
Discussion in 'PHP' started by sem-profiteer, Sep 2, 2016.

  1. #1
    My hosting company says that code to echo a string is no longer safe. register_globals being enabled will fix this; however enabling this is strongly discouraged for security reasons.

    This is what I have been using:

    website.com?keyword=1234

    <?php echo $keyword; ?>

    with the results of being "1234".

    What is the modern secure way to echo?
     
    sem-profiteer, Sep 2, 2016 IP
  2. Anveto

    Anveto Well-Known Member

    Messages:
    697
    Likes Received:
    40
    Best Answers:
    19
    Trophy Points:
    195
    #2
    You never want to trust user input. In this case I can manipulate the page output and make your website show any content I would like it to show basically :)

    website.com?keyword=<script>alert('hola')</script>

    Of course there are lots of ways to do this as you can see here https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

    What you will need to do is escape the data with something like htmlspecialchars, strip_tags, etc.

    There is no way to be 100% secure when doing this though, you can read about it here http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php
     
    Anveto, Sep 3, 2016 IP
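Putting this post's advice into code, as an added example that is not part of the thread and not any participant's code: the OP's page rewritten to read ?keyword= from $_GET explicitly (no register_globals), validate it, and escape it with htmlspecialchars before echoing. The helper names h(), keywordFromQuery() and isValidKeyword(), the digits-only policy for the keyword, and the constructed CLI sample input are assumptions made for the demo.

```php
<?php
// Added example: safe replacement for `<?php echo $keyword; ?>`.
declare(strict_types=1);

// Escape a string for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of silently returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read the keyword from the query-string array you are handed, never from a
// bare $keyword. Returns null when absent or not a plain string (PHP turns
// ?keyword[]=x into an array, which would make htmlspecialchars throw).
function keywordFromQuery(array $get): ?string
{
    $v = $get['keyword'] ?? null;
    return is_string($v) ? $v : null;
}

// The thread's sample value is numeric. If that is the real contract,
// validate as well as escape. Assumed policy: one to ten ASCII digits.
function isValidKeyword(string $k): bool
{
    return preg_match('/\A[0-9]{1,10}\z/', $k) === 1;
}

// Constructed sample input so the script runs offline from the CLI;
// it is the payload from the post above.
if (PHP_SAPI === 'cli') {
    $_GET = ['keyword' => "<script>alert('hola')</script>"];
} else {
    // The charset here must match the one passed to htmlspecialchars().
    header('Content-Type: text/html; charset=UTF-8');
}

$keyword = keywordFromQuery($_GET);

// Vulnerable form from the thread, kept only as a comment:
//   echo $_GET['keyword'];
// would place the <script> tag straight into the page.

if ($keyword === null || !isValidKeyword($keyword)) {
    if (PHP_SAPI !== 'cli') {
        http_response_code(400);
    }
    // Even the rejected value is escaped before it is reflected.
    echo 'Keyword: <em>', $keyword === null ? 'missing' : h($keyword), '</em> (rejected)', "\n";
} else {
    echo 'Keyword: ', h($keyword), "\n";
}
```

Run it with `php example.php` and the script tag comes out as `&lt;script&gt;`, which the browser renders as text rather than executing. The validation step is the part htmlspecialchars alone does not give you: escaping makes the value safe for an HTML body, but it does nothing for a value later used in a URL, a JavaScript string or an SQL query, each of which needs its own encoding or a parameterized API.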
  3. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #3
    Well. Maybe not 100%, but close enough. The stackoverflow link is quite informative. Regardless, outputting unfiltered user input is always a bad idea.
     
    PoPSiCLe, Sep 3, 2016 IP
  4. sarahk

    sarahk iTamer Staff

    Messages:
    28,494
    Likes Received:
    4,457
    Best Answers:
    123
    Trophy Points:
    665
    #4
    I'm still stuck on not being allowed to use "echo".
    They've told you that?
     
    sarahk, Sep 3, 2016 IP
  5. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #5
    I think it's not the echo itself, but the fact that the echo outputs a direct $_GET variable by using the keyword (which isn't even available if they set up the server properly).
     
    PoPSiCLe, Sep 4, 2016 IP
    Anveto likes this.
  6. ThePHPMaster

    ThePHPMaster Well-Known Member

    Messages:
    737
    Likes Received:
    52
    Best Answers:
    33
    Trophy Points:
    150
    #6
    There are 2 types of data you can do, GET and POST. GET comes from the url params (or form element with GET method) while POST from the form elements with POST method.

    If you have:

        website.com?keyword=1234

    This would work:

        echo $_GET['keyword'];

    If you have:

        <input type="text" value="1234" name="keyword" id="keyword" />

    This would work:

        echo $_POST['keyword'];
     
    ThePHPMaster, Sep 4, 2016 IP
  7. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #7
    Yes. And if you have set up globals, you can just do

        echo $keyword;

    As the OP states that he does. Which is abysmally bad.
     
    PoPSiCLe, Sep 4, 2016 IP
  8. NaughtySpider

    NaughtySpider Peon

    Messages:
    10
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    3
    #8
    You should disable register_globals. Read this: http://php.net/manual/en/security.globals.php and you will get the idea.
     
    NaughtySpider, Sep 11, 2016 IP
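The manual page linked above shows why register_globals was dropped from PHP (it is gone since 5.4, so on a current server the OP's $keyword is simply undefined). Below is an added example, not code from the thread, that simulates the old behaviour with extract() on a constructed query array and contrasts it with the fixed pattern. The function names isAuthorized(), checkAdminWithGlobals() and checkAdminFixed() and the ?authorized=1 input are assumptions for the demo; register_globals itself is not re-enabled and should not be.

```php
<?php
// Added example: what register_globals did, and why the manual says to
// disable it. register_globals behaved roughly like extract($_GET) run
// before your script, so any variable you forgot to initialise could be
// set by the client. This CLI simulation uses extract() to stand in for it.
declare(strict_types=1);

function isAuthorized(): bool
{
    return false; // stand-in for a real session check: this user is NOT logged in
}

// The classic pattern from the PHP manual's register_globals page.
function checkAdminWithGlobals(array $query): bool
{
    extract($query);                 // simulates register_globals = On
    if (isAuthorized()) {
        $authorized = true;          // never runs for this user...
    }
    // ...but ?authorized=1 already created $authorized above, so this is truthy.
    return isset($authorized) && (bool) $authorized;
}

// Fixed: every variable is initialised before use, and request data is only
// ever read from the superglobal you mean ($_GET, $_POST), never from a
// variable whose name happens to match a query parameter.
function checkAdminFixed(array $query): bool
{
    $authorized = false;
    if (isAuthorized()) {
        $authorized = true;
    }
    return $authorized;              // $query is deliberately not consulted
}

// Constructed attacker input: website.com/admin.php?authorized=1
$attack = ['authorized' => '1'];

var_dump(checkAdminWithGlobals($attack)); // the attacker is treated as admin
var_dump(checkAdminFixed($attack));       // the attacker is rejected
```

The same mechanism is what made the OP's `echo $keyword` work at all: the query parameter silently became a local variable. Reading `$_GET['keyword']` (and escaping it) is the replacement, and disabling register_globals, or running any PHP version from 5.4 on, closes the variable-injection hole the first function demonstrates.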
  9. Einheijar

    Einheijar Well-Known Member

    Messages:
    539
    Likes Received:
    13
    Best Answers:
    3
    Trophy Points:
    165
    #9
    Or if you're lazy you can use $_REQUEST which checks for both GET and POST. Useful for debugging forms :p
     
    Einheijar, Oct 2, 2016 IP