Odd CURL problem - Page 2
  1. #11

    xoggoth

    Cheers all. All the input has length limits and strip_tags when taken by self post, and the inputs are all hidden in the redirection page anyway. Think it has all the security I can be bothered with.

    I am never keen on using third party libraries/packages, great until something goes wrong, then you have to grapple with masses of unfamiliar and mostly irrelevant code. Prefer to stick to my simple stuff. Database is regularly backed up, downloaded to Excel at 2 locations and orders are also in emails/paper invoices.
    bloggoth

    If everything isn't black and white, I say, 'Why the hell not?'
    John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)

  2. #12

    NickFitz

    Quote Originally Posted by xoggoth View Post
    I am never keen on using third party libraries/packages, great until something goes wrong, then you have to grapple with masses of unfamiliar and mostly irrelevant code.
    The fact that after six months working with Symfony, in a department filled with extremely smart people who'd been working with it for a year or more who tried to help, I still had to get the bloke who'd invented it to come and fix it, suggests you have the right attitude

  3. #13

    TheGreenBastard

    Quote Originally Posted by NickFitz View Post
    The fact that after six months working with Symfony, in a department filled with extremely smart people who'd been working with it for a year or more who tried to help, I still had to get the bloke who'd invented it to come and fix it, suggests you have the right attitude
    Did you pay a premium for his services? Master kudos to him if you did. Infect companies with your product and hold the secret key.

  4. #14

    NickFitz

    Quote Originally Posted by TheGreenBastard View Post
    Did you pay a premium for his services? Master kudos to him if you did. Infect companies with your product and hold the secret key.
    Nah, as mentioned upthread I was contracting at Yahoo! at the time and they'd given him a job, just like they had with Rasmus Lerdorf. Their business management was generally terrible, but they had the right idea of hiring the people who'd made the stuff they used

  5. #15

    NickFitz

    Quote Originally Posted by NickFitz View Post
    Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.
    [citation needed] - in Symfony\Component\Form\NativeRequestHandler you'll find the code that grabs the request data from $_POST or $_GET and stuffs it into the Symfony form object: symfony/NativeRequestHandler.php at master (symfony/symfony on GitHub)

  6. #16


    Quote Originally Posted by NickFitz View Post
    Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.
    Admittedly it's been 4 years since I've done any PHP coding, but I did believe there were other ways to handle input data, but I believe it depends on how you run the app, such as mod_php vs FPM.

    Still, either way, you are just getting unvalidated data into your app, the point of using a framework, is to make sure you pass through the input and output validation layers, and then you could use SAST to help confirm this in PRs and such. Basic Globals are bad m'kay advice.

    Still, it does sound like the OP has made an attempt to validate, so hopefully he's okay.

    Quote Originally Posted by NickFitz View Post
    Anyway, to get back to the matter at hand: as you say, if you're just grabbing stuff from $_POST and sending it along to WorldPay via CURL, it should be all right as they'll have their own checks and balances. You might want to do a bit of sanity checking on it before passing it through just to avoid annoying them, but it'll probably be OK
    The warning isn't that he'd hack WorldPay, it's that his own server / PHP stack could be owned before the POST. If he's doing a redirect, then the actual payment data probably isn't included in his app, which mitigates the issue.

    I haven't seen the actual code he's written though, so who knows, it's possible he's fine.
    Last edited by fool; 9th April 2019 at 09:30.
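The thread keeps coming back to the same two points: data read from $_POST is unvalidated until the app validates it, and whatever is then forwarded to the gateway via curl should be only the fields the app expects. The following PHP is an added illustration of that pattern and is not code from any poster, from Symfony or from WorldPay; the field names, length limits, patterns and the gateway URL are assumptions chosen for the example.

```php
<?php
// Added example (not from the thread): allow-list and validate a fixed set of
// form fields taken from $_POST, then forward only those fields to a gateway.
// Field names, limits, patterns and the gateway URL are illustrative assumptions.

declare(strict_types=1);

// Each expected field gets a maximum length and, where useful, a pattern.
const FIELD_RULES = [
    'name'      => ['max' => 60,  'pattern' => '/^[\p{L} \'.-]+$/u'],
    'email'     => ['max' => 254, 'pattern' => null], // checked with filter_var
    'amount'    => ['max' => 10,  'pattern' => '/^\d{1,7}(\.\d{2})?$/'],
    'reference' => ['max' => 32,  'pattern' => '/^[A-Za-z0-9-]+$/'],
];

/**
 * Returns the validated fields, or throws if a required field is missing,
 * too long, or does not match its rule. Fields not in the allow-list are dropped.
 */
function validateOrderInput(array $post): array
{
    $clean = [];
    foreach (FIELD_RULES as $field => $rule) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing field: $field");
        }
        $value = trim($post[$field]);
        if (mb_strlen($value) > $rule['max']) {
            throw new InvalidArgumentException("field too long: $field");
        }
        if ($field === 'email') {
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                throw new InvalidArgumentException('invalid email address');
            }
        } elseif ($rule['pattern'] !== null && !preg_match($rule['pattern'], $value)) {
            throw new InvalidArgumentException("invalid characters in: $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

/** Forwards validated fields to the gateway over TLS with peer verification on. */
function forwardToGateway(string $gatewayUrl, array $fields): string
{
    $ch = curl_init($gatewayUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // never disable this for a payment gateway
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $response = curl_exec($ch);
    if ($response === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("gateway request failed: $err");
    }
    curl_close($ch);
    return $response;
}

// Constructed sample input standing in for $_POST; a real handler passes $_POST.
$samplePost = [
    'name'      => 'A. Customer',
    'email'     => 'customer@example.com',
    'amount'    => '12.50',
    'reference' => 'ORDER-1234',
    'extra'     => '<b>not expected</b>', // not in the allow-list, so dropped
];

$validated = validateOrderInput($samplePost);
// $validated now holds exactly the four allow-listed fields and nothing else.
// forwardToGateway('https://gateway.example/pay', $validated); // placeholder URL
```

The design choice worth noting is the allow-list: rather than stripping tags from whatever arrives, the handler only ever reads the fields it knows about and rejects anything outside their length and character rules, so nothing unexpected reaches the curl call.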

  7. #17


    Eh! All a bit over me 'ead. Only had 2 hacks in many years, one was an iframe in the HTML, think due to using an insecure version of Filezilla. One bit of fiddling with database due to security errors, fixed that.

  8. #18

    xoggoth

    Darn it, forgot to log Albert out.
