
[nycphp-talk] JavaScript List?

Analysis & Solutions danielc at analysisandsolutions.com
Wed Jul 24 02:03:32 EDT 2002


Hi Folks:

I promise the following will be my final foray on this subject... :)

First, I'm sorry if I've come off as nasty.  That's certainly not my
intention.  But I _really_ don't like JavaScript.  Allow me to clarify
exactly why.

JS has opened up a wide array of vulnerabilities.  Putting the words
"javascript" and "vulnerability" into Google brought up over 31,000 hits:
http://www.google.com/search?q=javascript+vulnerability.  The bugs include
situations where the JS engine in the browser has flaws that cause
exploitable crashes.  Other problems arise from nasty scripts doing
nefarious things, such as cross-site scripting vulnerabilities.
Cross-site errors have arisen in notable programs such as Cold Fusion and
PHPNuke.  Here are some searches on this matter...

http://www.google.com/search?q=php+cross+site+scripting+vulnerability
brought back 6,800 hits.

http://online.securityfocus.com/search?submit=yes&category=23&order=DESC&query=cross%20site%20scripting
landed 237 pages.

So, this is not a small problem. The best way to keep such things from
happening is to keep JavaScript turned off.  I do.

The problem arises when landing on websites that require JS in order to do
essential things like click on hyperlinks, forward users to other pages or
submit forms.  While instances of JS can be convenient for the developers
and often provide a pretty interface, they needlessly restrict the
usefulness of the site.

These simple cross-site scripting vulnerabilities bring me back to an
earlier post:

On Fri, Jul 19, 2002 at 11:46:44AM -0400, Jim Hendricks wrote:
> That doesn't mean I can forget about security, it's just that why build Fort
> Knox to ensure someone doesn't steal my penny?

I'd consider a web discussion forum to be down in that low economic impact
area.  But, if the system doesn't check user input on the server before
saving it, users can get unpleasant cross-site coding saved that will
spring up every time someone views their posting.  This has no economic
impact on the server or the people running it, but it poses problems for
the people viewing the site.  So, pennies need to be protected.


On Fri, Jul 19, 2002 at 03:04:59PM -0400, Benjamin Stiglitz wrote:
>
> While I don't disagree with the post, I'd just like to point out that the
> PHP MySQL functions (I don't know about other databases) will only
> process the first SQL statement passed, preventing such exploits.

True for now.  But, there's no guarantee that'll always be the case -- be
it intentional or mistakenly.


On Fri, Jul 19, 2002 at 05:28:50PM -0400, Jim Hendricks wrote:
>
> Yes. And there is every other possibility as well.  I would hate to see
> the code that deals with every possibility.

I don't see what's the big deal about doing some basic validation for each
bit of user input.  Here's my basic method:

   #  Start out by creating an array to hold problem notices.
   $Probs = array();

   #  Now, examine the various variables submitted.
   #  For example, check $Data to see that it's an integer.
   #  ($Data holds the raw submitted value, e.g. $_POST['Data'];
   #  the (string) cast makes sure substr() always gets a string.)
   #  I do the substr() to keep the possible points of
   #  overflow failure down to one simple function.
   $Data = substr((string) $Data, 0, 6);
   if ( !preg_match('/^[0-9]{1,6}$/', $Data) ) {
      $Probs[] = 'Data was not an integer';
   }

   #  Finally, before inserting the data into your system,
   #  make sure there weren't any problems.
   if ( empty($Probs) ) {
      #  Life is good.  Proceed.
   } else {
      #  Ya got a problem.  (each() is gone in PHP 8; foreach does the job.)
      echo 'There were problems...<ul>';
      foreach ( $Probs as $Prob ) {
         echo "<li>$Prob</li>\n";
      }
      echo '</ul>';
   }

This process is really simple and eliminates all data corruption.
In my eyes, it's so easy, there's no reason not to do it.


On Fri, Jul 19, 2002 at 05:28:50PM -0400, Jim Hendricks wrote:
>
> Especially when this thread was started by
> a request for a newsgroup which deals in Javascript.

Yep.  And, as it turns out, it seems Steve went with a JavaScript answer
even though both you and I put forth PHP-based solutions.  Now there's one
more page on the net that's inaccessible to those w/o JS.

Anyway, ENOUGH!  Hope to see some of you on Wednesday.

--Dan

-- 
               PHP classes that make web design easier
        SQL Solution  |   Layout Solution   |  Form Solution
    sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
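What the validation method above, the forum-post cross-site scripting point and the "only the first SQL statement runs" remark add up to in present-day PHP, as an added example that is not Dan's code or anything from the thread: every submitted field goes through a bounded substr() and an anchored regex, the stored body is escaped with htmlspecialchars() when displayed (so a `<script>` typed into a post comes out as text without trusting any filter), and the insert uses a PDO prepared statement rather than relying on the driver refusing a second statement. The field names (thread, author, body), the posts table and the in-memory SQLite database are assumptions made so the example runs anywhere; the three submissions at the bottom are constructed inputs.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.1 with the
// PDO SQLite driver. Field names, table and sample input are made up here.
declare(strict_types=1);

/**
 * Validate one forum-post submission. Returns [$clean, $probs]: $clean holds
 * the normalised values, $probs the problem notices (empty array = all good).
 */
function validate_post(array $input): array
{
    $probs = [];
    $clean = [];

    // Thread id: digits only, at most 6 of them. Truncate first so the regex
    // (and everything downstream) only ever sees a bounded string.
    $thread = substr((string) ($input['thread'] ?? ''), 0, 6);
    if (!preg_match('/^[0-9]{1,6}$/', $thread)) {
        $probs[] = 'Thread id was not an integer';
    } else {
        $clean['thread'] = (int) $thread;
    }

    // Author: letters, digits, space and a few punctuation marks, 1..40 chars.
    $author = trim(substr((string) ($input['author'] ?? ''), 0, 40));
    if (!preg_match('/^[\p{L}\p{N} .\'_-]{1,40}$/u', $author)) {
        $probs[] = 'Author name was empty or contained disallowed characters';
    } else {
        $clean['author'] = $author;
    }

    // Body: free text, bounded in size, no control characters other than
    // CR/LF/tab. No attempt to strip "bad" HTML here: the body is stored as
    // typed and escaped when displayed (see render_post()).
    $body = substr((string) ($input['body'] ?? ''), 0, 4000);
    if ($body === '' || preg_match('/[^\P{Cc}\r\n\t]/u', $body)) {
        $probs[] = 'Message body was empty or contained control characters';
    } else {
        $clean['body'] = $body;
    }

    return [$clean, $probs];
}

/** Escape a string for use as HTML element content. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a stored post; anything that looks like markup is shown as text. */
function render_post(array $row): string
{
    return '<div class="post"><b>' . h($row['author']) . '</b>'
         . '<pre>' . h($row['body']) . '</pre></div>';
}

/** Store a validated post with a prepared statement (no string splicing). */
function store_post(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO posts (thread, author, body) VALUES (:thread, :author, :body)'
    );
    $stmt->execute([
        ':thread' => $clean['thread'],
        ':author' => $clean['author'],
        ':body'   => $clean['body'],
    ]);
    return (int) $db->lastInsertId();
}

// --- demo with constructed input; in-memory SQLite so nothing is touched ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, thread INTEGER, author TEXT, body TEXT)');
$select = $db->prepare('SELECT author, body FROM posts WHERE id = ?');

$submissions = [   // constructed sample submissions
    ['thread' => '42', 'author' => "Dan O'Reilly",
     'body' => "Hi folks,\r\nsee <script>alert(document.cookie)</script>"],
    ['thread' => '1; DROP TABLE posts; --', 'author' => 'x', 'body' => 'hello'],
    ['thread' => '7', 'author' => "bad\x00name", 'body' => ''],
];

foreach ($submissions as $i => $input) {
    [$clean, $probs] = validate_post($input);
    if ($probs) {
        echo "Submission $i rejected:\n";
        foreach ($probs as $p) {
            echo "  - $p\n";
        }
        continue;
    }
    $id = store_post($db, $clean);
    $select->execute([$id]);
    $row = $select->fetch(PDO::FETCH_ASSOC);
    echo "Submission $i stored as #$id, renders as:\n" . render_post($row) . "\n";
}
```

The second submission is rejected before it gets near the database: after the substr() the thread field is "1; DRO", which fails the digits-only regex, so whether or not the driver would execute a second statement never comes up. The first submission is stored exactly as typed, and the `<script>` tag is rendered as `&lt;script&gt;`, which is what keeps the cross-site scripting "penny" protected for everyone who later views the post.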


