77 Comments
- covertbadger, on 03/02/2009, -2/+32
FTA:
"Here's how to achieve that functionality with MooTools javascript.
if (isset($_GET['delete'])) {
    // Cast the raw GET value to int and delete that row (the pattern the thread criticizes)
    $query = 'DELETE FROM my_table WHERE item_id = ' . (int) $_GET['delete'];
    $result = mysql_query($query, $link); // the quoted tutorial passed $result here instead of $query
}"
Should read "here's how to add a security hole to your application wide enough to sail an aircraft carrier through".
When will these tutorials start to contain even the faintest hint of decent code? It wouldn't take any longer or take much more code to write this properly, so why pollute the internet with yet more insecure crap?
- covertbadger, on 03/02/2009, -0/+19
1) There's no code to validate $_GET['delete'] is a number. If the cast fails, or does something unexpected (php can do odd things when casting strings to ints) then that delete statement could run riot.
2) Deleting via HTTP GET is not only unRESTful, it's also a gimme for cross-site-scripting attacks. If I posted a link similar to www.foo.com/?delete=10 onto a popular site, everyone who clicks on it will delete comment 10 from foo.com. If I make the parameter random, I can basically trash foo.com if the link is on a popular enough site.
3) It's using the crappy old mysql API. mysqli has been around for a while now and supports prepared statements; there's no excuse not to use it.
3 errors in 3 significant lines of code - unbelievable.
- upick, on 03/02/2009, -0/+16
Particularly enjoyed the Google password meter and PHP charts, a gem of an article in here
- dullnation, on 03/02/2009, -0/+15
Here's one for the author:
http://www.hostinglowdown.com/2007/how-to-survive- ...
- smedrick, on 03/02/2009, -0/+11
Wow, one of the items is how to use PHP to cache your dynamic pages to static HTML to combat high server load. If that's not irony, I don't know what is.
- imakecomments, on 03/02/2009, -0/+11
One comment and the site is dead....
- skztr, on 03/02/2009, -0/+11
1) PHP does "weird things" when casting to an integer, but the result is always an integer.
2) "click here" on a malicious link is not XSS in any sense.
3) MySQLi's prepared statement syntax is horrible and the "preparation" it does is laughable. Use the old syntax all you want, because MySQLi is not a marked improvement. (more to the point: don't use either syntax outside of a low-level database layer)
- Bourksterz, on 03/02/2009, -1/+8
Thankfully Google cached it before it went down.
http://209.85.173.132/search?q=cache%3Ahttp%3A%2F% ...
- Chalks777, on 03/02/2009, -0/+7
I've fallen in love with jquery. <3
- ucffool, on 03/02/2009, -0/+7
I just went to their DEMO for a 'password meter like Google'.
I entered in the password as... 'password' (no quotes). Guess what? VERY SECURE.
I wouldn't trust this article for anything. On a side note, if you really want to code in PHP, keep this reference book handy (Yes, free PDF available of the whole book): http://www.phpreferencebook.com
- DareD, on 03/02/2009, -0/+7
Nothing beats a dying server for a "20 best any-technology" list!!!
- RocketGib, on 03/02/2009, -1/+7
"Error Establishing a Database Connection" is the best PHP Component out there.
- skztr, on 03/02/2009, -0/+5
There isn't any validation, so you can delete arbitrary comments. Okay, security hole, granted.
But XSS? I challenge you, or your cat, to write either of these in PHP:
- any demonstration of an XSS vulnerability of any code (you can write every single line of code, do whatever you want to it) in which the input parameters are only ever used in a DELETE query (aside from having their existence checked for).
- any demonstration of an XSS vulnerability of any code (as before) in which whenever the input is used, in any context, it is cast to integer (aside from existence checking, as before)
Stupid and insecure, yeah, but an XSS hole it ain't.
- ucffool, on 03/02/2009, -0/+4
The joys of mod_rewrite could make it look like that but it would actually be a dynamic PHP page.
Also, if you get dugg, you would want a static HTML cache as well so it doesn't go down (this site did, but then they got it back up).
So, um, you're wrong. :)
- MarkVaughn, on 03/02/2009, -0/+4
@eanbowman unless you've made an actual web application in C#, you will fail to see the benefits. While you see it as something "just as good" as PHP, I've come to learn that execution of ASP .Net pages, when coded properly, load much faster than the equivalent PHP pages.
Having said that, PHP is regarded higher than ASP .Net due to the fact that it is much easier to develop a PHP application than an ASP .Net application, as well as the fact that there are countless supporting tutorials, code snippets, etc. for PHP. With ASP .Net? Not so much. This is actually saddening, due to how robust and powerful ASP .Net is.
My first experience with ASP .Net sucked, I did not like it at all, especially with how much of a puzzle it seemed to be to make a simple "hello world" page. But once you learn the "ropes", it is very easy and very, very powerful.
@ButterLoyalist you've no clue what .Net itself is, apparently. And that's fine. PHP 5.3 is no substitute for the .Net framework, so you might wish to rethink your statement. Also, if you've ever developed anything in C#, you'll come to realize the similarities of (yet vast advantages over) PHP.
- dullnation, on 03/02/2009, -0/+4
Not being a coder personally, but as someone who knows enough to throw a WP template together, what is the hole in this example?
- eanbowman, on 03/02/2009, -1/+4
I just have a hate on for closed source creation tools. :|
I've made snippets in C# before. "My first service," and all that. I find it nothing special really. Hosting is expensive too. That said you aren't competing with thousands of other PHP users on your blade for CPU time. :P
Really the benefits aren't significant enough for me to want to move away from the most ubiquitous and time-tested language out there. These days developing for PHP is as easy as pie really with huge knowledge bases and a community of users just waiting to tell you how to secure your code. (lol close that hole ll4m4h!)
- sg1fan, on 03/02/2009, -0/+3
This is a great article... the 50 twitter tips for developers is kind of useless when you're making web pages for local small businesses. These are actually useful tools!
- arleym, on 03/02/2009, -0/+3
Mirror?
- inactive, on 03/02/2009, -0/+3
It is a big security hole yeah, needs to be escaped, but by casting the GET value to an int, would a quote still get through? I'd assume it'd get converted to its numeric equivalent or something
- covertbadger, on 03/02/2009, -0/+3
See above - I meant xsrf.
I dugg your comments up, by the way - not sure why you're being buried.
- mootymoots, on 03/02/2009, -0/+3
Nice to have my article featured at #11 http://www.reynoldsftw.com/2009/02/using-jquery-ph ... Thanks dude!
- robweber, on 03/02/2009, -0/+3
While these tutorials are great for beginners; why not check out a PHP framework like CakePHP that does things like DB connections and pagination as part of the framework?
- covertbadger, on 03/02/2009, -0/+2
1) Oh sure, except when it's undefined (e.g. when casting a float that's outside the range of the int type). And whilst it doesn't make sense to cast 'skdgfalgfklahvkljb' to an int, php will do it anyway.
2) You're right, I mean xsrf.
3) The preparation is sufficient to prevent sql injection, which is an improvement that justifies its use. Ugly syntax is a given - this is php, after all. MDB2 makes it slightly less bad. And whilst I agree that all such code should be kept in a single separated layer, doing so would make the example significantly more complex. Code separation is something I think can be skimped on for the purposes of demonstration - code security is not.
- ell0bo, on 03/02/2009, -0/+2
yeah, all characters would get cast to int... strings would really be fun to throw at it due to the casting. I think at work I'm gonna have to see what in god's name happens there. I am guessing it'll just cast the first char and leave the rest as trash?
If you really wanna complain, complain that he's not using mysqli and isn't allowing for transactions. Granted, he's prolly just running a MyISAM table, but still.
- covertbadger, on 03/02/2009, -1/+3
And depending on what that numeric equivalent is, you've just deleted a comment you didn't mean to. Oops! Not to mention the fact that even my cat could write an xss attack against this code. Deleting from a GET?
- linuxpenguin, on 03/02/2009, -0/+2
Well I haven't written all that much PHP code - but it's a webpage that is executing this code (well, a web server actually but whatever). If you're going to allow your pages to delete table contents, then you should at least put a piece of code to make sure it's an authenticated user that is trying to run this query. And it sounds like this code will not always make sure the ID is always an integer like it should be - so you need to have it check that.
- Chalks777, on 03/02/2009, -0/+2
Some interesting things here. A few security holes (as mentioned above) though. The single greatest resource I can recommend to anyone looking to learn/improve their php skills is to join a forum that's dedicated to php. The best I've found is http://devnetwork.net I've learned a ton from some very impressive coders over there.
- Fallendown, on 03/02/2009, -0/+2
I'm using jquery right now but I'll have to look at this moo tools.
- robweber, on 03/02/2009, -0/+2
I think the bottom line with that example is that it is not securely written code. Putting the id for the value you are trying to erase in the GET parameter isn't good practice to begin with. Especially when deleting the data you should make sure that the person doing the deleting is authorized (some sort of login check).
It is a good, although dirty, example of how you can get some database code written in PHP for a beginner though.
- linuxpenguin, on 03/02/2009, -0/+2
Actually, that depends on how many hits it took and whether it's a home server or not. If it's some PC running in a dude's basement then I would expect it to go down. Digg is basically a DoS attack from thousands of different IPs
- swiftsam, on 03/02/2009, -0/+2
Wow, that's actually a good collection of useful bits that aren't obvious. A rare find in this breed of articles
- eanbowman, on 03/02/2009, -0/+2
JQuery is seriously a beautiful thing.
Before, when scripting for javascript you'd have to make your own wrappers (API?) for dealing with the differences between browsers.
Now I can just select and manipulate hypertext. You know, what you're actually supposed to be able to do in Javascript! Go figure! XD
That one innovation has sped up my development time probably tenfold in some cases. :P
Yeah I suck at Javascript... whatever. It's not just me.
- phatfiend, on 03/02/2009, -0/+2
You don't fill examples with data checking because it is a waste of time. When people read examples they want the basic functionality not the 20 lines of security code to make sure it's not exploitable.
- ButterLoyalist, on 03/02/2009, -3/+5
PHP 5.3 > .NET + C#
- Fallendown, on 03/02/2009, -0/+2
I have Visual Studio 2008 Pro, I may have to give C# a try. I know I can use MySql with it, I had the connector once before
- covertbadger, on 03/02/2009, -0/+2
@skztr
See http://uk2.php.net/manual/en/language.types.intege ...
A couple of paragraphs to point out in particular. When dealing with floats:
"If the float is beyond the boundaries of integer (usually +/- 2.15e+9 = 2^31), the result is undefined, since the float doesn't have enough precision to give an exact integer result. No warning, not even a notice will be issued when this happens!"
This is dangerous, since php will automatically and silently convert to float if an integer operation causes an overflow ("if PHP encounters a number beyond the bounds of the integer type, it will be interpreted as a float instead"). So, if you pass in a large enough number here, it will be silently converted to a float before being cast to an int, with undefined results.
Furthermore, for source types other than those explicitly listed on the above page, we have this warning:
"The behaviour of converting to integer is undefined for other types."
All of this nastiness can go away with just a line or two of validation - is_int(), or for preference filter_input with the FILTER_VALIDATE_INT filter and a specified range.
- Livewired, on 03/02/2009, -1/+3
Smarty is crap. Why load in a separate templating class when you are using a language originally built for templating?
- Livewired, on 03/06/2009, -0/+2
...And that page is totally bunk:
1. If you don't know how to separate business logic from your display without using smarty, you need to go back to PHP 101.
2. While it's true that programmers should be touching the application and designers should be in the templates, somewhere along the way, those lines cross during testing and before deployment. Developers are not stupid, and they can debug a broken foreach in a template without the designer holding their hand. Likewise, for a designer to work with Smarty, they must have some sort of programming logic floating in the room upstairs, so it's not a stretch to say, "<?=$title?>" instead of "{title}".
3. Using smarty, you aren't able to use the nifty, "php -l <template.php>" to check for syntax errors (I know there are other unit tests for smarty, but why use a second, third party?)
- covertbadger, on 03/02/2009, -0/+2
@Xinil
"Using (int) versus intval() has no consequence on the application. Stop spouting like you guys know what you're talking about."
No consequence? OMFG. OK, which record will this delete?
foo.php?delete=sdkgfjksgkjashdglal
What about this one?
foo.php?delete=030
Or this one?
foo.php?delete=237569265106818068026356863476
Or this one?
foo.php?delete=NaN
Will these delete the same record?
foo.php?delete=1.99999999999999999 vs foo.php?delete=0.99999999999999999
Will all your answers be the same in the next version of php? How about the next patch release?
"With this, we can safely only delete the ids to which the user has access and such."
You're kidding, right? Even with your WHERE clause modification, the script is wide open. Put all the user verification on it you like - if you're logged in and I can trick you into loading a page on my site, I can delete YOUR data to my heart's content.
If you think a user ID check is all that is needed to fix this code, please don't ever work on any code where security or even basic engineering quality is important. Stick to hobby coding.
- skztr, on 03/03/2009, -0/+1
I expected that was the line you were referring to. However:
"result is undefined" is not the same as "result is not an integer". PHP doesn't have an "undefined" type, so the result is still an integer.
Your argument might be valid if it were true that PHP attempts to convert to integer, which fails and so converts to float, then converts back to integer, but that's just not how it works. Given the simple expression (int)$foo, [not (int)($foo/$bar) !], the only thing that happens is a conversion to an integer. If the result doesn't fit into an integer, it still winds up being an integer.
PHP blows for numerous reasons, but if you cast any variable to int, you'll always get an int. If you cast any $_GET variable to int, you'll always get an int based on the string which all $_GET variables are, or 0 if it couldn't convert. It's crappy, but it's completely safe.
- MagicBobert, on 03/03/2009, -0/+1
+1 for Livewired. There's no point in using a templating language on top of a templating language.
- crocodilu2008, on 11/04/2009, -0/+1
PHP Tutorials, examples http://www.navioo.com/php/tutorials/
- BHSPitMonkey, on 03/03/2009, -0/+1
You may be right, but that doesn't mean it's good or justifiable.
- covertbadger, on 03/03/2009, -0/+1
"I never said anything about deleting the same record."
Nice dodge on the consequences of using (int) or intval. Decided not to address that one after seeing how many problems it can cause, huh? Or have you decided that it's no big deal when a site is asked to delete one thing and decides to go delete something else entirely? Is that reasonable behaviour in your expert opinion?
"Oh, you're going to trick me into going to your page? Really? Wow, that'll be fun."
I see, so your way of dismissing cross-site attacks is to dismiss them as boring? Real mature. Doesn't reduce the risk though.
"That's a completely different security hazard."
The fact that it has multiple hazards is kind of my whole point. The fact that you're actually defending this code is, frankly, hilarious.
"Provide concrete evidence (code) on why the script is "wide open," or don't bother commenting."
I've already provided multiple examples of how the int cast is, at the very least, highly unpredictable. I'm not going to waste my time demonstrating an xsrf attack, you already know what it involves. It's not my fault if you're too unprofessional to regard it as a serious problem.
- kevmaster, on 06/01/2009, -0/+1
Be sure to check out 400+ PHP functions ported to JavaScript
http://phpjs.org/functions/index
- findhostcoupons, on 03/22/2009, -0/+1
I am beginning PHP programming and found this article very useful to read!
- waterandfood, on 03/06/2009, -0/+1
The (int) is fine. (int) 'foobar' becomes an integer which here is 0. Now, if you can come up with SQL to inject that's also an integer... well, that'd be impressive :)
- inactive, on 03/19/2009, -0/+1
very useful! thanks
- Livewired, on 03/02/2009, -0/+1
We started out using moo tools a while back, then, in a minor release, they change every method name, and the order of parameters. Turned me off from them for good. Jquery is awesome; lots of plugins.
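The fixes covertbadger asked for at the top of the thread (validate the id instead of casting it, don't delete on a GET, use a prepared statement) and the later argument over what (int) makes of the odd inputs in the foo.php?delete= examples, written out as an added example; this is not the tutorial's code nor any commenter's. It assumes a mysqli connection, a PHP session holding user_id and a csrf_token, an owner_id column on my_table, and the form field and helper names shown, all of which are assumptions.

```php
<?php
// Added example: hardened replacement for the GET-driven delete quoted in the thread.
declare(strict_types=1);

// Accept only a canonical positive integer string. FILTER_VALIDATE_INT rejects what
// (int) would silently coerce: letters, a leading zero, floats, "NaN", digits beyond
// PHP_INT_MAX. (int) always yields an int, as skztr says; the problem is which one.
function validate_delete_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// The request must carry the token stored in the victim's own session, so a link or
// form planted on another site cannot trigger the delete (the xsrf covertbadger meant).
// hash_equals compares in constant time.
function csrf_token_valid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Delete only via POST, only when logged in, only with a valid token and id, and only
// rows the current user owns. The prepared statement keeps the id out of the SQL text.
function handle_delete(mysqli $db, array $session, array $post): string
{
    if (!isset($session['user_id'])) {
        return 'not logged in';
    }
    if (!csrf_token_valid($session, $post)) {
        return 'csrf token missing or wrong';
    }
    $id = validate_delete_id($post['delete'] ?? null);
    if ($id === null) {
        return 'invalid id';
    }
    $uid  = (int) $session['user_id'];
    $stmt = $db->prepare('DELETE FROM my_table WHERE item_id = ? AND owner_id = ?');
    $stmt->bind_param('ii', $id, $uid);
    $stmt->execute();
    return $stmt->affected_rows === 1 ? 'deleted' : 'nothing deleted';
}

// Constructed inputs taken from the thread, run through the validator instead of (int).
foreach (['42', 'sdkgfjksgkjashdglal', '030', '237569265106818068026356863476',
          'NaN', '1.99999999999999999', '0.99999999999999999'] as $raw) {
    printf("%-32s => %s\n", $raw, var_export(validate_delete_id($raw), true));
}
```

Wire handle_delete() to a POST handler and render the session's csrf_token as a hidden form field; the loop at the end only shows how each of the thread's sample values fares under validation.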