From: Matthew G. <gr...@mu...> - 2002-03-28 19:26:16
I need a way for users to publish their surveys that doesn't require the user or the administrator to create a php include. It can be very simple to start with, but I could see adding a user definable CSS as an easy addition, before we make the transition into XML/XLT.

I understand the risks of accepting "tainted" user input. So what's wrong with this:

<?php $sid=intval($id); include("/blah/public/handler.php");?>

$id has been "un-tainted" with intval.

--
brought to you by, Matthew Gregg... one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
From: James E. F. <jf...@ac...> - 2002-03-28 19:54:20
On Thu, 28 Mar 2002, Matthew Gregg wrote:
> I need a way for users to publish their surveys that doesn't require
> the user or the administrator to create a php include.
> It can be very simple to start with, but I could see adding a user
> definable CSS as an easy addition, before we make the transition into
> XML/XLT.
>
> I understand the risks of accepting "tainted" user input.
> So what's wrong with this:
> <?php $sid=intval($id); include("/blah/public/handler.php");?>
>
> $id has been "un-tainted" with intval.

That is fine. The only issue is of course that people (web users) can try different id's -- that is not necessarily a problem, I just wanted to keep the SID hidden from the user.

But as you may have noticed, I handled the "test.php" on the demo site the way you suggested above. In fact here is the actual code:

<?php
$my_sid = $HTTP_GET_VARS['sid'];
unset ($HTTP_GET_VARS['sid']);
$sid = intval($my_sid);
$my_res = $HTTP_GET_VARS['results'];
unset ($HTTP_GET_VARS['results']);
$results = $my_res;
echo ("<tt>sid = $sid</tt><hr>\n");
include('handler.php');
echo ("<hr>\n");
if (isset($errmsg)) echo $errmsg;
?>

Note that the handler will give a "Security violation" if either $HTTP_GET_VARS['sid'] or $HTTP_GET_VARS['results'] is set.

-James
From: Matthew G. <gr...@mu...> - 2002-03-30 19:25:17
On Thu, Mar 28, 2002 at 02:54:14PM -0500, James E. Flemer wrote:
> On Thu, 28 Mar 2002, Matthew Gregg wrote:
>
> > I need a way for users to publish their surveys that doesn't require
> > the user or the administrator to create a php include.
> > It can be very simple to start with, but I could see adding a user
> > definable CSS as an easy addition, before we make the transition into
> > XML/XLT.
> >
> > I understand the risks of accepting "tainted" user input.
> > So what's wrong with this:
> > <?php $sid=intval($id); include("/blah/public/handler.php");?>
> >
> > $id has been "un-tainted" with intval.
>
> That is fine. The only issue is of course that people (web
> users) can try different id's -- that is not necessarily a
> problem, I just wanted to keep the SID hidden from the
> user.

A thought here:
Instead of sequential why not increment SID by a larger increment and/or perhaps add some randomness. It would be harder for "Joe User" to try other surveys.

Of course this would add some complexity since we couldn't use mysql's auto_increment.
From: James E. F. <jf...@ac...> - 2002-03-30 19:42:36
On Sat, 30 Mar 2002, Matthew Gregg wrote:
>
> A thought here:
> Instead of sequential why not increment SID by a larger increment and/or
> perhaps add some randomness.
> It would be harder for "Joe User" to try other surveys.
>
> Of course this would add some complexity since we couldn't use mysql's
> auto_increment.

Well, I think the complexity would be excessive just to "hide" the SID, but it made me think of a better solution. Rather than having the "auto-template" (as I will call it) use the SID as the key we could have it use the survey "name" (or even "title"). So the auto-template would look more like this:

...
$sid = -1;
$_name = XADDSLASHES($_REQUEST['name']);
if ($result = mysql_query(
    "SELECT id FROM survey WHERE name = '$_name'"))
{
    if (mysql_num_rows($result) > 0)
        $sid = mysql_result($result, 0, 0);
    mysql_free_result($result);
}
...

This would still make "name" publicly visible, but guessing a name is much "harder" than {in,de}crementing the SID.

Or perhaps the auto-template could range check the SID, or use some other verification.

-James
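The two lookups discussed in this thread (an intval()-untainted SID, and James's name-based key) written as one resolver, as an added example that is not part of the original messages or of the project's own code. It assumes a `survey` table with `id` and `name` columns, matching the query James quoted, and a PDO connection; `resolve_survey_id` is a hypothetical name, and the SQLite fixture at the bottom is constructed so the script runs stand-alone. The security point it adds is twofold: a bound parameter keeps the name as data, so XADDSLASHES-style escaping is no longer what stands between the request and the SQL, and an integer SID is still looked up before use, which is the "range check" James mentions at the end of his message.

```php
<?php
// Added example (not phpESP's own code): resolve a survey id from either an
// integer "sid" or a survey "name", using prepared statements.
// Assumes a `survey` table with `id` and `name` columns as in the thread's
// query; the function name and the fixture below are hypothetical/constructed.

declare(strict_types=1);

/**
 * Return the survey id selected by the request, or -1 when nothing matches
 * (the same sentinel the thread's snippet uses).
 */
function resolve_survey_id(PDO $db, array $request): int
{
    // Integer sid: intval() is the thread's own untainting step, but a
    // well-formed integer is not the same as an existing survey, so the
    // value is also checked against the table before it is used.
    if (isset($request['sid'])) {
        $sid = intval($request['sid']);
        if ($sid <= 0) {
            return -1;
        }
        $stmt = $db->prepare('SELECT id FROM survey WHERE id = :id');
        $stmt->bindValue(':id', $sid, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? -1 : (int) $row['id'];
    }

    // Name lookup: the bound parameter is sent as data, so quotes or
    // backslashes in the name cannot change the statement, independent of
    // magic_quotes or connection charset settings.
    if (isset($request['name']) && is_string($request['name'])) {
        $name = $request['name'];
        if ($name === '' || strlen($name) > 64) {
            return -1;
        }
        $stmt = $db->prepare('SELECT id FROM survey WHERE name = :name');
        $stmt->bindValue(':name', $name, PDO::PARAM_STR);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? -1 : (int) $row['id'];
    }

    return -1;
}

// Constructed in-memory SQLite fixture so the example runs without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE survey (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL)');
$db->exec("INSERT INTO survey (id, name) VALUES (7, 'it_lab_feedback')");

var_dump(resolve_survey_id($db, ['sid' => '7']));                // existing survey by id
var_dump(resolve_survey_id($db, ['sid' => '8']));                // well-formed id, no such survey
var_dump(resolve_survey_id($db, ['name' => 'it_lab_feedback']));  // existing survey by name
var_dump(resolve_survey_id($db, ['name' => "it's a test"]));      // quote in the name is harmless data
```

The `unset($HTTP_GET_VARS[...])` dance in James's test.php only matters under register_globals, which later PHP releases removed; with request values read explicitly from an array, as above, the handler never sees them as variables at all.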
From: Matthew G. <gr...@mu...> - 2002-03-30 22:36:29
Yeah. Survey Name is already forced to be unique and I think it's sufficiently random. I will proceed with the "auto_template" using that as the "key".

On Sat, Mar 30, 2002 at 02:42:31PM -0500, James E. Flemer wrote:
> On Sat, 30 Mar 2002, Matthew Gregg wrote:
> >
> > A thought here:
> > Instead of sequential why not increment SID by a larger increment and/or
> > perhaps add some randomness.
> > It would be harder for "Joe User" to try other surveys.
> >
> > Of course this would add some complexity since we couldn't use mysql's
> > auto_increment.
>
> Well, I think the complexity would be excessive just to
> "hide" the SID, but it made me think of a better solution.
> Rather than having the "auto-template" (as I will call it)
> use the SID as the key we could have it use the survey
> "name" (or even "title"). So the auto-template would look
> more like this:
>
> ...
> $sid = -1;
> $_name = XADDSLASHES($_REQUEST['name']);
> if ($result = mysql_query(
>     "SELECT id FROM survey WHERE name = '$_name'"))
> {
>     if (mysql_num_rows($result) > 0)
>         $sid = mysql_result($result, 0, 0);
>     mysql_free_result($result);
> }
> ...
>
> This would still make "name" publicly visible, but guessing
> a name is much "harder" than {in,de}crementing the SID.
>
> Or perhaps the auto-template could range check the SID, or
> use some other verification.
>
> -James