Weblog » Archive » 2005 » September » Day 30

PHP register_globals - 6:26 pm
Coding, PHP, Security

There are numerous ways your code can become insecure when the PHP register_globals directive is set to ON.

Below are a few examples:

Insecure Example 1
<?php
// With register_globals = On
$_SESSION['test'] = "original";
$test = "modified";
echo $_SESSION['test'];

// this will output "modified" instead of "original"
?>


Insecure Example 2
<?php
// With register_globals = On
$_SESSION['test'] = $something;
echo $_SESSION['test'];

// Request the file in a browser with a query string appended:
// test.php?something=modified
// The string "modified" will be output
?>

PHP Single Quote vs Double Quote - 7:24 pm
Coding, PHP

What's the difference between a ' (single quote) and a " (double quote) in PHP programming? They act much the same. However, for double quotes, PHP checks the contents for variables to interpolate and for escape sequences like the \n newline. This makes your scripts SLOWER. It doesn't really matter if you're writing a small script, but using single quotes will help PHP parse faster in a larger script.

Consider the following:
$name = 'Darren'; // This one's better
$name = "Darren";


That doesn't mean that double quotes are useless. They help readability in some situations:
echo '<a href="' . $url . '">' . $text . '</a>';
echo "<a href=\"$url\">$text</a>";
// You cannot do a \n with single quote
echo "\nThis is a new line\n";


Using ' or " ? You should know which to use next time.

PHP urldecode() - 8:20 pm
Coding, PHP, Security

Don't use urldecode() on a $_GET variable!

Say you have a script:
script.php
<?php
// Don't do this !
$value = urldecode($_GET['something']);
?>


Exploit:
An attacker can make a query to that script script.php?something=%2527 [...]

The fact...

PHP has already URL-decoded the query string once by the time it fills $_GET, so the script "receives" %2527 as %27. Your urldecode() then converts that to ' (the single quote). This may be CATASTROPHIC when the value is injected into SQL or passed to PHP functions that rely on escaped quotes -- magic quotes rightly cannot detect this and will not protect you!

E.g., this exploit affects phpBB < 2.0.11


Solution:
Just an example of how you can make that more secure:
<?php
$query = htmlspecialchars($_GET['query']);
$query = str_replace('%2522', '', $query);
$query = str_replace('%27', '', $query);
$query = str_replace('%2527', '', $query);
?>

<?php
// good
str_replace('&amp;', '&', htmlspecialchars($_GET['redirect']));
// bad
htmlspecialchars(urldecode($_GET['redirect']));
?>
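
The double decode described above, as an added example that is not part of the original post. It assumes PHP 7+ with the pdo_sqlite extension; addslashes() stands in for magic quotes, and the helper names, table and column are made up for illustration.

```php
<?php
// Added example, not the post's code. The query string is the one from the post.
$rawQuery = 'something=%2527';

// parse_str() URL-decodes values the same way PHP does when it fills $_GET,
// so one decode has already happened before the script sees the value.
parse_str($rawQuery, $get);
$once = $get['something'];

// addslashes() stands in for magic_quotes_gpc (removed in PHP 5.4).
// The value holds no quote character yet, so nothing gets escaped.
$escaped = addslashes($once);

// The mistake from the post: a second decode AFTER escaping, which turns
// the remaining percent sequence into a bare, unescaped single quote.
$twice = urldecode($escaped);

// Hypothetical helper: flags values that another decode pass would change,
// a useful signal to log. rawurldecode() is used so that a literal "+"
// in a legitimate value is not reported.
function looks_double_encoded(string $value): bool
{
    return rawurldecode($value) !== $value;
}

// Mitigation: take the value exactly as PHP decoded it and bind it as a
// parameter, so quoting never depends on escaping or on decode order.
function find_rows(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('darren')");

var_dump($once, $escaped, $twice);
var_dump(looks_double_encoded($once));
var_dump(looks_double_encoded("O'Reilly"));
var_dump(find_rows($db, $twice));
var_dump(find_rows($db, 'darren'));
```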

The New Blogging System - 11:59 pm
Site Issue, Site Updates

Originally, I wrote the BBCode Sandbox solely for testing and learning purposes. But now as I go along, it's pretty stable and I added more features to it. Then I started to combine it with the blogging system and the results are very attractive. Although I'm having regex parsing problems for certain complex BB tags, such as the [code] tag in some circumstances, it's not really a major impact. I've posted a few posts which contain the bbcode [code] tag, check below.

If nothing goes wrong, I'll terminate the BBCode Sandbox since it contains some functions like adding a new post which shouldn't really be there for the public. If I have time I'll modify and put it up so that it's purely a "sandbox".

Stay tuned...
Copyright © 2005-2011 Darren's Outpost