question about safe

on 27.01.2008 20:30:14 by Kamyk

Hello!

How do I prevent this kind of attack attempt on the website?

http://www.example.com/index.php?id=0?;print_r(glob('*'));echo%20%22

Thank you in advance for your help
M.

Re: question about safe

on 27.01.2008 20:33:40 by luiheidsgoeroe

On Sun, 27 Jan 2008 20:30:14 +0100, MZ wrote:

> Hello!
>
> How do I prevent this kind of attack attempt on the website?
>
> http://www.example.com/index.php?id=0?;print_r(glob('*'));echo%20%22

By just not running/eval()ing arbitrary code from outside? You'd really
have to provide the mechanism for the hacker for this to work, it is not
an inherent vulnerability of PHP.
--
Rik Wasmus

Re: question about safe

on 27.01.2008 20:37:56 by Kamyk

"Rik Wasmus" wrote in message
news:op.t5lsmesk5bnjuv@metallium.lan...
> On Sun, 27 Jan 2008 20:30:14 +0100, MZ
> wrote:
>
>> Hello!
>>
>> How do I prevent this kind of attack attempt on the website?
>>
>> http://www.example.com/index.php?id=0?;print_r(glob('*'));echo%20%22
>
> By just not running/eval()ing arbitrary code from outside? You'd really
> have to provide the mechanism for the hacker for this to work, it is not
> an inherent vulnerability of PHP.
> --
> Rik Wasmus

Hello Rik!

Sorry, English is not my native language.
Please explain this sentence to me in detail:

By just not running/eval()ing arbitrary code from outside?

What do you mean by asking me that?

You said that it is not a weakness of PHP. Do you mean that PHP is
proof against such attacks?

Thank you, and sorry for such a question
M.

Re: question about safe

on 27.01.2008 20:44:25 by luiheidsgoeroe

> "Rik Wasmus" wrote in message
> news:op.t5lsmesk5bnjuv@metallium.lan...
> On Sun, 27 Jan 2008 20:30:14 +0100, MZ
> wrote:
> Hello!
> How do I prevent this kind of attack attempt on the website?
> http://www.example.com/index.php?id=0?;print_r(glob('*'));echo%20%22
> By just not running/eval()ing arbitrary code from outside? You'd really
> have to provide the mechanism for the hacker for this to work, it is not
> an inherent vulnerability of PHP.

On Sun, 27 Jan 2008 20:37:56 +0100, MZ wrote:
> Sorry, English is not my native language.
> Please explain this sentence to me in detail:
> By just not running/eval()ing arbitrary code from outside?
> What do you mean by asking me that?
> You said that it is not a weakness of PHP. Do you mean that PHP is
> proof against such attacks?
> Thank you, and sorry for such a question

Yes, PHP will NOT execute code from the URL without you telling it to.
What you DO want to check for is SQL injection (google it).
--
Rik Wasmus

Re: question about safe

on 29.01.2008 21:33:49 by AnrDaemon

Greetings, MZ.
In reply to Your message dated Sunday, January 27, 2008, 22:30:14,

> How do I prevent this kind of attack attempt on the website?

> http://www.example.com/index.php?id=0?;print_r(glob('*'));echo%20%22

Do NOT trust any user input.
In this case, You DID trust the variable passed by the user (either the $_GET['id']
variable or the whole parameter string).

Go check Your code for this exploit; it is Your mistake, not a PHP weakness.

P.S.
If it is not Your own code, delete it and write it Yourself from scratch.


--
Sincerely Yours, AnrDaemon
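As an added example that is not part of the thread (it is neither Rik's nor AnrDaemon's code): the mechanism both replies describe, a script that hands request text to eval(), placed next to a handler that treats $_GET['id'] as data and looks the record up with a bound parameter, which also covers the SQL injection point Rik raises. The eval() line in lookup_unsafe is an assumed illustration of how such a URL could ever execute anything (the thread never shows the original script); the pages table, the function names and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Shows the anti-pattern the
// replies warn about (building PHP source from a request parameter and
// eval()ing it) next to a hardened handler that validates the parameter
// and uses a prepared statement. The payload string used as a test input
// is the one quoted in the thread, URL-decoded; it must be rejected.

declare(strict_types=1);

// --- Anti-pattern (assumed illustration of the mechanism, never called
// below): the quoted URL can only run code if the script itself turns the
// parameter into PHP source and executes it.
function lookup_unsafe(array $get): void
{
    $code = '$id = ' . $get['id'] . ';';   // request text becomes source text
    eval($code);                            // whatever was appended now runs
}

// --- Hardened: treat the parameter as data. Accept only a non-negative
// integer of bounded length; everything else is rejected (null), not "cleaned".
function parse_id(?string $raw): ?int
{
    if ($raw === null || $raw === '' || strlen($raw) > 10) {
        return null;
    }
    if (!ctype_digit($raw)) {      // rejects '?', ';', '(', quotes, spaces, '-'
        return null;
    }
    return (int) $raw;
}

// Bind the id as a parameter so it can never alter the SQL text.
function lookup_safe(PDO $pdo, ?string $raw): ?array
{
    $id = parse_id($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demo against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO pages (id, title) VALUES (0, 'home'), (7, 'about')");

// The id parameter from the thread's URL, URL-decoded (constructed input).
$payload = urldecode("0?;print_r(glob('*'));echo%20%22");

$inputs = ['7', '0', $payload, '7 OR 1=1', '', '-1'];
foreach ($inputs as $in) {
    $row = lookup_safe($pdo, $in);
    printf("%-40s => %s\n", var_export($in, true),
        $row === null ? 'rejected / not found' : 'found: ' . $row['title']);
}
```

Run it with the CLI (`php example.php`): the two numeric ids resolve to rows, while the thread's payload, the `OR 1=1` string, the empty string and the negative number are all refused by parse_id before any query runs, and no request-controlled text reaches eval() at any point. The design choice is to reject rather than sanitise: an id has a small, well-defined shape, so anything outside that shape is simply not an id.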