PHP Security - Form Processing Server Side Data Filtering

When PHP programmers build a form with JavaScript client-side filtering to collect information from web users, most of them forget or choose not to do server-side data filtering. The reasons they give are simply that it is not important, or that it is too time-consuming to write the extra PHP code to get the job done.

They do not realise how critical it is until they see an example like the one below. After walking through it you will appreciate why server-side filtering is necessary.

Consider an HTML form located at http://www.secure.com/form.html with a select element that records whether the user accepts the terms and conditions or not:

<form action="process.php" method="POST">
	<select name="accept_terms">
		<option value="accept">Accept</option>
		<option value="refuse">Refuse</option>
	</select>
	<input type="submit"/>
</form>

Now imagine an attacker edits the above HTML and saves it as follows on their own machine:

<form action="http://www.secure.com/process.php" method="POST">
	<input type="text" name="accept_terms">
	<input type="submit"/>
</form>

The form can be manipulated as desired; all the attacker needs is a web browser to post it to the absolute URL where process.php resides. The browser never runs the original page's JavaScript, so nothing on the client side can stop this.

This simple step eliminates every client-side restriction. In this example the attacker does not have to accept the terms and conditions at all, and can send any string (or no value) in accept_terms. With a very simple procedure, any user can create a form that submits arbitrary data to the URL that processes the form. The only effective defence is for process.php to check, on the server, that the submitted value is one of the values the application actually expects, and to reject the request otherwise.
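The following is an added example of the server-side check process.php should perform; it is not code from the original post. The function name validate_accept_terms and the sample submissions are assumptions made for this illustration; in a real handler the function would be called with $_POST.

```php
<?php
// Added example (not part of the original post): server-side validation of
// the accept_terms field from form.html. The function name and the sample
// submissions below are assumptions made for this illustration.

declare(strict_types=1);

/**
 * Return the validated value of accept_terms, or null if the submission
 * does not carry one of the values the form is allowed to send.
 *
 * The allow-list mirrors the <option> values in form.html. Anything else
 * (missing field, array instead of string, empty string, "yes", "1",
 * different case, trailing whitespace) is rejected rather than "cleaned up".
 */
function validate_accept_terms(array $post): ?string
{
    $allowed = ['accept', 'refuse'];

    // A tampered form can omit the field or turn it into an array
    // (accept_terms[]=accept); both must be rejected before comparing.
    if (!isset($post['accept_terms']) || !is_string($post['accept_terms'])) {
        return null;
    }

    // Strict comparison: no type juggling, no partial matches.
    return in_array($post['accept_terms'], $allowed, true)
        ? $post['accept_terms']
        : null;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'normal browser, accepted'      => ['accept_terms' => 'accept'],
    'normal browser, refused'       => ['accept_terms' => 'refuse'],
    'tampered form, free text'      => ['accept_terms' => 'whatever'],
    'tampered form, field omitted'  => [],
    'tampered form, array value'    => ['accept_terms' => ['accept']],
    'tampered form, wrong case'     => ['accept_terms' => 'Accept'],
];

foreach ($samples as $label => $post) {
    $value = validate_accept_terms($post);
    if ($value === 'accept') {
        $outcome = 'terms accepted, continue processing';
    } elseif ($value === 'refuse') {
        $outcome = 'terms refused, stop';
    } else {
        // Treat anything unexpected as a bad request; do not guess what was meant.
        $outcome = 'invalid submission, respond with HTTP 400';
    }
    printf("%-30s => %s\n", $label, $outcome);
}
```

The point of the allow-list is that the server decides what a valid value is, independently of what the form offered. Only the first two constructed submissions are accepted; the four tampered ones, including the one that simply leaves the field out, all fall through to the error branch.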

Bash by example - Introduction

Is this the first time you are learning about bash? In this post I will show you how to write your first bash script using a simple example.

Let's start with: what is bash?
Bash (the Bourne-Again SHell) is the shell, or command language interpreter, found on most *nix systems. It offers functional improvements over sh (the original Bourne shell) for both programming and interactive use, and most sh scripts run under bash without modification.

So why do you need to learn bash?
The answer is simple: learning to program in bash makes your daily interaction with *nix systems more productive, and more fun. A working knowledge of bash shell scripting is essential for anyone who wants to become reasonably proficient at *nix system administration.

Now, using your favourite editor, create a script called helloworld.sh. By convention bash scripts have names ending in .sh, but this is not a requirement. Below is a very short script that writes a message on the screen.

#!/bin/bash
#
# This is my first bash shell script
# Kelvin
#
# The first line (the "shebang") must be the absolute path to the
# interpreter, so that the kernel knows to run this file with bash.

# printf does not add a newline by itself, so end the message with \n.
printf "Hello bash world! Bash is wonderful.\n"

# Exit status 0 tells the caller that the script succeeded.
exit 0

Save the file, make it executable with chmod +x helloworld.sh, and then run ./helloworld.sh from the command line.

You will see Hello bash world! Bash is wonderful. printed on the screen.

Congratulations, and welcome to the world of bash.