NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP Form Validation

Jonathan hendler at simmons.edu
Fri Sep 2 00:20:37 EDT 2005



Billy Reisinger wrote:

>On Sep 1, 2005, at 6:37 PM, Chris Shiflett wrote:
>
>>Cliff Hirsch wrote:
>>
>>>See: http://www.phpbuilder.com/columns/weiner20050831.php3
>>>
>>>Beside the primary validation content, the article uses the
>>>following example, which I often see:
>>><input type="text" name="email" value="<?=$_POST['email']?>" />
>>
>>This is really a big problem within our community. I can't think of a
>>more obvious XSS vulnerability, but here it is in an article that
>>numerous developers will read and apply to their own development.
>
>Correct me if I'm wrong here, folks, but using a $_POST['variable']
>directly in a form is no more or less vulnerable to attack than using
>a different variable that is a reference to a $_POST variable. If
>you want to carry over form values after errors or across multiple
>form pages (i.e. preserve state), you have to reference these $_POST
>variables eventually, in some form or fashion. In this sense, ALL
>forms are vulnerable to hacks. It should be a necessary step for
>you to validate and protect yourself against any variable that your
>users can change.
>
Using $_POST is using a global variable - which if validated and 
transformed is an abuse of what $_POST is meant to represent. By moving 
variables out of global to preserve state you gain control of the 
variable ever changing again.
And the problem is deeper than about vulnerability to "attack" - it's 
also about making reusable and clean architectures. So I see how you 
might say $_POST is like any other user altered variable - but the 
article being criticized is still promoting bad practice and, I guess 
from what is being said, makes no attempt to point out the obvious 
problems with embedding these tags in a form.
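The following script is an added example for this thread, not code from the phpbuilder article or from any of the posters. It puts the unescaped pattern quoted above next to a hardened version that does what both Chris and Jonathan are asking for: the submitted value is copied out of $_POST once into a local variable, validated, and then escaped for the HTML attribute context every time it is written back into the form. The $_POST contents and the `unsafeEmailField` / `emailFieldFromRequest` function names are constructed for the demonstration so it runs from the PHP CLI without a web server.

```php
<?php
// Added example (not from the thread or the phpbuilder article).
// Shows the raw-echo pattern beside a validate-then-escape version.

declare(strict_types=1);

/**
 * The pattern quoted in the thread: the raw submitted value is written
 * straight into an attribute. Kept here only so the difference is visible.
 */
function unsafeEmailField(array $post): string
{
    $email = $post['email'] ?? '';
    return '<input type="text" name="email" value="' . $email . '" />';
}

/**
 * Hardened version:
 *  1. copy the value out of the request array once (Jonathan's point
 *     about not working on the global directly),
 *  2. validate it, so a rejected value is never echoed back,
 *  3. escape for the attribute context on output, so a double quote
 *     cannot close the value="..." and start a new attribute or tag.
 * Returns both the validity flag and the rendered field.
 */
function emailFieldFromRequest(array $post): array
{
    $raw = isset($post['email']) && is_string($post['email']) ? $post['email'] : '';
    $raw = trim($raw);

    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL) !== false;
    $value = $valid ? $raw : '';

    // ENT_QUOTES turns both " and ' into entities; ENT_SUBSTITUTE keeps
    // invalid UTF-8 from producing an empty string silently.
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return [
        'valid' => $valid,
        'html'  => '<input type="text" name="email" value="' . $escaped . '" />',
    ];
}

// Constructed sample submissions standing in for what PHP would put in
// $_POST for a real request: one attribute-breakout attempt and one
// ordinary address.
$samples = [
    'breakout' => ['email' => 'a@example.com"><b>injected</b>'],
    'normal'   => ['email' => 'user@example.com'],
];

foreach ($samples as $label => $post) {
    echo "== $label ==\n";
    echo "raw echo:  " . unsafeEmailField($post) . "\n";
    $field = emailFieldFromRequest($post);
    echo "valid:     " . ($field['valid'] ? 'yes' : 'no') . "\n";
    echo "hardened:  " . $field['html'] . "\n\n";
}
```

Run with `php example.php`. For the "breakout" sample the raw echo produces a second tag inside the form, while the hardened output is `value=""` because validation rejected the string; for the "normal" sample both versions render the same address. Validation and escaping are kept as separate steps on purpose: validation decides which values the application accepts, escaping makes whatever is accepted safe for the place it is written, and a field that legitimately allows quotes (a name, a comment) still needs the second step even when the first passes.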
