Discussion:
is this if secure?
Netman
2014-05-28 18:15:41 UTC
Hello again!

is this code secure?

if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}


Is it secure in your opinion?

Regards
K.
Jerry Stuckle
2014-05-28 18:23:07 UTC
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Regards
K.
Yes, this code is secure (I don't know about anything else you might be
doing).

But unless you're writing a CMS, why not just allow direct access to the
pages?
--
==================
Remove the "x" from my email address
Jerry Stuckle
***@attglobal.net
==================
Netman
2014-05-28 18:25:50 UTC
User "Jerry Stuckle" wrote in the group message
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Regards
K.
Yes, this code is secure (I don't know about anything else you might be
doing).

But unless you're writing a CMS, why not just allow direct access to the
pages?
--
==================
Remove the "x" from my email address
Jerry Stuckle
***@attglobal.net
==================

Ok thank you.

My answer to your question: because it takes a longer code :)
Jerry Stuckle
2014-05-28 18:31:15 UTC
Post by Netman
User "Jerry Stuckle" wrote in the group message
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Regards
K.
Yes, this code is secure (I don't know about anything else you might be
doing).
But unless you're writing a CMS, why not just allow direct access to the
pages?
That could be - but it won't stop someone from trying to load
www.example.com/test.php on their own.

THAT could be an exposure.
--
==================
Remove the "x" from my email address
Jerry Stuckle
***@attglobal.net
==================
Gordon Freeman
2014-05-29 23:26:36 UTC
Post by Jerry Stuckle
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Regards
K.
Yes, this code is secure (I don't know about anything else you might be
doing).
One thing I am never sure about is when such an expression would be
susceptible to the bug whereby the arguments are coerced to integers, i.e.
suppose someone submits "action" set to 0, then we would be evaluating

0 == "test"

doesn't this then cause PHP to evaluate "test" as an integer too, with
value 0, so the test succeeds with 0 == 0? If that happened then we would
surely end up with a statement include("0.php")
--
_______________________________________________________

Facts are stubborn, but statistics are more pliable.
_______________________________________________________
Jerry Stuckle
2014-05-30 00:27:39 UTC
Post by Gordon Freeman
Post by Jerry Stuckle
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Regards
K.
Yes, this code is secure (I don't know about anything else you might be
doing).
One thing I am never sure about is when such an expression would be
susceptible to the bug whereby the arguments are coerced to integers, i.e.
suppose someone submits "action" set to 0, then we would be evaluating
0 == "test"
doesn't this then cause PHP to evaluate "test" as an integer too, with
value 0, so the test succeeds with 0 == 0? If that happened then we would
surely end up with a statement include("0.php")
Hi, Gordon,

In some cases that would be a realistic concern. However, since all
$_GET, $_POST, etc. variables are returned as strings (even if the
contents were "0"), it's not much of a worry here.
--
==================
Remove the "x" from my email address
Jerry Stuckle
***@attglobal.net
==================
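The coercion question Gordon raises and Jerry's answer, as an added example that is not code from this thread: it contrasts the loose comparison in the posted check with the string-typed values a request actually delivers, and shows an allowlist form of the same dispatch. The `dispatch_loose`/`dispatch_strict` names and the `test.php`/`test2.php` file names are assumptions.

```php
<?php
// Added example, not from the thread. Function and file names are assumptions.

// 1. Loose comparison of an integer with a non-numeric string.
//    PHP 5/7: 0 == "test" is true ("test" is coerced to integer 0).
//    PHP 8+:  0 == "test" is false (0 is compared as the string "0").
//    This is the case Gordon describes, and it needs an actual integer.
function int_vs_string(): bool
{
    return 0 == "test";
}

// 2. Query-string values arrive as strings (or arrays), never integers,
//    so the posted check compares string to string on every PHP version.
function string_vs_string(): bool
{
    return "0" == "test";   // false on every version
}

// 3. Loose comparison still treats two numeric-looking strings numerically.
//    That only matters if an allowed name were itself numeric; "test" and
//    "test2" are not, which is why the posted check holds up.
function numeric_strings(): bool
{
    return "1e1" == "10";   // true on every version
}

// The check as posted in the thread: loose comparison, and the included
// file name is built from the request value itself.
function dispatch_loose(array $get): ?string
{
    $action = $get['action'] ?? null;
    if ($action == "test" || $action == "test2") {
        return $action . ".php";
    }
    return null;
}

// Allowlist variant: the value must be a string that is exactly one of the
// permitted keys, and the path handed to include() comes from the map, so
// request data never reaches include() directly. Arrays (?action[]=test)
// and missing keys fall through to null on both variants.
function dispatch_strict(array $get): ?string
{
    $allowed = ['test' => 'test.php', 'test2' => 'test2.php'];
    $action = $get['action'] ?? null;
    if (is_string($action) && array_key_exists($action, $allowed)) {
        return $allowed[$action];
    }
    return null;
}
```

Constructed inputs to try: `dispatch_strict(['action' => 'test'])`, `dispatch_strict([])`, and `dispatch_strict(['action' => ['test']])`; the first returns a file name from the allowlist and the other two return null.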
r***@hotmail.com
2020-03-16 11:32:25 UTC
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Regards
K.
Everything depends... But I guess it's right when you have everything set up correctly.


Kristjan Robam
J.O. Aho
2020-03-16 19:46:51 UTC
Post by r***@hotmail.com
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Everything depends... But I guess it's right when you have everything set up correctly.
The code was already insecure back in 2014. Even if you feel bored in
closed-down Estonia due to the SARS-CoV-2 virus, you don't have to
reply to all the old posts you find with the help of Google Groups.
--
//Aho
😉 Good Guy 😉
2020-03-16 20:02:54 UTC
Post by J.O. Aho
Post by r***@hotmail.com
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Everything depends... But I guess it's right when you have everything set up correctly.
The code was already insecure back in 2014. Even if you feel bored in
closed-down Estonia due to the SARS-CoV-2 virus, you don't have to
reply to all the old posts you find with the help of Google Groups.
Send him an email to notify him that he is responding to old posts where
the original posters might have died and are not able to read any of them.
There is a newsgroup after death!!!
--
With over 1.2 billion devices now running Windows 10, customer
satisfaction is higher than any previous version of Windows.
Kristjan Robam
2020-03-19 17:12:26 UTC
On Wednesday, 28 May 2014 21:15:41 UTC+3
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
     include($_GET["action"].".php");
}
Is it secure in your opinion?
Everything depends... But I guess it's right when you have
everything set up correctly.
The code was already insecure back in 2014. Even if you feel bored
in closed-down Estonia due to the SARS-CoV-2 virus, you don't
have to reply to all the old posts you find with the help of Google Groups.
Send him an email to notify him that he is responding to old posts
where the original posters might have died and are not able to read any
of them. There is a newsgroup after death!!!
I have already died; I'm on the second life....



Kristjan Robam
--
With over 1.2 billion devices now
running Windows 10, customer satisfaction is higher than any
previous version of Windows.
Kristjan Robam
2020-03-19 17:11:14 UTC
Post by J.O. Aho
Post by r***@hotmail.com
Post by Netman
Hello again!
is this code secure?
if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
include($_GET["action"].".php");
}
Is it secure in your opinion?
Everything depends... But I guess it's right when you have everything set up correctly.
The code was already insecure back in 2014. Even if you feel bored in
closed-down Estonia due to the SARS-CoV-2 virus, you don't have to
reply to all the old posts you find with the help of Google Groups.
--
//Aho
Hi Aho....
I am only using Google Groups. I don't use other programs. This solution seems to be the best in my opinion so far.


Kristjan Robam
J.O. Aho
2020-03-19 17:46:07 UTC
Post by Kristjan Robam
I am only using Google Groups.
I don't use other programs. This solution seems to be the best in my opinion so far.
Yes, we have noticed; you ain't the only one who uses Google Groups and
treats the user groups as if they were some kind of web-based forum.

Please avoid replying to threads that are years old, even if you think
the information there is useful to you; if you want to know something
more, then start a new thread and ask the questions you have.

Treat threads as a slightly slower way of instant messaging, and all the user
group users who don't use Google Groups would be a lot happier too.
--
//Aho
Kristjan Robam
2020-03-19 18:18:06 UTC
Post by J.O. Aho
Post by Kristjan Robam
I am only using Google Groups.
I don't use other programs. This solution seems to be the best in my opinion so far.
Yes, we have noticed; you ain't the only one who uses Google Groups and
treats the user groups as if they were some kind of web-based forum.
Please avoid replying to threads that are years old, even if you think
the information there is useful to you; if you want to know something
more, then start a new thread and ask the questions you have.
Treat threads as a slightly slower way of instant messaging, and all the user
group users who don't use Google Groups would be a lot happier too.
--
//Aho
OK, Mr or Mrs Aho.


Kristjan Robam
