PHP Utils functions

on 02.04.2008 18:32:18 by Aaron Gray

I just wanted to share some useful PHP functions that I have written while
developing an application.

http://www.cybercomms.org/PHP/utils.inc

The .inc filename is just so it can be viewed; I usually use .php for include
files.

~~~~~~~~~~~~~~ utils.php ~~~~~~~~~~~~~~~~

<?php

// True for a POST whose Referer header has the same host as this server
// and the same path as the current script; false for any other request.
// All three values compared here are taken from the request's own headers.
function isValidPost()
{
    if ( $_SERVER['REQUEST_METHOD'] == 'POST')
    {
        $referer = isset( $_SERVER['HTTP_REFERER']) ?
                   $_SERVER['HTTP_REFERER'] : "";
        return (( parse_url( $referer, PHP_URL_HOST) ==
                  $_SERVER['HTTP_HOST']) &&
                ( parse_url( $referer, PHP_URL_PATH) ==
                  $_SERVER['PHP_SELF']));
    }
    else
        return false;
}

// The Referer header as sent by the client; raises an undefined-index
// notice when the client sent none.
function getReferer()
{
    return $_SERVER["HTTP_REFERER"];
}

// Raw value of a POST field, or "" when it was not submitted.
// No validation or escaping is done here.
function getPost( $var)
{
    return (isset( $_POST[ $var]) ? $_POST[ $var] : "");
}

// Raw value of a query-string parameter, or "" when it is absent.
function getParam( $param)
{
    return (isset( $_GET[ $param]) ? $_GET[ $param] : "");
}

// Directory on disk that holds the currently executing script.
function getBaseDirectory()
{
    return dirname( $_SERVER['SCRIPT_FILENAME']);
}

// Query-string parameters of $url as an associative array
// (empty when the URL has no query part).
function getParamsFromURL( $url)
{
    $query = parse_url( $url, PHP_URL_QUERY);   // null when there is no '?'
    parse_str( (string) $query, $params);
    return $params;
}

?>

Re: PHP Utils functions

on 02.04.2008 18:37:02 by Aaron Gray

"Aaron Gray" wrote in message
news:65hqojF2emkj8U1@mid.individual.net...
>I just wanted to share some useful PHP functions that I have written while
>developing an application.

> function getReferer()
> {
> return $_SERVER["HTTP_REFERER"];
> }

Changed to :-

function getReferer()
{
return isset( $_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
}

Nothing like releasing something to find a bug or two :)

Aaron

Re: PHP Utils functions

on 02.04.2008 18:56:22 by Michael Fesser

.oO(Aaron Gray)

>I just wanted to share some useful PHP functions that I have written while
>developing an application.
>
> http://www.cybercomms.org/PHP/utils.inc
>
>The .inc filename is just so it can be viewed, I use .php for include files
>usually.
>
>~~~~~~~~~~~~~~ utils.php ~~~~~~~~~~~~~~~~
>
>function isValidPost()
>{
> if ( $_SERVER['REQUEST_METHOD'] == 'POST')
> {
> $referer = isset( $_SERVER['HTTP_REFERER']) ?
>$_SERVER['HTTP_REFERER'] : "";
> return (( parse_url( $referer, PHP_URL_HOST) ==
>$_SERVER['HTTP_HOST']) &&
> ( parse_url( $referer, PHP_URL_PATH) ==
>$_SERVER['PHP_SELF']));
> }
> else
> return false;
>}

With this function I would never be able to post anything on your site.
The HTTP referrer is completely unreliable and should never be used for
things like above. Browsers don't have to send it and firewalls might
filter it out for security reasons.

Micha

Re: PHP Utils functions

on 02.04.2008 19:16:21 by Aaron Gray

"Michael Fesser" wrote in message
news:1ce7v35lr9hma8lnqlu7p91ecbt226eu82@4ax.com...
> .oO(Aaron Gray)
>
>>I just wanted to share some useful PHP functions that I have written while
>>developing an application.
>>
>> http://www.cybercomms.org/PHP/utils.inc
>>
>>The .inc filename is just so it can be viewed, I use .php for include
>>files
>>usually.
>>
>>~~~~~~~~~~~~~~ utils.php ~~~~~~~~~~~~~~~~
>>
>>function isValidPost()
>>{
>> if ( $_SERVER['REQUEST_METHOD'] == 'POST')
>> {
>> $referer = isset( $_SERVER['HTTP_REFERER']) ?
>>$_SERVER['HTTP_REFERER'] : "";
>> return (( parse_url( $referer, PHP_URL_HOST) ==
>>$_SERVER['HTTP_HOST']) &&
>> ( parse_url( $referer, PHP_URL_PATH) ==
>>$_SERVER['PHP_SELF']));
>> }
>> else
>> return false;
>>}
>
> With this function I would never be able to post anything on your site.

Right, for the app I am working on I do not want first or third parties
posting to the app.

> The HTTP referrer is completely unreliable and should never be used for
> things like above. Browsers don't have to send it and firewalls might
> filter it out for security reasons.

Okay, thanks, is there another method I can use to make sure it was my app
posting?

Thanks Micha, good feedback.

Aaron

Re: PHP Utils functions

on 02.04.2008 21:44:59 by Aaron Gray

"Jerry Stuckle" wrote in message
news:-KudnXs9eMLhfW7anZ2dnUVZ_vrinZ2d@comcast.com...
> Aaron Gray wrote:
>> "Michael Fesser" wrote in message
>> news:1ce7v35lr9hma8lnqlu7p91ecbt226eu82@4ax.com...
>>> .oO(Aaron Gray)
>>>
>>>> I just wanted to share some useful PHP functions that I have written
>>>> while
>>>> developing an application.
>>>>
>>>> http://www.cybercomms.org/PHP/utils.inc
>>>>
>>>> The .inc filename is just so it can be viewed, I use .php for include
>>>> files
>>>> usually.
>>>>
>>>> ~~~~~~~~~~~~~~ utils.php ~~~~~~~~~~~~~~~~
>>>>
>>>> function isValidPost()
>>>> {
>>>> if ( $_SERVER['REQUEST_METHOD'] == 'POST')
>>>> {
>>>> $referer = isset( $_SERVER['HTTP_REFERER']) ?
>>>> $_SERVER['HTTP_REFERER'] : "";
>>>> return (( parse_url( $referer, PHP_URL_HOST) ==
>>>> $_SERVER['HTTP_HOST']) &&
>>>> ( parse_url( $referer, PHP_URL_PATH) ==
>>>> $_SERVER['PHP_SELF']));
>>>> }
>>>> else
>>>> return false;
>>>> }
>>> With this function I would never be able to post anything on your site.
>>
>> Right, for the app I am working on I donot want first or third parties
>> posting to the app.
>>
>>> The HTTP referrer is completely unreliable and should never be used for
>>> things like above. Browsers don't have to send it and firewalls might
>>> filter it out for security reasons.
>>
>> Okay, thanks, is there another method I can use to make sure it was my
>> app posting ?
>>
>> Thanks Micha, good feedback.
>>
>> Aaron
>>
>>
>>
>
> Aaron,
>
> Micha is correct. HTTP_REFERER is completely unreliable. Not only will
> it cause many of your existing users problems, it can be very easily faked
> and won't stop someone from posting via a third party app.

It's HTTP territory, I see.

> You could put a random string in a hidden field and in the session. When
> the form is posted, compare the two numbers.

Okay, that would do the job nicely.

Many thanks,

Aaron

Re: PHP Utils functions

on 02.04.2008 22:37:06 by Jerry Stuckle

Aaron Gray wrote:
> "Michael Fesser" wrote in message
> news:1ce7v35lr9hma8lnqlu7p91ecbt226eu82@4ax.com...
>> .oO(Aaron Gray)
>>
>>> I just wanted to share some useful PHP functions that I have written while
>>> developing an application.
>>>
>>> http://www.cybercomms.org/PHP/utils.inc
>>>
>>> The .inc filename is just so it can be viewed, I use .php for include
>>> files
>>> usually.
>>>
>>> ~~~~~~~~~~~~~~ utils.php ~~~~~~~~~~~~~~~~
>>>
>>> function isValidPost()
>>> {
>>> if ( $_SERVER['REQUEST_METHOD'] == 'POST')
>>> {
>>> $referer = isset( $_SERVER['HTTP_REFERER']) ?
>>> $_SERVER['HTTP_REFERER'] : "";
>>> return (( parse_url( $referer, PHP_URL_HOST) ==
>>> $_SERVER['HTTP_HOST']) &&
>>> ( parse_url( $referer, PHP_URL_PATH) ==
>>> $_SERVER['PHP_SELF']));
>>> }
>>> else
>>> return false;
>>> }
>> With this function I would never be able to post anything on your site.
>
> Right, for the app I am working on I donot want first or third parties
> posting to the app.
>
>> The HTTP referrer is completely unreliable and should never be used for
>> things like above. Browsers don't have to send it and firewalls might
>> filter it out for security reasons.
>
> Okay, thanks, is there another method I can use to make sure it was my app
> posting ?
>
> Thanks Micha, good feedback.
>
> Aaron
>
>
>

Aaron,

Micha is correct. HTTP_REFERER is completely unreliable. Not only will
it cause many of your existing users problems, it can be very easily
faked and won't stop someone from posting via a third party app.

You could put a random string in a hidden field and in the session.
When the form is posted, compare the two numbers.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
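What Jerry suggests above (a random string kept in the session and echoed into a hidden field, the two compared when the form is posted) is the usual synchronizer-token defence against cross-site request forgery, and it answers Aaron's question in the earlier reply about how to make sure it was his own app posting. The PHP below is an added example; it is not code from utils.inc or from any post in the thread. The function names (csrf_token, csrf_hidden_field, csrf_verify, referer_matches, check), the session and field key names, and the host and path values in the self-check are this example's own. It also carries a copy of the Referer comparison from utils.inc, rewritten to take its inputs as a parameter, so the constructed data can show the objection Michael and Jerry raise: every header that check inspects is chosen by the client.

```php
<?php
declare(strict_types=1);
// Added example, not code from utils.inc or from any post in the thread.
// A random token is stored in the session and echoed in a hidden form
// field; on POST the two are compared. The function names and the sample
// host/path values below are this example's own.

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD_NAME  = 'csrf_token';

// Token for this session, created on first use. $session is normally
// $_SESSION; it is a parameter so the code can run without a web server.
function csrf_token(array &$session): string
{
    $t = $session[CSRF_SESSION_KEY] ?? null;
    if (!is_string($t) || $t === '') {
        // 32 bytes from the CSPRNG, hex encoded: 64 characters nobody can guess.
        $t = bin2hex(random_bytes(32));
        $session[CSRF_SESSION_KEY] = $t;
    }
    return $t;
}

// Hidden input to place inside every form that changes state.
function csrf_hidden_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $token . '">';
}

// True only for a POST whose submitted token equals the session's token.
// Another origin can make the browser send this site's session cookie, but
// it cannot read the session, so it cannot know the token to submit.
// hash_equals() compares in constant time, so timing does not leak it.
function csrf_verify(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected  = $session[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD_NAME] ?? '';
    if (!is_string($expected) || !is_string($submitted) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// For contrast: the Referer test from utils.inc, with $server passed in
// instead of read from $_SERVER. Every value it looks at is chosen by the
// client, so a client that sends "Referer: http://<host><path>" passes.
function referer_matches(array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    return parse_url($referer, PHP_URL_HOST) === ($server['HTTP_HOST'] ?? null)
        && parse_url($referer, PHP_URL_PATH) === ($server['PHP_SELF'] ?? null);
}

// In a page: call session_start(), gate the form handler on
// csrf_verify($_SESSION, $_POST, $_SERVER['REQUEST_METHOD']), and print
// csrf_hidden_field($_SESSION) inside the <form>.

// Self-check with constructed data when run from the command line.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

if (PHP_SAPI === 'cli') {
    $session = [];                                   // stands in for $_SESSION
    $field   = csrf_hidden_field($session);
    $token   = $session[CSRF_SESSION_KEY];

    check(preg_match('/^[0-9a-f]{64}$/', $token) === 1, 'token is 32 random bytes, hex');
    check(strpos($field, 'value="' . $token . '"') !== false, 'hidden field carries the token');
    check(csrf_verify($session, [CSRF_FIELD_NAME => $token], 'POST'), 'real form post accepted');
    check(!csrf_verify($session, [CSRF_FIELD_NAME => str_repeat('0', 64)], 'POST'), 'wrong token rejected');
    check(!csrf_verify($session, [], 'POST'), 'missing token rejected');
    check(!csrf_verify($session, [CSRF_FIELD_NAME => $token], 'GET'), 'GET never accepted');

    // A script (not a browser) posting with a hand-written Referer header.
    $forged = [
        'REQUEST_METHOD' => 'POST',
        'HTTP_HOST'      => 'example.test',
        'PHP_SELF'       => '/form.php',
        'HTTP_REFERER'   => 'http://example.test/form.php',
    ];
    check(referer_matches($forged), 'forged Referer satisfies the old check');
    check(!csrf_verify($session, [CSRF_FIELD_NAME => 'guess'], 'POST'), 'same request fails the token check');

    echo "all checks passed\n";
}
```

Run it with `php` on the command line to execute the self-check. The token goes in the session rather than only in a cookie because a page on another origin can make the browser attach this site's cookies to a request but cannot read them, so the hidden field is the one value such a page cannot supply. A Referer, by contrast, costs an attacker nothing: `curl -e 'http://example.test/form.php'` sets exactly the header the old check looks for, and, as Michael notes, many legitimate browsers and proxies send none at all, so the old check turns away real users while letting the forgery through.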