX call would add on &key='+key
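
An added example, not part of the original thread, that pulls the advice above into one AJAX endpoint: the username is read from the session and never from the request, the key is compared against the session copy, and the message is validated before use. The function names, the `message` field and the 500-character limit are assumptions, and plain arrays stand in for `$_SESSION` and `$_POST` so it runs from the command line (PHP 7+).

```php
<?php
// Added example with hypothetical names; arrays stand in for $_SESSION and $_POST.

// Called by the page that hosts the chat: create and remember a per-session key.
function issue_key(array &$session): string {
    $session['key'] = bin2hex(random_bytes(16)); // 32 hex chars from the CSPRNG
    return $session['key'];
}

// Called by the page the AJAX sends to: decide what to do with one request.
function handle_chat_post(array $session, array $post): array {
    // 1. Identity comes from server-side session state only.
    if (empty($session['username'])) {
        return ['ok' => false, 'error' => 'login required'];
    }
    // 2. The key in the request must match the one stored in the session.
    $sent = $post['key'] ?? '';
    if (!is_string($sent) || empty($session['key'])
        || !hash_equals($session['key'], $sent)) {
        return ['ok' => false, 'error' => 'bad key'];
    }
    // 3. Validate the message: a string of 1-500 characters, valid UTF-8,
    //    no control characters (preg_match returns false on invalid UTF-8).
    $msg = $post['message'] ?? '';
    if (!is_string($msg) || !preg_match('/^[^\x00-\x1F\x7F]{1,500}$/u', $msg)) {
        return ['ok' => false, 'error' => 'invalid message'];
    }
    // Any 'username' field in the request is ignored; the message is
    // HTML-encoded before it is handed back for display.
    return [
        'ok'   => true,
        'from' => $session['username'],
        'html' => htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'),
    ];
}

// Constructed sample requests, as a proxy tool could rewrite them.
$session = ['username' => 'alice'];
$key     = issue_key($session);
$forged  = ['username' => 'admin', 'key' => $key, 'message' => 'hi <b>all</b>'];

var_dump(handle_chat_post($session, $forged));                               // changed username field
var_dump(handle_chat_post($session, ['key' => 'guess', 'message' => 'hi'])); // wrong key
var_dump(handle_chat_post([], $forged));                                     // no login session
```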

 

 

That's what I'm already doing. Any way to pass it to the PHP script without echoing it in javascript? Like

 

The AJAX page contains $_SESSION['username'] = "something" then the page AJAX calls can simply use $username = $_SESSION['username'] or no?

Even though it's not the user that's making the request, but rather the javascript? Wow, that's interesting... So I can set a session in the php file (like the last message id) so that when it recalls the php file, I can re-read this session and echo out messages and etc..? Cool :-D (if that's what corbin means)

Archived

This topic is now archived and is closed to further replies.
