#1
    Contributing User; Devshed Regular (2000 - 2499 posts); Join Date: Sep 2006; Posts: 2,031; Rep Power: 535

    Concerns over using user provided data in arrays?


    I have a script which allows the user to upload a document. At first, I don't want to store the document in a database or store the document in a permanent location until the user performs a given action. However, until permanently saving, I wish to allow the user to view (i.e. download) the document prior to when they decide to permanently store the document, and of course preserve the data should it eventually be saved. Below is my plan. Please comment if you think it is not secure.
    1. Upload the document. Store it with a random filename in a tmp directory. Store the actual filename in a session with a key as the filename.
    2. Create a link which contains the (random) filename so that the user could view it. When initiated, I will retrieve the real filename by directly inserting the user-provided key in the session (i.e. $filename = $_SESSION['whatever'][$_GET['user_provided_document']]).
    3. When eventually saved, again directly use the user provided key in the session to get the filename.


    Any concerns?
#2
    Devshed Expert (3500 - 3999 posts); Join Date: Jul 2012; Posts: 3,959; Rep Power: 1014
    Hi,

    what's the point of the URL parameter, anyway? The file data is already associated with the user through the session or the database entry. The only reason for making a URL would be to either allow anonymous uploads or select a single file from multiple temporary uploads.

    In general, letting the user specify the session key is always risky. As long as you limit the input to a subarray (like in your case), it's OK. But imagine something like

    PHP Code:
    $_SESSION[$_GET['key']] = $_GET['value']; 
    The first thing an attacker would do is change the user ID to that of the admin.

    So handle this with care.

    You also need a way to clean up abandoned files after a while.
    The 6 worst sins of security
    How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
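The pattern quoted in this reply next to a confined version, as an added PHP example that is not Jacques1's code. It writes a client-chosen key either anywhere in the session (the dangerous form) or only inside one subarray restricted to an allow-list of names; the function names, the `'prefs'` subarray and `ALLOWED_PREFS` are assumptions, and the session array is passed by reference so the walkthrough at the bottom runs against a plain array from the command line.

```php
<?php
declare(strict_types=1);

// Added example, not Jacques1's code. It contrasts the one-liner quoted in the reply
// with a version that confines client-chosen keys to one subarray and an allow-list.
// Names (set_pref_unsafe, set_pref_safe, 'prefs', ALLOWED_PREFS) are assumptions.
// $session is passed by reference so the functions run against a plain array on the CLI.

// Dangerous: the client picks any top-level session key, including ones the
// application itself trusts, such as the logged-in user's id.
function set_pref_unsafe(array &$session, string $key, string $value): void
{
    $session[$key] = $value;
}

// Confined: writes can only land inside $session['prefs'], so nothing above that
// subarray is reachable, and the allow-list keeps the client from filling the
// session with arbitrary names.
const ALLOWED_PREFS = ['theme', 'language', 'page_size'];

function set_pref_safe(array &$session, string $key, string $value): bool
{
    if (!in_array($key, ALLOWED_PREFS, true)) {
        return false;                    // unknown preference: reject, store nothing
    }
    $session['prefs'][$key] = $value;
    return true;
}

// Read a preference; isset() turns an absent key into the default, not a notice.
function get_pref(array $session, string $key, ?string $default = null): ?string
{
    return isset($session['prefs'][$key]) ? $session['prefs'][$key] : $default;
}

if (PHP_SAPI === 'cli') {
    $session = ['user_id' => 42];        // constructed: an ordinary logged-in user

    set_pref_unsafe($session, 'user_id', '1');
    var_dump($session['user_id']);       // the client-chosen key replaced the trusted id

    $session = ['user_id' => 42];
    var_dump(set_pref_safe($session, 'user_id', '1'));   // rejected by the allow-list
    var_dump($session['user_id']);       // trusted id untouched
    var_dump(set_pref_safe($session, 'theme', 'dark'));  // accepted
    var_dump(get_pref($session, 'theme'), get_pref($session, 'language', 'en'));
}
```

In a request handler the call would be `set_pref_safe($_SESSION, $_GET['key'] ?? '', $_GET['value'] ?? '')`. Even without the allow-list, the subarray alone keeps `$_SESSION['user_id']` out of reach, which is the point made in the reply; the allow-list additionally stops a client from growing the session with unbounded keys.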
#3
    Contributing User; Devshed Regular (2000 - 2499 posts); Join Date: Sep 2006; Posts: 2,031; Rep Power: 535
    Originally Posted by Jacques1
    what's the point of the URL parameter, anyway? The file data is already associated with the user through the session or the database entry. The only reason for making a URL would be to either allow anonymous uploads or select a single file from multiple temporary uploads.
    It is kind of like an email application. User creates a message, and can upload zero or more documents. If they cancel the message before sending it, I will discard the document, but if they send the message, I will permanently save the document. The URL is to allow them to download the document before the message is sent.

    Originally Posted by Jacques1
    In general, letting the user specify the session key is always risky. As long as you limit the input to a subarray (like in your case), it's OK.
    So there is nothing that can be used as the key that would allow data higher in the array to be viewed or manipulated? Analogous to using `../` with files?
#4
    Devshed Expert (3500 - 3999 posts); Join Date: Jul 2012; Posts: 3,959; Rep Power: 1014
    Originally Posted by NotionCommotion
    So there is nothing that can be used as the key that would allow data higher in the array to be viewed or manipulated? Analogous to using `../` with files?
    No.

    But you should check the key with isset() to prevent the user from (accidentally) flooding your error log with warnings.
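The three-step plan from the first post, with the isset() check from this reply and the cleanup of abandoned files raised in reply #2, as an added PHP example that is neither the original poster's nor Jacques1's code. The directory constants, the `'pending_uploads'` session subarray and all function names are assumptions; the functions take the session array by reference so the walkthrough at the bottom runs from the command line without a web server.

```php
<?php
declare(strict_types=1);

// Added example, not the thread participants' code. Assumed names: the directories and
// TTL below, the 'pending_uploads' session subarray, and every function here. $session is
// passed by reference so the functions can be exercised with a plain array on the CLI.
const TMP_UPLOAD_DIR   = '/tmp/app-pending';   // assumed location for not-yet-saved files
const SAVED_UPLOAD_DIR = '/tmp/app-saved';     // assumed location for permanently saved files
const UPLOAD_TTL       = 3600;                 // seconds after which a pending file is abandoned

function ensure_dir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
}

// Step 1: move the upload under a random name and remember the original name in the
// session, keyed by that random token. The token is what later appears in the URL.
function register_pending_upload(array &$session, string $srcPath, string $originalName): string
{
    ensure_dir(TMP_UPLOAD_DIR);
    $token = bin2hex(random_bytes(16));        // 32 hex characters, not guessable
    // A real upload handler would use move_uploaded_file() on $_FILES[...]['tmp_name'].
    if (!rename($srcPath, TMP_UPLOAD_DIR . '/' . $token)) {
        throw new RuntimeException('cannot move upload into place');
    }
    // basename() drops any directory part the client may have sent in the name.
    $session['pending_uploads'][$token] = basename($originalName);
    return $token;
}

// Steps 2 and 3: resolve a client-supplied token. The format check means only a
// well-formed token reaches the session lookup or the filesystem, and isset() turns an
// unknown token into a plain "not found" instead of a PHP notice in the error log.
function lookup_pending_upload(array $session, ?string $token): ?array
{
    if ($token === null || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    if (!isset($session['pending_uploads'][$token])) {
        return null;
    }
    $path = TMP_UPLOAD_DIR . '/' . $token;
    if (!is_file($path)) {
        return null;                            // purged as abandoned, or never written
    }
    return ['path' => $path, 'name' => $session['pending_uploads'][$token]];
}

// Step 2: the download link handler.
function serve_pending_upload(array $session, ?string $token): void
{
    $file = lookup_pending_upload($session, $token);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    // The stored name is the client's own string; restrict it before it enters a header.
    $safeName = preg_replace('/[^A-Za-z0-9._ -]/', '_', $file['name']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    readfile($file['path']);
}

// Step 3: when the message is sent, move the file to permanent storage and return the
// new path (to be recorded together with the original name in the database).
function save_pending_upload(array &$session, ?string $token): ?string
{
    $file = lookup_pending_upload($session, $token);
    if ($file === null) {
        return null;
    }
    ensure_dir(SAVED_UPLOAD_DIR);
    $dest = SAVED_UPLOAD_DIR . '/' . $token;
    if (!rename($file['path'], $dest)) {
        throw new RuntimeException('cannot move upload into permanent storage');
    }
    unset($session['pending_uploads'][$token]);
    return $dest;
}

// Cancelled message: delete the pending file and forget its name.
function discard_pending_upload(array &$session, ?string $token): bool
{
    $file = lookup_pending_upload($session, $token);
    if ($file === null) {
        return false;
    }
    unset($session['pending_uploads'][$token]);
    return unlink($file['path']);
}

// Cleanup for sessions that simply expired and left files behind; run it periodically
// (e.g. from cron). Stale session entries are harmless: the lookup re-checks the disk.
function purge_abandoned_uploads(?int $now = null): int
{
    $now = $now ?? time();
    $removed = 0;
    foreach (glob(TMP_UPLOAD_DIR . '/*') ?: [] as $path) {
        if (is_file($path) && ($now - filemtime($path)) > UPLOAD_TTL && unlink($path)) {
            $removed++;
        }
    }
    return $removed;
}

if (PHP_SAPI === 'cli') {                       // stand-alone walkthrough with a plain array
    $session = [];
    $tmp = tempnam(sys_get_temp_dir(), 'doc');
    file_put_contents($tmp, "constructed sample document\n");
    $token = register_pending_upload($session, $tmp, 'Quarterly report.pdf');
    var_dump(lookup_pending_upload($session, $token) !== null);              // known token resolves
    var_dump(lookup_pending_upload($session, '../x') === null);              // malformed token rejected
    var_dump(lookup_pending_upload($session, str_repeat('0', 32)) === null); // unknown token, no notice
    var_dump(save_pending_upload($session, $token) !== null);                // promoted on send
    var_dump(lookup_pending_upload($session, $token) === null);              // no longer pending
}
```

In the web application the same functions are called with `$_SESSION` and `$_GET['user_provided_document']`. The answer to the `../` question in post #3 is visible in lookup_pending_upload(): an array key is not a path, so no key can climb out of `$_SESSION['pending_uploads']`, but the token is still pattern-checked because it is also used to build a filesystem path, where `../` would matter.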
