Web Application Security
Anyone have some basic security tips for PHP-programmers? Nov 14 2003 04:32PM Matthews, Chris (CMatthews MAIL co washoe nv us) (1 replies)
RE: Anyone have some basic security tips for PHP-programmers? Nov 17 2003 09:56PM arek chelmnet pl (2 replies)
Re: Anyone have some basic security tips for PHP-programmers? Nov 19 2003 05:16AM Tommy Gildseth (gildseth start no) (1 replies)
Re: Anyone have some basic security tips for PHP-programmers? Nov 19 2003 02:58AM James Mitchell (reductor askmiky com) (1 replies)
> 1. Request Variables, containing variables will be evaluated. (e.g.
> $config[mysql_pass]
OK, so we should escape or drop $, [, ], etc...
> 2. The keys will not be escaped
> (file.php?a%3D1%3B+print+file_get_contents%28%22%2Fetc%2Fshadow%22
> %29%3B+%2F
> %2F=hacked)
Hmm,
> 3. Your setting globals, easy to overwrite things
> (file.php?_SERVER[REMOTE_ADDR]=127.0.0.1)
I tried that - this is not vulnerable ...
>
> Your second code block:
> 1. file.php?FUNCTION_INIT=file_get_contentsl&ARG1=/etc/shadow&ARG1_VAL=0
>
Yea, thanks, I forgot about PHP-specific functions that can be
INITIATED... - must validate that step.
That's a really big BUG...
> A few things.
> 1. ; is not used in mysql_query
> 2. eval is slow
How then do you evaluate your result in the case when you need to use a fragment of
another variable as your variable?
> 3. Globals are bad
What do you use instead??? Cookies?
I put the user preferences in globals after every login, so as not to check them
every time he goes on the site, and of course the cookie size is too big.
In the global array I have specific column permissions of R/W/X, related to every
type of menu function in R/W/X too, and/or his web page preferences (which
column to hide, which to show).
How else to do that? I think that globals are fast, and faster than
SQL...
? So what do you prefer? Creating dynamic split temporary files for
every logon with the needed and authorized variables, with the correct amount for
every type of needed request in them?
A.Binder
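A hardened version of the patterns discussed in this thread, as an added example that is not code from the original post or from any poster: per-user R/W/X permissions are kept server-side in $_SESSION instead of in globals or cookies, request parameters are read explicitly instead of via register_globals, and the request selects a key in a fixed dispatch table rather than naming a PHP function or being passed to eval(). The handler names, permission strings and parameter names are hypothetical.

```php
<?php
// Added example: session-held permissions plus an allowlist dispatch table.
// Resource names, handlers and parameters below are hypothetical.
declare(strict_types=1);

session_start();

// Hypothetical: called once at login from the user's database row. The data
// lives on the server, so it is neither a global that the request can
// overwrite nor a cookie that grows with every preference.
function set_user_permissions(array $perms): void {
    $_SESSION['perms'] = $perms;   // e.g. ['reports' => 'R', 'users' => 'RW']
}

// Check one operation (R, W or X) against the stored permission string.
function can(string $resource, string $op): bool {
    $perms = $_SESSION['perms'] ?? [];
    return isset($perms[$resource]) && str_contains($perms[$resource], $op);
}

// Hypothetical handlers. The request picks a key in this table; it never
// names a PHP function, so arbitrary built-ins cannot be reached from a URL.
$actions = [
    'show_report' => ['reports', 'R', fn(array $p): string => 'report ' . (int)($p['id'] ?? 0)],
    'edit_user'   => ['users',   'W', fn(array $p): string => 'edited user ' . (int)($p['id'] ?? 0)],
];

function dispatch(array $actions, array $request): string {
    // Parameters are read explicitly; nothing from the request is eval()ed
    // and no request key can become a variable name.
    $name = $request['action'] ?? '';
    if (!isset($actions[$name])) {
        http_response_code(400);
        return 'unknown action';
    }
    [$resource, $op, $handler] = $actions[$name];
    if (!can($resource, $op)) {
        http_response_code(403);
        return 'forbidden';
    }
    return $handler($request);
}

// Output is escaped so a handler result can never be interpreted as markup.
echo htmlspecialchars(dispatch($actions, $_GET), ENT_QUOTES, 'UTF-8');
```

Requires PHP 8 for str_contains(); on older releases use strpos() !== false.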