php3-list | 199908

Re: [PHP3] Security Questions (long post)
From: Richard Lynch (rlynch <email protected>)
Date: 08/30/99

Well... It looks like it will "work" but spoofing that stuff is allegedly
not that hard.

I dunno how to do it, but I imagine it's not too terribly tricky.

HTTP is mostly just a question of spitting the right text at the right port.

You've raised the bar, but not as high as you could using, say, PHPLIB.

You may wish to read PHPLIB source code for ideas...

At 10:14 PM 8/30/99 +0200, you wrote:
>I have posted this quite a few months ago, and received some valuable
>replies. Sorry for the repost, but I just wanted to hear any final opinions
>on this before I finish my work.
>
>First, let me mention, I cannot use an apache or unix security features, as
>my project (diploma thesis) must run under windows and linux (which works
>perfectly) and using any web server (works theoretically).
>
>I have two scripts, let's call them page1.php3 and script1.php3. Page1.php3
>just displays a normal HTML Page by getting a few things from a database. On
>this page, Page1.php3 there is a form, which calls the page (Page1.php3)
>itself when the user clicks on the submit button. Now I need to execute some
>code when this is done, and _only_ when the user clicks on the submit
>button. So I am doing something like this:
>
>Page1.php3
>
>[... unimportant stuff ...]
>
>$securityvar = 9331;
>if ((isset($HTTP_POST_VARS)) and
> (GetCleanURL($HTTP_REFERER) ==
>"http://$SERVER_NAME:$SERVER_PORT$REQUEST_URI")) {
>
> include("scripts/handle_newuser1.php3");
>}
>
>[ ... unimportant stuff ... ]
>
><HTML>
>...
><FORM ACTION="page1.php3">
>...
></FORM>
></HTML>
>
>Script1.php3 looks like this:
>
>if ((!isset($HTTP_POST_VARS)) or
> (GetCleanURL($HTTP_REFERER) !=
>"http://$SERVER_NAME:$SERVER_PORT$REQUEST_URI") or
> (!is_int($securityvar)) or
> (basename($REQUEST_URI) != "newuser1.php3")) {
>
> Header("Location: shared/error/403.php3");
> Exit;
>}
>
>[ ... unimportant stuff ... ]
>
>Note: GetCleanURL just rips off eventual ?key=value pairs.
>
>My questions now:
>
>- Is this safe ? : Script1.php3 must only be executed if it is called from
>page1.php3 not from any other page, not even on the same server and not from
>any other server.
>
>- Is there any way to "cheat" this code ?
>
>- Any better ideas (and I am sure there are some).
>
>Please remember, this is a diploma thesis, so I have to do some of this
>"unusual" stuff, as a diploma thesis is an academic project and [ bla bla
>bla ] :) I know it would be much easier if I could use apache security
>features, but I can't.
>
>I am grateful for any hints/suggestions/comments/flames.
>
>Thanx
>
>/CFe
>
>
>--
>PHP 3 Mailing List <http://www.php.net/>
>To unsubscribe, send an empty message to php3-unsubscribe <email protected>
>To subscribe to the digest, e-mail: php3-digest-subscribe <email protected>
>To search the mailing list archive, go to: http://www.php.net/mailsearch.php3
>To contact the list administrators, e-mail: php-list-admin <email protected>
>

-- 
"TANSTAAFL"  Websites I have built:
CHaTMusic.com      EmphasisEntertainment.com     L-I-E.com
JadeMaze.com       CatCatalani.com               MGMH.com
AstraKelly.com     OlivierLedoux.com

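As an added example, not code from Richard's reply or from the original post: the page1.php3 gate rewritten in modern PHP (7+) around a session-bound form token instead of the Referer header, which is the kind of server-side state PHPLIB's session layer gave PHP 3 users at the time. The weak Referer comparison is kept alongside for contrast; the file and field names are assumed.

```php
<?php
// Added example, not from the thread. Modern PHP (7+): $_SESSION did not
// exist in PHP 3. Field and file names below are assumptions.
session_start();

// The check under discussion: the Referer header is supplied by the client,
// so equality with our own URL says nothing about who actually sent it.
function referer_matches_self(): bool
{
    $self = 'http://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT']
          . strtok($_SERVER['REQUEST_URI'], '?');   // strip ?key=value pairs
    return isset($_SERVER['HTTP_REFERER'])
        && strtok($_SERVER['HTTP_REFERER'], '?') === $self;
}

// Stronger gate: a random token minted when page1 renders its form, kept only
// in the server-side session, and required back in the POST body. A request
// that did not originate from this form cannot know the token.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

function submission_is_valid(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;                       // only a real form submit counts
    }
    $expected = $_SESSION['form_token'] ?? '';
    $given    = $_POST['form_token'] ?? '';
    unset($_SESSION['form_token']);         // single use, so no replay
    // hash_equals() keeps the comparison constant-time.
    return $expected !== '' && hash_equals($expected, $given);
}

if (submission_is_valid()) {
    include 'scripts/handle_newuser1.php3'; // handler path from the post
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    http_response_code(403);                // reject a POST without the token
    exit;
}

// Render the form with a fresh token for the next submission.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
?>
<form action="page1.php3" method="post">
  <input type="hidden" name="form_token" value="<?= $token ?>">
  ...
</form>
```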