• Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
  • Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

Odd CURL problem

Collapse
X
  •  
  • Filter
  • Time
  • Show
Clear All
new posts

    #11
    Cheers all. All the input has length limits and and strip_tags when taken by self post and the inputs are all hidden in the redirection page anyway. Think has all the security I can be bothered with.

    I am never keen on using third party libraries/packages, great until something goes wrong, then you have to grapple with masses of unfamiliar and mostly irrelevant code. Prefer to stick to my simple stuff. Database is regularly backed up, downloaded to Excel at 2 locations and orders are also in emails/paper invoices.
    bloggoth

    If everything isn't black and white, I say, 'Why the hell not?'
    John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)

    Comment


      #12
      Originally posted by xoggoth View Post
      I am never keen on using third party libraries/packages, great until something goes wrong, then you have to grapple with masses of unfamiliar and mostly irrelevant code.
      The fact that after six months working with Symfony, in a department filled with extremely smart people who'd been working with it for a year or more who tried to help, I still had to get the bloke who'd invented it to come and fix it, suggests you have the right attitude

      Comment


        #13
        Originally posted by NickFitz View Post
        The fact that after six months working with Symfony, in a department filled with extremely smart people who'd been working with it for a year or more who tried to help, I still had to get the bloke who'd invented it to come and fix it, suggests you have the right attitude
        Did you pay a premium for his services? Master kudos to him if you did. Infect companies with your product and hold the secret key.

        Comment


          #14
          Originally posted by TheGreenBastard View Post
          Did you pay a premium for his services? Master kudos to him if you did. Infect companies with your product and hold the secret key.
          Nah, as mentioned upthread I was contracting at Yahoo! at the time and they'd given him a job, just like they had with Rasmus Lerdorf. Their business management was generally terrible, but they had the right idea of hiring the people who'd made the stuff they used

          Comment


            #15
            Originally posted by NickFitz View Post
            Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.
            [citation needed] - in Symfony\Component\Form\NativeRequestHandler you'll find the code that grabs the request data from $_POST or $_GET and stuffs it into the Symfony form object: symfony/NativeRequestHandler.php at master . symfony/symfony . GitHub

            Comment


              #16
              Originally posted by NickFitz View Post
              Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.
              Admitiedly it's been 4 years since I've did any PHP coding, but I did believe there were other ways to handle input data, but I believe depends on how you run the app such as mod_php vs FPM.

              Still, either way, you are just getting unvalidated data into your app, the point of using a framework, is to make sure you pass through the input and output validation layers, and then you could use SAST to help confirm this in PRs and such. Basic Globals are bad m'kay advice.

              Still, it does sound like the OP has made an attempt to validate, so hopefully he's okay.

              Originally posted by NickFitz View Post
              Anyway, to get back to the matter at hand: as you say, if you're just grabbing stuff from $_POST and sending it along to WorldPay via CURL, it should be all right as they'll have their own checks and balances. You might want to do a bit of sanity checking on it before passing it through just to avoid annoying them, but it'll probably be OK
              The warning isn't that'd he'd hack worldpay, it's that his own server / php stack could be owned before the POST. If he's doing a redirect, then the actual payment data probably isn't included in his app, which mitigates the issue.

              I haven't seen the actual code he's written though, so who knows, it's possible he's fine.
              Last edited by fool; 9 April 2019, 09:30.

              Comment


                #17
                Eh! All a bit over me 'ead. Only had 2 hacks in many years, one was an iframe in the HTML, think due to using an insecure version of Filezilla. Once bit of fiddling with database due to security errors, fixed that.

                Comment


                  #18
                  Darn it, forgot to log Albert out.
                  bloggoth

                  If everything isn't black and white, I say, 'Why the hell not?'
                  John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)

                  Comment

                  Working...
                  X