
BLU Discuss list archive



Secure Programming for Linux and Unix HOWTO



On Fri, May 21, 2004 at 07:38:54AM -0400, David Kramer wrote:
> On Friday 21 May 2004 7:33 am, Clint M. Sand wrote:
> > On Thu, May 13, 2004 at 09:47:34AM -0400, David Kramer wrote:
> > > I just found this HOWTO.  It's pretty good!
> > >
> > > http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/
> >
> > This is a great overall paper, but a lot of it is way outdated. PHP for
> > example has had registered_global turned off by default for some time.
> >
> 
> True.  I recently downloaded a Wiki implemented in PHP, because I'm starting 
> to learn to hate TWiki that I'm using now, and it expected all the globals to 
> be in place.  I probably could have tweaked it enough to work in about 2 
> hours, but... it's just wrong.  The change was made for a good reason.  
> Painful transition, but necessary.

Indeed. It's a pain to fix scripts to work in the more secure
environment, but of course it is worth it in the end. 

One thing I actually like about being forced to fix scripts in this way
is that it is a perfect opportunity to do some sanity checking. Here's
an example of translating the $foo syntax into $_POST syntax that also adds
input checking to it:

$err_msg = "";
$submit = "true";

if ($_POST['fname'] != "") {

        // Accept only letters, digits and whitespace, and cap the length
        // (compare against the integer 60, not the string "60").
        if (preg_match("/^[0-9a-zA-Z\s]+$/", $_POST['fname']) &&
            (strlen($_POST['fname']) < 60)) {
                $fname = $_POST['fname'];
        } else {
                $err_msg .= "First names can only include letters and numbers.\n<br>";
                $submit = "false";
        }
}

Another thing to note is that you can enable/disable stuff
like register_globals via .htaccess. So if you have a box
with register_globals disabled (as it should be) but you have complex
scripts that require it on, you can turn it on just for your stuff by
adding this to an .htaccess:

php_value register_globals 1

Then maybe you can slowly fix things, but at least the page is still
working.


> 
> ----------------------------------------------------------------------------
> DDDD   David Kramer         david at thekramers.net       http://thekramers.net
> DK KD  
> DKK D  You are so clueless that if we stripped you naked, soaked you in
> DK KD  clue musk, and dropped you into a field full of horny clues, You
> DDDD   still would not have a clue.                                      amq
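The per-field check shown in the reply above, generalized into a small whitelist validator. This is an added example, not code from the original post: the field names, patterns, limits and sample request are constructed for illustration, and it assumes PHP 7.1 or later for the short array and destructuring syntax. Unlike the reply's snippet it anchors patterns with \z rather than $, so a value with a trailing newline is rejected, and it compares lengths as integers.

```php
<?php
// Added example (not from the original post): replace reliance on
// register_globals with explicit, validated reads from the request array.
// Field names, patterns and limits are constructed for illustration.

/**
 * Validate a whitelist of POST fields against per-field rules.
 * Returns [values, errors]. A field that is absent, too long, or fails
 * its pattern is left out of $values and reported in $errors instead of
 * silently becoming a variable.
 */
function read_post_fields(array $post, array $rules): array
{
    $values = [];
    $errors = [];
    foreach ($rules as $name => $rule) {
        // Absent or non-string input (e.g. fname[]=x) is treated as empty.
        $raw = (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : '';
        if ($raw === '') {
            if (!empty($rule['required'])) {
                $errors[] = "$name is required.";
            }
            continue;
        }
        // Length limit compared as an integer, not as the string "60".
        if (strlen($raw) >= $rule['max']) {
            $errors[] = "$name must be shorter than {$rule['max']} characters.";
            continue;
        }
        // Patterns use \z (not $) so a trailing newline cannot slip past the anchor.
        if (!preg_match($rule['pattern'], $raw)) {
            $errors[] = $rule['message'];
            continue;
        }
        $values[$name] = $raw;
    }
    return [$values, $errors];
}

$rules = [
    'fname' => [
        'pattern'  => '/^[0-9a-zA-Z ]+\z/',
        'max'      => 60,
        'required' => true,
        'message'  => 'First names can only include letters and numbers.',
    ],
    'zip' => [
        'pattern'  => '/^[0-9]{5}\z/',
        'max'      => 6,
        'required' => false,
        'message'  => 'ZIP codes are five digits.',
    ],
];

// Constructed sample request instead of a live $_POST, so this runs from the CLI.
$sample = ['fname' => "Ann Smith\n", 'zip' => '02139', 'isadmin' => '1'];
[$values, $errors] = read_post_fields($sample, $rules);

// 'isadmin' is never read: a field that is not in $rules cannot become a variable,
// which is exactly the exposure register_globals created.
var_dump($values);   // only 'zip' survives
print_r($errors);    // fname rejected because of the trailing newline
```

The whitelist is the point: with register_globals on, any request parameter could set any unset variable, so the fix is to enumerate the fields a script expects and check each one. Note that the .htaccess workaround in the reply only applies to old interpreters; register_globals was removed entirely in PHP 5.4, so scripts that still depend on it have to be converted along these lines.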



