
BLU Discuss list archive



[Discuss] Small website, non-technical users: Joomla, Drupal, or WordPress? (Solved)



On 01/08/2014 12:35 AM, Eric Chadbourne wrote:
> What do you mean by variables being public to the internet?  Nobody
> can directly access them from what I understand.  Sanitize in and out
> you should be fine no?

I don't remember the details, and I only just glanced at php, a long 
time ago.

Googling about a bit I think it might have been something like the 
problem described here 
http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/
>
>
> Securing your variables
>
> In most versions of PHP, you can access the value of a variable before 
> it is initialized. Consider this simple example:
>
> if ($password == $the_password) {
>      $logged_in = 1;
> }
> if ($logged_in == 1) {
>      // secure stuff
> }
>
> All a visitor has to do is add *?logged_in=1* to the end of the URL 
> and they will have access. While this may seem obvious, it is an 
> extremely common problem with PHP scripts.
>
> The best way to prevent this is to always make sure variables are 
> declared before they are used. For this example, you can just add the 
> following line at the top of the file:
>
> $logged_in = 0;
>
> Now the variable cannot be reset by a user since it is being declared 
> before use.
>

In other words, the easiest way to use a variable in php is to just 
start using it, no declaration required, and as far as php is concerned, 
whether you initialize it is up to you.  But from a security perspective 
the two cases are very different.

This might have changed since then, too.

I might have had other gripes, but it is possible I saw this and said: 
what a dangerous language and moved on.

-kb
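The hazard the quoted article describes is PHP's old register_globals setting, which imported every request parameter as a global variable, so an uninitialized $logged_in could be supplied by the client. The setting was off by default from PHP 4.2 and removed entirely in PHP 5.4, so on any current PHP the behaviour has to be emulated. The following is an added example, not code from the original post or from the dagondesign article it quotes; it uses extract() on a constructed request array to reproduce the register_globals effect, shows the vulnerable check beside a hardened one, and the helper names (check_vulnerable, check_hardened) are assumptions made for illustration.

```php
<?php
// Added example: emulates the register_globals hazard on modern PHP.
// Constructed request parameters, standing in for a query string such as
// ?password=wrong&logged_in=1 (the attack the quoted article describes).
$request = ['password' => 'wrong', 'logged_in' => '1'];

// The password the script expects (constructed value).
$the_password = 'correct-horse-battery-staple';

// Vulnerable pattern: $logged_in is read before it is ever assigned.
// extract() stands in for register_globals, which did exactly this with
// $_GET/$_POST/$_COOKIE automatically.
function check_vulnerable(array $vars, string $the_password): bool
{
    extract($vars);                  // $password and $logged_in now exist as locals
    if ($password == $the_password) {
        $logged_in = 1;
    }
    // '1' == 1 is true in PHP, so the client-supplied value passes the check
    return $logged_in == 1;
}

// Hardened pattern: every variable is initialized before use, request data
// is read explicitly from the array rather than imported into the local
// namespace, and the comparison is constant-time.
function check_hardened(array $vars, string $the_password): bool
{
    $logged_in = 0;                              // declared before use
    $password  = (string) ($vars['password'] ?? '');
    if (hash_equals($the_password, $password)) { // no type juggling, no timing leak
        $logged_in = 1;
    }
    return $logged_in == 1;
}

// Configuration check: on PHP < 5.4 register_globals still exists and
// must be off; on newer versions ini_get() returns false because the
// directive no longer exists, which is also safe.
function register_globals_is_off(): bool
{
    $value = ini_get('register_globals');
    return $value === false || $value === '' || $value === '0';
}

var_dump(check_vulnerable($request, $the_password)); // bool(true): wrong password, still "logged in"
var_dump(check_hardened($request, $the_password));   // bool(false)
var_dump(register_globals_is_off());                 // bool(true) on any supported PHP
```

The initialization line ($logged_in = 0) is the fix the article recommends; reading request data explicitly from $_GET/$_POST (here the $vars array) instead of relying on imported globals is what makes the fix unnecessary in the first place, and hash_equals() additionally avoids the loose == comparison that treats '1' and 1 as equal.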




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.