Err Posted January 22, 2010

I just want to know. What is the difference between individually accessing a POST, rather than using the extract() function? The submitted POST arrays are all going to be accessed either way, so why not just extract everything? Is it safer or faster to do the former?

Edit: The forum lowercased my title.

justsomeguy Posted January 22, 2010

It presents a security issue when you use extract. Assume that someone knew how your application worked, maybe they've seen the source code or something. They could create their own post request to one of your pages and submit a value that they know you have a variable for something else, like $logged_in, or $is_admin, or something like that. If you extract the variables then you'll overwrite your own variables with whatever names they decided to submit.

Here you go, a real-world example:
http://secunia.com/advisories/31394/
http://e107designs.org/news.php?item.108.4

And here's how they use that to get the list of passwords for the server your script is running on:
http://www.milw0rm.com/exploits/7525

Err Posted January 22, 2010

Wouldn't extract($_POST, EXTR_SKIP) disallow that type of behavior? Wouldn't it be safe then?

Synook Posted January 22, 2010

That would prevent the overwriting of values, however you still risk setting things you otherwise wouldn't want to, something that e.g. may be used later in a condition involving isset(). It is always safer to approach security from a restrictive point of view - only let in what is necessary.

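The three behaviours discussed in the replies above, side by side, as an added example that is not part of the original thread: plain extract(), extract() with EXTR_SKIP, and reading only the expected fields. The `$debug` flag, the sample request values and the function names are assumptions made for illustration.

```php
<?php
// Constructed stand-in for $_POST: the client chooses every key it sends.
$post = ['username' => 'mallory', 'is_admin' => '1', 'debug' => '1'];

// 1. Plain extract(): the default flag is EXTR_OVERWRITE, so a request key
//    named like an application variable replaces that variable's value.
function plain_extract(array $post): array {
    $is_admin = false;                 // value the application decided on
    extract($post);
    return ['is_admin' => $is_admin, 'debug_set' => isset($debug)];
}

// 2. EXTR_SKIP: variables that already exist are left alone, but any name
//    the application has not defined yet is still created from the request.
function skip_extract(array $post): array {
    $is_admin = false;
    extract($post, EXTR_SKIP);
    // $debug (hypothetical flag) is never assigned by this code, so a later
    // isset($debug) check is decided entirely by the request.
    return ['is_admin' => $is_admin, 'debug_set' => isset($debug)];
}

// 3. Restrictive approach: copy only the fields this page expects, and only
//    when they are plain strings (a client can also submit arrays).
function allow_list(array $post, array $expected): array {
    $clean = [];
    foreach ($expected as $field) {
        $value = $post[$field] ?? null;
        $clean[$field] = is_string($value) ? $value : null;
    }
    return $clean;
}

// Print the resulting state for each approach.
foreach (['plain_extract', 'skip_extract'] as $fn) {
    echo $fn, ': ';
    var_dump($fn($post));
}
echo 'allow_list: ';
var_dump(allow_list($post, ['username']));
```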
This topic is now archived and is closed to further replies.