can list() in while loop, while printing things to a screen, somehow affect the values in an array?


  #1

    Re: can list() in while loop, while printing things to a screen, somehow affect the values in an array?

    lawrence wrote:
    <snip>
    > stamp.) (The host I'm on is running PHP 4.06, which is why I can't use
    > $_COOKIE).
    > $choiceMade = $_GET["choiceMade"];
    > if ($choiceMade) {
    > reset($HTTP_COOKIE_VARS);

    I'm not going to spend all my time analyzing this, as you obviously have
    multiple other functions and objects not shown, BUT, I will point this out -
    if you're having weird problems with choiceMade, it's probably because of
    this above. You say that the server is PHP 4.0.6, then $choiceMade =
    $_GET['choiceMade'] is not going to work... $choiceMade will not get the
    value you want (unless you are actually manually constructing $_GET
    somewhere...). Give it a shot with $choiceMade =
    $HTTP_GET_VARS['choiceMade']; and see if that solves anything.

    // Ian Fette
    // Proponent comp.lang.php


    Agelmar Guest

  #2

    Re: can list() in while loop, while printing things to a screen, somehow affect the values in an array?

    On Sat, 12 Jul 2003 19:21:32 GMT, "Jason" <jsumner1@cfl.rr.com> wrote:
    >Try choiceMade() and not $choiceMade(). "$" is for variables.
    He's doing a variable function call.

    (Which is sheer lunacy from a form variable, but valid syntax nonetheless).

    --
    Andy Hassall (andy@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
    Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)
    Andy Hassall Guest

  #3

    Re: can list() in while loop, while printing things to a screen, somehow affect the values in an array?

    Andy Hassall <andy@andyh.co.uk> wrote in message news:<iao0hvo5334e94v10bks47dte5s8ofrqej@4ax.com>...
    > On Sat, 12 Jul 2003 19:21:32 GMT, "Jason" <jsumner1@cfl.rr.com> wrote:
    >
    > >Try choiceMade() and not $choiceMade(). "$" is for variables.
    >
    > He's doing a variable function call.
    >
    > (Which is sheer lunacy from a form variable, but valid syntax nonetheless).
    Sheer lunacy from a security standpoint I assume. Which is why every
    one of my functions starts with:

    global $users;
    $users->checkPermission();


    Which makes sure the person has the authority to do what they're trying
    to do.
    lawrence Guest

  #4

    Re: can list() in while loop, while printing things to a screen, somehow affect the values in an array?

    On 13 Jul 2003 06:35:31 -0700, lkrubner@geocities.com (lawrence) wrote:
    >Andy Hassall <andy@andyh.co.uk> wrote in message news:<iao0hvo5334e94v10bks47dte5s8ofrqej@4ax.com>...
    >> On Sat, 12 Jul 2003 19:21:32 GMT, "Jason" <jsumner1@cfl.rr.com> wrote:
    >>
    >> >Try choiceMade() and not $choiceMade(). "$" is for variables.
    >>
    >> He's doing a variable function call.
    >>
    >> (Which is sheer lunacy from a form variable, but valid syntax nonetheless).
    >
    >Sheer lunacy from a security standpoint I assume.
    Yep.
    >Which is why every one of my functions starts with:
    >
    >global $users;
    >$users->checkPermission();
    >
    >Which makes sure the person has the authority to do what they're trying
</gr_replreplace>
<gr_replace lines="112-113" cat="reformat" orig="Andy Hassall (andy">
    Andy Hassall (andy@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
    Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)
    >to do.
    But in the code you posted you're not checking the value of $choiceMade,
    you're going straight from input to executing it as a function.

    If in the real code you're checking $choiceMade is one of a set of functions
    that the user is allowed to execute, then fine.

    --
    Andy Hassall (andy@andyh.co.uk) icq(5747695) ([url]http://www.andyh.co.uk[/url])
    Space: disk usage analysis tool ([url]http://www.andyhsoftware.co.uk/space[/url])
    Andy Hassall Guest

  #5

    Re: can list() in while loop, while printing things to a screen, somehow affect the values in an array?

    Andy Hassall <andy@andyh.co.uk> wrote in message
    > But in the code you posted you're not checking the value of $choiceMade,
    > you're going straight from input to executing it as a function.
    >
    > If in the real code you're checking $choiceMade is one of a set of functions
    > that the user is allowed to execute, then fine.
    Thanks for the feedback. Believe me, this is an issue I've sweated
    over. I'm paranoid someone will find a way in through this hole.

    I think the answer to your question, if I read it correctly, is no, I
    don't test the value of $choiceMade against a list of functions the
    user can execute. Not before the function executes. I do so as the
    function executes. The second line of every function is
    $users->check(), to see if the user has permission to do that
    function.

    Suppose you go to monkeyclaus right now and type in a URL like this:

    http://www.monkeyclaus.org/mcIncludes/mcControlPanel.php?choiceMade=printDeleteWeblogForm

    You are, with this url, attempting to hack into the site and execute
    the function printDeleteWeblogsForm();

    Before your code can execute the password and username are checked and
    the login screen is printed, followed by die();

    I admit, if you go here:

    http://www.monkeyclaus.org/index.php?choiceMade=printDeleteWeblogForm

    You get an error message that I can't understand, and anything that I
    can't understand regarding the security of the site makes me sweat.

    My attitude is that this software is beta. That is how it is marked
    and that is what I tell everyone - "The software is beta, I'm still
    testing the security, don't be surprised if the site gets hacked."

    For a year and half this software was for just one person, and then
    the security was iron tight. Just last month I added a user system,
    which has added a great deal of complexity, and also the possibilities
    of security holes. I hope to find them all by the end of the summer.
    When I feel pretty confident, and my friends have gone over the site
    and tried to hack it and found no way in, then I'll stop calling it
    "beta".




    This is the function for deleting weblogs. Normally it would print a
    list of all weblogs and ask which you wanted to delete:


    function printDeleteWeblogForm($pageId=0) {
        // 06-18-03 - today I've introduced the function deleteForm in the
        // forms class which comes close to providing a universal delete form
        // for any of the entries in mcContentBlocks.
        global $users, $forms;
        $users->check();
        $forms->deleteForm("weblogs");
    }
    lawrence Guest

  #6

    Re: can list() in while loop, while printing things to a screen, somehow affect the values in an array?

    On 13 Jul 2003 11:52:28 -0700, lkrubner@geocities.com (lawrence) wrote:
    >Andy Hassall <andy@andyh.co.uk> wrote in message
    >> But in the code you posted you're not checking the value of $choiceMade,
    >> you're going straight from input to executing it as a function.
    >>
    >> If in the real code you're checking $choiceMade is one of a set of functions
    >> that the user is allowed to execute, then fine.
    >
    >Thanks for the feedback. Believe me, this is an issue I've sweated
    >over. I'm paranoid someone will find a way in through this hole.
    >
    >I think the answer to your question, if I read it correctly, is no, I
    >don't test the value of $choiceMade against a list of functions the
    >user can execute. Not before the function executes. I do so as the
    >function executes. The second line of every function is
    >$users->check(), to see if the user has permission to do that
    >function.
    OK, I see.

    However, my point is - what if choiceMade is used to execute a function that
    you haven't written, and so you haven't put this security check in? Then it's
    too late, the function is already running...
    >Suppose you go to monkeyclaus right now and type in a URL like this:
    >
    >http://www.monkeyclaus.org/mcIncludes/mcControlPanel.php?choiceMade=printDeleteWeblogForm
    >
    >You are, with this url, attempting to hack into the site and execute
    >the function printDeleteWeblogsForm();
    >
    >Before your code can execute the password and username are checked and
    >the login screen is printed, followed by die();
    I can't off the top of my head think of a PHP function that takes no
    parameters that could cause serious mischief. There may be one though, or maybe
    another of your functions that you were never expecting to be called, and so
    doesn't have the security check.

    Consider if you ever added parameter support to your system; e.g.
    'choiceMade=function&arg1=whatever' would call function("whatever"). At that
    point you enter a whole world of pain, because you could call:

    choiceMade=eval&arg1=<whatever PHP code you like>

    If you limit choiceMade to only those functions that you have written and you
    have added the security check to, then you avoid such problems.

    Could be as simple as a global array containing all the functions, and then
    use array_exists to check that $choiceMade is one of those designated
    'OK-to-call' functions.

    --
    Andy Hassall (andy@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
    Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)
    Andy Hassall Guest
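The allowlist Andy recommends in this post, and the "straight from input to executing it as a function" problem he raised in #4, as an added PHP example (mine, not code from the thread or from the monkeyclaus site). The handler names, the table `$ALLOWED_CHOICES` and the `dispatch()` helper are all assumed for illustration; it targets PHP 5.1 or later. PHP's built-in membership checks are `in_array` and `array_key_exists` (the `array_exists` named above is not a PHP function).

```php
<?php
// Added example, not code from the thread or from the site it discusses.
// The request may *select* a handler, but only from a fixed table, and the
// check runs before anything is called.

// Constructed handlers standing in for the site's real functions.
function printWeblogList()
{
    return 'weblog list';
}

function printDeleteWeblogForm($pageId = 0)
{
    return 'delete form for weblog page ' . $pageId;
}

// The only names a request may select (assumed table name). Anything else,
// including PHP built-ins such as phpinfo or system and any function of
// yours that lacks its own permission check, is unreachable through this path.
$ALLOWED_CHOICES = array(
    'printWeblogList'       => 'printWeblogList',
    'printDeleteWeblogForm' => 'printDeleteWeblogForm',
);

// For contrast, the shape discussed in the thread (do not use):
//   $choiceMade = $_GET['choiceMade'];
//   if ($choiceMade) { $choiceMade(); }   // calls whatever name the client sent

function dispatch(array $allowed, $choiceMade, $arg = 0)
{
    // Reject anything that is not a string naming an allowlisted handler.
    // array_key_exists is an exact string match: no loose comparison, no
    // case folding, no partial matches.
    if (!is_string($choiceMade) || !array_key_exists($choiceMade, $allowed)) {
        // Log the rejection for review; never echo the raw value back.
        error_log('dispatch: rejected choiceMade (' . gettype($choiceMade) . ')');
        return null;
    }
    // If parameters are ever added, coerce them to the type the handler
    // expects instead of passing the raw query string through.
    $handler = $allowed[$choiceMade];
    return $handler((int) $arg);
}

// Constructed inputs standing in for $_GET['choiceMade'] (on PHP 4.0.6 that
// would be $HTTP_GET_VARS['choiceMade'], as the first reply notes).
var_dump(dispatch($ALLOWED_CHOICES, 'printDeleteWeblogForm', 7));   // allowlisted
var_dump(dispatch($ALLOWED_CHOICES, 'phpinfo'));                    // built-in, not in table
var_dump(dispatch($ALLOWED_CHOICES, 'printdeleteweblogform'));      // case differs, not in table
var_dump(dispatch($ALLOWED_CHOICES, array('printWeblogList')));     // wrong type
```

The per-function `$users->check()` from #5 still belongs inside each handler as defence in depth; the table simply guarantees that only functions which carry that check can be reached from the query string at all.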

  #7

    Re: can list() in while loop, while printing things to a screen, somehow affect the values in an array?

    Andy Hassall <andy@andyh.co.uk> wrote in message
    > I can't off the top of my head think of a PHP function that takes no
    > parameters that could cause serious mischief. There may be one though, or maybe
    > another of your functions that you were never expecting to be called, and so
    > doesn't have the security check.
    >
    > Consider if you ever added parameter support to your system; e.g.
    > 'choiceMade=function&arg1=whatever' would call function("whatever"). At that
    > point you enter a whole world of pain, because you could call:
    >
    > choiceMade=eval&arg1=<whatever PHP code you like>
    >
    > If you limit choiceMade to only those functions that you have written and you
    > have added the security check to, then you avoid such problems.
    >
    > Could be as simple as a global array containing all the functions, and then
    > use array_exists to check that $choiceMade is one of those designated
    > 'OK-to-call' functions.


    You're right, I will implement an array listing all functions that can
    be called. Thanks very much for thinking it through, you've been a
    huge help.
    lawrence Guest
