I am trying to use an if statement to check if the user has been directed to this page with from the correct location with correct data.
in php we would use
if ($_REQUEST)
{
......
}
but how can I do it in coldfusion?
According to this, $_REQUEST is:
An associative array that by default contains the contents of $_GET,
$_POST and $_COOKIE.
In which case, there is not an equivalent in Coldfusion. The $_GET would be equivalent to CF's URL scope. The $_POST would be equivalent to CF's FORM scope. The $_COOKIE would be equivalent with CF's COOKIE scope. You would need to check the appropriate scope depending on what you are looking for.
There are, however, frameworks for Coldfusion, such as Coldbox, that manage a "Request Collection" for you.
With more information this answer could be more complete.
You can check where the user came from using CGI.HTTP_REFERER. Example:
if (CGI.http_referer contains 'www.good-domain.com') { ... do something here ... }
You'll need to check the URL or FORM scopes to inspect the data to see if it is the "right data". You can inspect these values with something simple like this (which checks the form scope--used when data is posted in the body of a request):
requestIsGood = true;
requiredKeys = ['keyA','keyB','keyC'];
for (key in requiredKeys) {
if (!structKeyExists(FORM,key) {
requestIsGood = false;
break;
}
}
if (requestIsGood) { ... do something here ...}
Lastly, the difference between the URL and FORM scope in ColdFusion (CFML) is that values in the url's querystring will be populated to the URL scope. Values posted by the form will exist in the FORM scope.
The code examples should be accurate for Adobe ColdFusion 9+ http://adobe.com/go/coldfusion and the open source CFML engine Railo http://getrailo.org. It may work on another open source CFML engine OpenBD http://www.openbluedragon.org/ but I am not sure.
Hope this information helps you.
Related
I'm reading a book on php security, and on input validation chapter there's a small section that talks about only allowing expected input.
This is the code that they show:
<?php
$expected = array( 'carModel', 'year', 'bodyStyle' );
foreach( $expected AS $key ) {
if ( !empty( $_POST[ $key ] ) ) {
${$key} = $_POST[ $key ];
}
else {
${$key} = NULL;
}
}
?>
I'm kind of confused, there's a small paragraph that explains what the code does. For what I get it assigns a value from the array as a key to $_POST. It also says that the array should be done programatically copied out of the GPC array.
What I don't understand is in what cases should I use this? And what is the GPC array?
GPC = Get Post Cookie, it's referring to variables coming from the user/browser. So instead of using $_GET, $_POST, $_COOKIE you should be cleaning and validating that data into a variable(s) that you can trust and know is clean.
As for the suggestion, what they are doing is limiting what your code has access to. In the above code example, you would probably have a form on the page with elements named carMOdel, year, and bodyStyle. What the code here is doing is restricting your code to ONLY interact with those 3 elements.
This prevents someone from passing extra parameters to your page in an attempt to inject code or some sort of SQL injection attack or any other number of things. In a simple example like this it might not make sense. But there are cases where people are taking form/api requests and running loops over everything in one of GPC arrays and doing stuff with anything in there. I would suggest not doing that to begin with.
This is just 1 of MANY things to protect your server/database. When developing webapps you should take the stance of trusting NOTHING that comes from the user side.
As far as security goes, OWASP is a great source for learning. here is a little cheat sheet that is in the works for php.
The code creates variables from data in the $_POST array. The names of the variables are taken from the keys of the $_POST array. PHP calls this (i.e. naming variables dynamically) variable variables.
This is usually a bad idea, because you do not control, which keys are present in the $_POST array, and thus, which variables are created. The user of your website controls this. A malicious user might name the POST variables in such a way that they overwrite variables that you intended for different purposes.
The book suggests to allow keys in the $_POST array to overwrite variables in a controlled manner. That's what $expected = array('carModel', 'year', 'bodyStyle') is for. This and the following code only creates the variables $carModel, $year and $bodyStyle. If, for example, a user posts current_user_has_admin_rights=1 to you application, a variable $current_user_has_admin_rights with a value of 1 will not be created.
My suggestion is to to stay away from variable variables alltogether and instead access the POST values through the $_POST array only. This makes it clear where the value comes from, an thus makes it easier to spot if such a value is handled in an unsecure manner.
It also says that the array should be done programatically copied out of the GPC array.
This could mean that you shouldn't necessarily write:
$expected = array('carModel', 'year', 'bodyStyle');
Rather write something like:
$expected = getExpectedInput('carForm');
Where the function getExpectInput would query the database for the input that should be in the form 'carForm'. Or perhaps it could be in a file and this function would fetch that content. They basically mean, it's not a good idea to hard-code the variables in the form. Rather write them somewhere so they are easy to change. If you ever made changes to the form and added a variable or changed a variable name, you don't have to change this particular code. This means that this function is usable on different forms. The idea is to write function that that can be re-used. Not those that are dedicated to one thing. OOP.
The getExpectedInput function would probably return an array. You can name this whatever you like or use any method.
I am thinking of making a loop to gather all my $_POST variables and assign them to dynamically named variables.Something like this (not tested)
for($i; $i <= $_POST[].length; $i++){
${$_POST[i]} = $_POST[i]
}
But I am wondering about the security of something like this. This would then create a variable in the system for every bit of post data sent to the page. Can that variable be damaging even if the script I write doesn't reference it? Is this the type of thing I should avoid entirely? I have some pages that send quite a few variables and a script like this would prevent a whole lot of writing, but is it safe enough?
Yes there are possible security risks.
Say you have a variable $is_admin defined earlier in the code that gives someone admin abilities. If someone POSTS to that page with
$_POST['is_admin'] = true;
Then $is_admin is now true. Not good.
What's wrong with using $_POST?
Yes there can be security concerns/problems, for example one could overwrite any local variables which are already set, like database, config values ect.
So something like this should be avoided:
$yourImportantVar = 'Something relies on this';
//User POSTS yourImportantVar=overwritten
foreach ($_POST as $key => $value) {
$$key = $value;
}
echo $yourImportantVar; //overwritten
But if you want to implement a loop to save a chunk of code, you could create an allowed array which you loop over and extract out the value from the $_POST.
foreach (array(
'name',
'address',
'somethingelse',
'ect'
) as $key) {
$$key = isset($_POST[$key]) ? $_POST[$key] : null;
}
This is a very bad idea for security and maintainability. Simplified example why...
<?php
if (someRandomSessionCheck()) {
$isAdminUser = true;
}
if ($isAdminUser) {
// give access to everything
}
?>
Someone could post to the page with a variable "isAdminUser=1" and would have access to everything.
Another reason it is a bad idea is you can't clearly see from the script where your variables are created. This reduces maintainability of the script. What if you now want to run the script but instead need to get the data from somewhere else and not a POST?
Only issue I can think of at the moment is when that overwrites the existing variable in the scope. This can be very unsafe depending on what you do with it. Think about the variable being the URL you are doing a HTTP request to. Or worse, some flag variable which accesses some critical part of your code.
I will post an example that speaks about HTTP request:
<?php
$url = "http://safe/url/to/POSTto";
$var = array("url" => "http://www.mysite.com/url"); //assume this is $_POST
foreach($var as $key => $value){
${$key} = $value;
}
//now upon the HttpRequest, your site can receive the (critical) data which was actually meant for the safe site.
?>
EDIT: #Galen has posted about the flag variable I was talking about, so may be I need not post any example to highlight the problem.
PHP had a feature (using the term loosely) called register_globals. It has since been deprecated (PHP 5.3) and removed (PHP 5.4), but it mirrored the functionality for which you are looking. It performed the same thing as the PHP function extract() does, which sets variables in the current scope with names of the keys and values of the matching array values.
This is most definitely a security risk. Consider the example of a poor check for authentication:
if($is_logged_in) {
// Allow execution of destructive actions
}
If this feature was enabled (or you mimicked it), a malicious user would be able to set the variable $is_logged_in and bypass the login screen. Don't worry about saving typing. If you need to copy and paste a code block like this at the beginning of your files:
$something = $_POST['something'];
$another = $_POST['another'];
$stuff = $_POST['stuff'];
//etc.
Not only is it much more secure, but it doesn't leave developers (who aren't expecting register_globals) puzzled when undeclared variables start being used. Also, the fact that PHP has removed it and there are plenty of arguments against its use should be evidence enough.
<?php
/* Suppose that $var_array is an array returned from
wddx_deserialize */
$size = "large";
$var_array = array("color" => "blue",
"size" => "medium",
"shape" => "sphere");
extract($var_array, EXTR_PREFIX_SAME, "wddx");
echo "$color, $size, $shape, $wddx_size\n";
?>
Please check this. Same thing what you are going do by using loop. may help you
You are basically implementing extract($_POST, EXTR_OVERWRITE) which will overwrite any already existing variables. The manual already warns to use extract in a way you do:
Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.). If you do, for example if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.
This can result in overwriting essential and sensitive variables, including those that cannot really be modified directly like $_SESSION, $_SERVER, and $GLOBALS:
POST /foo.php HTTP/1.1
Content-Type: application/x-www-urlencoded
_SESSION[user]=admin
This would have the same effect as $_SESSION = array('user'=>'admin').
For example, I am using a $_POST variable to insert data into a DB. Just before this query I have a few tests and if they are true I want to adjust that (hidden) $_POST value.
Ex.
if($baby_dragon_eats_children){
$_POST['hidden_value'] = "grapes";
}
Can $_POST['hidden_value'] be assigned a new value and then be passed to another function as $_POST and be able to access the new $_POST['hidden_value']?
Thanks
$_POST['consolidate_answers']
IF you assign a value to $_POST you should document is very clearly as it is not common nor considered "best" practice.
IF you have any extensions of PHP such as Suhosin Patch... it may block such actions..
Handle your own arrays, don't depend on $_POST!
IF need be, make a copy of $_POST and work with that.
You can assign values to $_POST, but if you do so you should document it very clearly with comments both at the point of assignment and the later point of access. Manually manipulating $_POST can break future programmers' (including your own) expectations of what is in the superglobal and where it came from.
There may be other alternatives, like:
$my_post = $_POST;
$my_post['hidden_value'] = 12345;
// In a function:
function func() {
// Emulate a superglobal
echo $GLOBALS['mypost']['hidden_value'];
}
Can $_POST['hidden_value'] be assigned a new value and then be passed to another function as $_POST and be able to access the new $_POST['hidden_value']?
It can in normal PHP.
However, extensions like the Suhosin Patch may block this.
Also, it feels wrong in general. $_POST is intended to contain the raw, incoming POST data - nothing else. It should not be modified IMO.
A better way to go would be to fetch all the data you plan to insert into the database into an array, and do the manipulations in that array instead.
You can, it will work, but don't.
Create a copy of $_POST, perform your tests on that and modify that instead. For example.
$postdata = $_POST;
if ($postdata['somevalue'] != 'someothervalue') $postdata['newvalue'] = 'anothervalue';
// ...
If you manipulate variables auto-created by PHP, it will probably come back to haunt you later on when the variable doesn't hold the data you expect it to.
Find an alternative!
The $_POST variable has a distinct responsibility. Do not abuse its globalism.
I'd say don't abuse globalism either way, even if it means changing the design you have (or have in mind).
But if you choose not to, then consider creating a dedicated global registry just for your needs.
Don't manipulate language built-ins.
After reading:
When do you use POST and when do you use GET?
Mixing GET with POST - is it a bad practice?
I understand, that GET is used to retrieve a page without changing the server and POST is used for things (insert, update, delete), that change the server.
Now I have written a page which is called with a GET request with parameter StationNr set. The user can fill a form and makes a POST request to the same page with parameter Filter set. But I don't want to miss the parameter StationNr thus I thought I give it into a hidden input field. But then the parameter StationNr is either in the $_GET variable (first call) or in the $_POST variable (second call). I can do something like:
if (isset($_GET['StationNr']))
$snr = $_GET['StationNr'];
else if (isset($_POST['StationNr']))
$nr = $_POST['StationNr'];
But I don't like this. Also I don't want to use $_REQUEST['StationNr'] because of: When and why should $_REQUEST be used instead of $_GET / $_POST / $_COOKIE?
I think this is a common issue but I haven't faced it yet because I'm a beginner in writing php pages. How did you solve this problem?
Thanks!
Although you can use ?foo=bar to push GET values in a POST request, I'd suggest checking the request method instead:
if($_SERVER['REQUEST_METHOD'] == 'POST') { ... }
just use
<form method="post" action="script.php?get=variables">
<input name="your_inputs" />
</form>
Correct Syntax Would Be:
if (isset($_GET['StationNr'])) {
$snr = $_GET['StationNr'];
}else if (isset($_POST['StationNr']))
$nr = $_POST['StationNr'];
}
I need to get the hash # value from the current window url with javascript (can't get it with PHP), and then use that to set the value attibute of a form input with CI's set_value() function.
Any ideas how I can grab the value in javascript then put it into the PHP function? :-S
Thanks in advance!
I can't quite tell if you fully understand the relationship between Javascript and PHP, so I'm going to assume that you don't. PHP runs on the server and outputs HTML to the browser (along with some headers and other stuff). Once the HTML is sent to the browser, what the user does with your site is out of your control until his browser performs another GET or POST request (or opens a persistent web socket connection). As you mentioned, it's impossible for PHP to outright read the value of the hash, as it's meant to be confined to the browser, accessible only via Javascript. Since your PHP script for that particular request has stopped running and the page data has already been output to the browser, what sense does it make to grab the value using Javascript, send it back to PHP with another http request, use the set_value() function, and then what?
If you use window.location.hash and set the value of your input box equal to it, you will be able to use set_value() when the user submits the form. Take a look at CI's set_value() helper function:
function set_value($field = '', $default = '')
{
if (FALSE === ($OBJ =& _get_validation_object()))
{
if ( ! isset($_POST[$field]))
{
return $default;
}
return form_prep($_POST[$field], $field);
}
return form_prep($OBJ->set_value($field, $default), $field);
}
It first checks to see if you've set up form validation object. If you have, it runs the form_prep() function using that object's set_value (presumably to manage any rules you've set up in your form validation. If you haven't, it sees if that field exists in the $_POST array. If it doesn't, it returns the default value. If it does, it returns the value from the $_POST array. So if you a) set up a form validation rule for it and b) give that input box the name you want to use in your set_value() function, you will be able to retrieve the value of the hash in PHP which you have entered into that input box using Javascript.
In Javascript you can achieve this vis
hash = window.location.hash;
In PHP you can access it using parse_url()
parse_url() : Return Values
On seriously malformed URLs, parse_url() may return FALSE. Otherwise an associative array is returned, whose components may be (at least one):
* scheme - e.g. http
* host
* port
* user
* pass
* path
* query - after the question mark ?
* fragment - after the hashmark #