Re: Abusing poor programming techniques in webserver scripts V 1.0
From: Michał Pasternak (doc@lublin.t1.pl)
Date: 07/30/01
Date: Mon, 30 Jul 2001 01:32:22 +0200
From: Michał Pasternak <doc@lublin.t1.pl>
To: memonix@roses-labs.com
Subject: Re: Abusing poor programming techniques in webserver scripts V 1.0
Message-ID: <20010730013222.A51721@lublin.t1.pl>
There are also other poor-coding techniques I recently thought about:
- choosing/entering an SQL field name in a form, like:
<select name=field>
<option value=title>title
<option value=author>author
</select>
and then:
query("select * from table where $field LIKE '%text%'");
can be easily exploited. Instead, use:
<select name=field>
<option value=0>title
<option value=1>author
</select>
and then:
switch ($field) {
case 0:
default:
$sql_field = "title";
break;
case 1:
$sql_field = "author";
break;
}
query("select * from table where $sql_field LIKE '%text%'");
- when you want to include a file given as a CGI/PHP script parameter, it's
best to *remove* all dots ('.') and the first '/' sign. Well, you could also
add a backslash in front of the dots.
Replacing '..' with '.' using str_replace is bad ('....' => '..')
Any other ideas?
--
[ Michal Pasternak doc@lublin.t1.pl +48606570000 ]
[ online shops, databases, custom software ]
[ . .. ..- .- . .. http://lublin.t1.pl . .-. .--.. . . .- ]
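The two points in the message above, shown together as an added example that is not part of the original post: a search whose column name comes straight from the form value, the same search behind an allow-list mapping (the switch statement in dictionary form), and a check of why replacing '..' with '.' does not stop directory traversal. The books table with its hidden secret column, the PROBE string, the FIELDS mapping and the /var/www/includes base directory are all constructed for this demonstration; the realpath-based check is one common hardening, not something the post proposes.

```python
import os
import sqlite3


def make_db():
    """Constructed sample data: a table with a column the search form is
    not supposed to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE books (id INTEGER, title TEXT, author TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO books VALUES (?, ?, ?, ?)",
        [(1, "Practical PHP", "Alice", "s3cr3t-1"),
         (2, "SQL for Web Apps", "Bob", "s3cr3t-2")],
    )
    return conn


def search_vulnerable(conn, field, text):
    """The pattern the post warns about: the column name is taken straight
    from the <select> value, so the client controls SQL syntax, not just data.
    The search text itself is bound as a parameter, which does not help here."""
    sql = "SELECT id, title, author FROM books WHERE " + field + " LIKE ?"
    return conn.execute(sql, ("%" + text + "%",)).fetchall()


# Allow-list from form value to column name (assumed mapping, mirroring the
# post's switch); anything unknown falls back to "title" like its default case.
FIELDS = {"0": "title", "1": "author"}


def search_allowlisted(conn, field, text):
    """Only a column name from FIELDS ever reaches the query string."""
    column = FIELDS.get(field, "title")
    sql = "SELECT id, title, author FROM books WHERE " + column + " LIKE ?"
    return conn.execute(sql, ("%" + text + "%",)).fetchall()


# A constructed field value an attacker could submit instead of "title".
# With the vulnerable search it becomes
#   WHERE secret LIKE 's3cr3t-1%' AND author LIKE '%%'
# so whether any row comes back answers a yes/no question about the hidden
# column, one prefix at a time.
PROBE = "secret LIKE 's3cr3t-1%' AND author"


def strip_dots_bad(path):
    """The str_replace('..', '.') idea the post rejects: one pass only."""
    return path.replace("..", ".")


def naive_path_escapes(base_dir, user_path):
    """True when base_dir joined with user_path leaves base_dir once the
    path is normalised, i.e. what the filesystem would actually open."""
    full = os.path.normpath(os.path.join(base_dir, user_path))
    return os.path.commonpath([base_dir, full]) != base_dir


def safe_include_path(base_dir, user_path):
    """Resolve the requested file under base_dir and refuse it if the
    resolved path lies outside base_dir. Returns None on rejection.
    An absolute user_path replaces base_dir in os.path.join and is
    therefore rejected as well."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    db = make_db()
    # Oracle works: only the row whose secret starts with s3cr3t-1 comes back.
    print(search_vulnerable(db, PROBE, ""))
    # Allow-listed: PROBE is not a known key, so it is just a search on title.
    print(search_allowlisted(db, PROBE, ""))
    base = "/var/www/includes"
    # "...." is an ordinary directory name and stays inside base ...
    print(naive_path_escapes(base, "....//....//etc/passwd"))
    # ... until the single-pass replacement turns it into "..//..//etc/passwd".
    print(naive_path_escapes(base, strip_dots_bad("....//....//etc/passwd")))
    print(safe_include_path(base, "../../etc/passwd"))
    print(safe_include_path(base, "header.inc"))
```

The probe string is the point of the first half: with the column name under attacker control, a parameterised search text does nothing, and each request answers one yes/no question about a column the form never offered. The second half shows the '....' case from the post concretely: the unmodified path is harmless, and it is the replacement itself that manufactures the traversal.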