
is this if secure?


Netman
May 28, 2014, 2:15:41 PM
Hello again!

is this code secure?

if ($_GET["action"]=="test" || $_GET["action"]=="test2")
{
    include($_GET["action"].".php");
}


Is it secure in your opinion?

Regards
K.

Jerry Stuckle
May 28, 2014, 2:23:07 PM
Yes, this code is secure (I don't know about anything else you might be
doing).

But unless you're writing a CMS, why not just allow direct access to the
pages?

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstu...@attglobal.net
==================

Netman
May 28, 2014, 2:25:50 PM
User "Jerry Stuckle" wrote in newsgroup message lm59i7$kg0$1...@dont-email.me...
Ok thank you.

My answer to your question: because it takes a longer code :)

Jerry Stuckle
May 28, 2014, 2:31:15 PM
On 5/28/2014 2:25 PM, Netman wrote:
>
>
> User "Jerry Stuckle" wrote in newsgroup message lm59i7$kg0$1...@dont-email.me...
>
> On 5/28/2014 2:15 PM, Netman wrote:
>> Hello again!
>>
>> is this code secure?
>>
>> if ($_GET["action"]=="test" || $_GET["action"]=="test2")
>> {
>> include($_GET["action"].".php");
>> }
>>
>>
>> Is it secure in your opinion?
>>
>> Regards
>> K.
>
> Yes, this code is secure (I don't know about anything else you might be
> doing).
>
> But unless you're writing a CMS, why not just allow direct access to the
> pages?
>

That could be - but it won't stop someone from trying to load
www.example.com/test.php on their own.

THAT could be an exposure.

Gordon Freeman
May 29, 2014, 7:26:36 PM
Jerry Stuckle <jstu...@attglobal.net> wrote:

> On 5/28/2014 2:15 PM, Netman wrote:
>> Hello again!
>>
>> is this code secure?
>>
>> if ($_GET["action"]=="test" || $_GET["action"]=="test2")
>> {
>> include($_GET["action"].".php"); }
>>
>>
>> Is it secure in your opinion?
>>
>> Regards
>> K.
>
> Yes, this code is secure (I don't know about anything else you might be
> doing).

One thing I am never sure about is when such an expression would be
susceptible to the bug whereby the arguments are coerced to integers, i.e.
suppose someone submits "action" set to 0, then we would be evaluating

0 == "test"

doesn't this then cause php to evaluate "test" as an integer too, with
value 0, so the test succeeds with 0 == 0? If that happened then we would
surely end up with a statement include("0.php")


--
_______________________________________________________

Facts are stubborn, but statistics are more pliable.
_______________________________________________________

Jerry Stuckle
May 29, 2014, 8:27:39 PM
On 5/29/2014 7:26 PM, Gordon Freeman wrote:
> Jerry Stuckle <jstu...@attglobal.net> wrote:
>
>> On 5/28/2014 2:15 PM, Netman wrote:
>>> Hello again!
>>>
>>> is this code secure?
>>>
>>> if ($_GET["action"]=="test" || $_GET["action"]=="test2")
>>> {
>>> include($_GET["action"].".php"); }
>>>
>>>
>>> Is it secure in your opinion?
>>>
>>> Regards
>>> K.
>>
>> Yes, this code is secure (I don't know about anything else you might be
>> doing).
>
> One thing I am never sure about is when such an expression would be
> susceptible to the bug whereby the arguments are coerced to integers, i.e.
> suppose someone submits "action" set to 0, then we would be evaluating
>
> 0 == "test"
>
> doesn't this then cause php to evaluate "test" as an integer too, with
> value 0, so the test succeeds with 0 == 0? If that happened then we would
> surely end up with a statement include("0.php")
>
>

Hi, Gordon,

In some cases that would be a realistic concern. However, since all
$_GET, $_POST, etc. variables are returned as strings (even if the
contents were "0"), it's not much of a worry here.

robamm...@hotmail.com
Mar 16, 2020, 7:32:27 AM
Everything depends...But I guess it's right, when you have everything set up correctly.


Kristjan Robam

J.O. Aho
Mar 16, 2020, 3:46:53 PM
On 16/03/2020 12.32, robamm...@hotmail.com wrote:
> Wednesday, 28 May 2014 21:15.41 UTC+3, Netman wrote:
>> Hello again!
>>
>> is this code secure?
>>
>> if ($_GET["action"]=="test" || $_GET["action"]=="test2")
>> {
>> include($_GET["action"].".php");
>> }
>>
>>
>> Is it secure in your opinion?
>
> Everything depends...But I guess it's right, when you have everything set up correctly.

The code was insecure already back in 2014. Even if you feel bored in the
closed-down Estonia due to the sars-cov-2 virus, you don't have to
replay all old posts you find with help of google groups.

--

//Aho

😉 Good Guy 😉
Mar 16, 2020, 4:03:02 PM
Send him an email to notify him that he is responding to old posts where the original posters might have died and are not able to read any of them. There is newsgroup after death!!!



--
With over 1.2 billion devices now running Windows 10, customer satisfaction is higher than any previous version of windows.

Kristjan Robam
Mar 19, 2020, 1:11:16 PM
Hi Aho....
I am only using google groups. I don't use other programs. This solution seems to be the best in my opinion so far.


Kristjan Robam

Kristjan Robam
Mar 19, 2020, 1:12:27 PM
Monday, 16 March 2020 22:03.02 UTC+2, 😉 Good Guy 😉 wrote:
> On 16/03/2020 19:46, J.O. Aho wrote:
>> On 16/03/2020 12.32, robamm...@hotmail.com wrote:
>>> Wednesday, 28 May 2014 21:15.41 UTC+3, Netman wrote:
>>>> Hello again!
>>>>
>>>> is this code secure?
>>>>
>>>> if ($_GET["action"]=="test" || $_GET["action"]=="test2")
>>>> {
>>>>      include($_GET["action"].".php");
>>>> }
>>>>
>>>> Is it secure in your opinion?
>>>
>>> Everything depends...But I guess it's right, when you have
>>> everything set up correctly.
>>
>> The code is insecure already back in 2014. Even if you feel bored
>> in the closed down Estonia due of the sars-cov-2 virus, you don't
>> have to replay all old posts you find with help of google groups.
>
> Send him an email to notify him that he is responding to old posts
> where the original posters might have died and not able to read any
> of them. There is newsgroup after death!!!

I have already died, I'm on the second life....



Kristjan Robam

J.O. Aho
Mar 19, 2020, 1:46:10 PM
On 19/03/2020 18.11, Kristjan Robam wrote:

> I am only using google groups.
> I don't use other programs. This solutions seems to be the best in my opinion so far.


Yes, we have noticed; you aren't the only one who uses google groups and
treats the user groups as if they were some kind of web based forum.

Please avoid replying on threads that are years old, even if you think
the information there is useful for you, if you want to know something
more, then start a new thread and ask the questions you have.

Treat threads as a bit slower way of instant messaging and all the user
group users who don't use google groups would be a lot happier too.

--

//Aho

Kristjan Robam
Mar 19, 2020, 2:18:09 PM
Ok Mr or Mrs Aho.


Kristjan Robam