Risky Coding in the PHPWiki

Status
Not open for further replies.

chefan

Sometimes it seems to be a good idea to use available Software with a suitable common license in your projects. It can save time and using a well tested backend sounds like a great idea... BUT:

Check what you use VERY CAREFULLY. I for my part used the PHPWiki as a backend for kind of a "poor man's content management" system, but while expanding some features, I stumbled over a potential security risk.

The PHPWiki imports Get & Post data into variables, without setting any prefix. The command used is import_request_variables() - you can look it up in the php docs - and what it does is to link the $_GET and $_POST autoglobals to variables named after the array keys.

Since in this case no prefix is used, the security risk is obvious:
ANYONE can set ANY variable by adding "$varname=varcontent" to the url calling your page.
This does not necessarily mean that using the PHPWiki out of the box has to be unsafe. As long as all variables are set before use ALL THE TIME, nothing will happen, since the variables will be overwritten.

But I will give an example how it could happen:

Imagine there is a snippet in your code which looks like:

Code:
// The default is only applied when $anyvar is unset; an unprefixed request import can pre-set it.
if (!isset($anyvar)) dothisandthat($parameters);

If the user calls the page with "http://yourpage.tld?anyvar=anytext", he will set $_GET['anyvar'] to "anytext". Importing the request variables will create a reference for $anyvar to the content of $_GET['anyvar'], which means that when the code snippet above is executed, the variable will be set and NOT be overwritten. So if your code works with such constructs (PHPWiki does), your script can be manipulated at runtime.

So if you want to do yourself a favor: NEVER USE ANY CODE YOU DON'T ENTIRELY UNDERSTAND. :cool:

By the way: the former way to use Globals in PHP is deprecated for a reason. So if you code something yourself, stay away from functions like import_request_variables(), if you don't have a very good reason why you have to use them (none comes to my mind apart from being a bit lazy).

Regards, Stefan
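The following script is an added example, not code from the post above or from PHPWiki, showing the pattern Stefan describes next to two hardened forms. Because import_request_variables() was removed in PHP 5.4, its unprefixed behaviour is emulated with extract() over a constructed $_GET array; the variable name $is_admin, the function names and the query-string values are all hypothetical.

```php
<?php
// Added example (not from the original post or from PHPWiki): an unprefixed
// request-variable import lets a request pre-set a variable that the code only
// initialises when unset. The old import_request_variables() no longer exists,
// so extract() on a constructed $_GET stands in for it; no real request is made.

declare(strict_types=1);

// Constructed request, equivalent to the query string ?is_admin=1&anyvar=anytext
$_GET = ['is_admin' => '1', 'anyvar' => 'anytext'];

// Vulnerable pattern: emulates import_request_variables('gp') with no prefix.
function vulnerable_flow(array $request): string
{
    // Every request key becomes a local variable, exactly like the unprefixed import.
    extract($request, EXTR_OVERWRITE);

    // The guard the post warns about: the default is applied only when the
    // variable is unset, so the request has already decided its value here.
    if (!isset($is_admin)) {
        $is_admin = '0';
    }
    return $is_admin === '1' ? 'admin view' : 'normal view';
}

// Hardened pattern 1: assign every default unconditionally and read request
// data only from the superglobal, by name, where input is actually wanted.
function hardened_flow(array $request): string
{
    $is_admin = '0';                             // never derived from the request
    $page     = $request['page'] ?? 'HomePage';  // explicit, named input with a default
    return ($is_admin === '1' ? 'admin view' : 'normal view') . " of $page";
}

// Hardened pattern 2: if an import is unavoidable, give it a prefix so request
// keys can never collide with the script's own variable names.
function prefixed_import(array $request): array
{
    extract($request, EXTR_PREFIX_ALL, 'req');   // creates $req_is_admin, $req_anyvar
    return [
        'internal_is_admin_set' => isset($is_admin),   // internal name untouched
        'req_is_admin'          => $req_is_admin ?? null, // input still reachable, but labelled
    ];
}

echo vulnerable_flow($_GET), PHP_EOL;
echo hardened_flow($_GET), PHP_EOL;
var_export(prefixed_import($_GET));
echo PHP_EOL;
```

Run it with the PHP CLI: vulnerable_flow() returns the admin view because $is_admin was already set from the request when the isset() guard ran, hardened_flow() always returns the normal view with the default page name, and prefixed_import() reports that $is_admin is unset while the request value is only reachable as $req_is_admin. The second pattern is the direct fix for the missing prefix the post describes; the first is the better habit, since it keeps every variable under the script's control regardless of how request data is imported.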