Working on CCK form security: CSRF tokens, but also whitelisting POST variables, which is missing from CMSes and impossible to implement in Drupal, WordPress etc. Sanitation and validation of user input, yes, but that does nothing against injection of extra POST fields into the request. Since CCK ( cck.fhqk.com ) is API-centric, it is critical to secure the requests coming from client forms as well as requests of any verb arriving via cURL, php://input etc.
Strange that this was a very common task back in the days of Classic ASP, but somewhere along PHP's rise in popularity it got lost.
From the POST request:
Array
(
    [ccid] => ccid-54eb4dcabcdc97.58677578
    [title] =>
    [author_id] =>
    [date_created] =>
    [send] => send
    [security] => 8e474da78d349ee503b65357f611bb69
    [form] => content_type_add
)
Checklist from the session (the token issued with the form and the whitelist of field names the form is allowed to submit):
Array
(
    [token] => 8e474da78d349ee503b65357f611bb69
    [whitelist] => Array
        (
            [0] => ccid
            [1] => title
            [2] => type
            [3] => author_id
            [4] => date_created
            [5] => send
            [6] => security
            [7] => form
        )
)
Kill unwanted request verbs:
<?php
// Reject every verb the form handler does not serve before any field is read.
// exit() terminates the script, so no break is needed after it. Note that this
// is a deny-list: a verb not named here (PATCH, TRACE, ...) falls through.
$method = $_SERVER['REQUEST_METHOD'];
switch ($method) {
    case 'PUT':
    case 'GET':
    case 'HEAD':
    case 'DELETE':
    case 'OPTIONS':
        exit($method . ' not allowed');
}
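The three controls described above (verb check, token check, POST field-name whitelist) combined into one request-acceptance function, as an added example that is not CCK's own code. The function name, the allow-list form of the verb check and the sample arrays are assumptions; the sample data mirrors the dumps above.

```php
<?php
// Added example, not CCK's own code. Checks a decoded request body against the
// session checklist shown above: ['token' => ..., 'whitelist' => [...]].
// Returns an empty array when the request is acceptable, otherwise the reasons
// for rejecting it. Function and variable names are assumptions.
function checkFormRequest(string $method, array $post, array $checklist): array
{
    $errors = [];

    // Allow-list the verb: only POST is served, so unknown verbs are rejected
    // too instead of falling through as they would with a deny-list switch.
    if ($method !== 'POST') {
        $errors[] = "$method not allowed";
    }

    // Token comparison in constant time; a missing token or one submitted as
    // an array (security[]=...) is treated as a failure rather than a TypeError.
    $token = $post['security'] ?? '';
    if (!is_string($token) || !hash_equals($checklist['token'], $token)) {
        $errors[] = 'invalid or missing security token';
    }

    // Field-name whitelist: a POST key that was not issued with the form is an
    // injected field, and a single one is enough to reject the whole request.
    $unexpected = array_diff(array_keys($post), $checklist['whitelist']);
    foreach ($unexpected as $field) {
        $errors[] = "unexpected field: $field";
    }

    return $errors;
}

// Constructed sample data mirroring the session checklist and POST dump above.
$checklist = [
    'token'     => '8e474da78d349ee503b65357f611bb69',
    'whitelist' => ['ccid', 'title', 'type', 'author_id', 'date_created',
                    'send', 'security', 'form'],
];
$legit = [
    'ccid' => 'ccid-54eb4dcabcdc97.58677578', 'title' => '', 'author_id' => '',
    'date_created' => '', 'send' => 'send',
    'security' => '8e474da78d349ee503b65357f611bb69', 'form' => 'content_type_add',
];

print_r(checkFormRequest('POST', $legit, $checklist));                          // accepted
print_r(checkFormRequest('POST', $legit + ['extra_field' => 'x'], $checklist)); // injected field
print_r(checkFormRequest('GET', ['security' => 'wrong'], $checklist));          // verb and token
```

In a handler the arguments would be `$_SERVER['REQUEST_METHOD']`, `$_POST` (or the decoded php://input body) and `$_SESSION['checklist']`, and a non-empty result should end the request before any field is touched.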