Zend Video Tips: Get and Post Array

Thursday, November 23. 2006

A link to a quite amusing (?) video was posted on IRC today that is one of Zend's german PHP teaching videos. You can find it here. It is supposed to teach PHP developers the usage of $_GET and $_POST.

Aside from wrong information like the statement that POST data is sent within an HTTP header, all their examples print the content of $_GET and $_POST directly to the output, producing nice little XSS vulnerabilities.

Quite amusing seeing these kinds of tips from a company offering PHP training and certification. Maybe the teaching material should cover the usage of htmlentities() or htmlspecialchars() in the future.

Posted by Stefan Esser in Security, PHP at 18:37

Comments (4)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Gaylord Aulke wrote (Link) ()

...and we thought if it is in german, nobody would notice...

Just kidding. The statement that POST data are sent in the http header is of course wrong. Zend will correct that one ASAP.
We will also add a security advice emphasizing the importance of input checking and filtering. Thanks for pointing us on this.

Gaylord

posted on Thursday, November 23. 2006

#2 Jan Schneider wrote (Link) ()

But the "Live HTTP headers" extension displayed the parameters, so they have to be sent in the headers. Otherwise they would call it "Live HTTP body".

posted on Thursday, November 23. 2006

#3 Paulie ()

Despite the lack of checking $_POST and $_GET for suspicious content, I find the whole video rather poor. I wonder who the narrator was and what kind of experience this guy has. Not to mention that even a novice should be able to grasp array handling from a few sentences and examples. Maybe Zend should take a look at the docu videos for CodeIgniter.

posted on Thursday, November 30. 2006

#4 Jason Frisvold wrote (Link) ()

Stefan,

I'm curious. What you've posted on your blog makes a lot of sense to me. Many think your manner is a tad abrasive, but having dealt with security professionals in the past, I can understand the brashness.

I don't consider myself a security professional, but when I write code in any language, I try to make sure that it is as secure as I can make it. However, if I were to teach someone how to use a particular feature of a language, I would probably dumb it down slightly. I would also be sure to mention something about how using it in that manner is insecure. I think in a teaching environment, at least to get the basics down, it's better to dumb it down to the core requirements and then build on that. Of course, you have to follow through with building on the foundation..

posted on Wednesday, December 20. 2006

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:
Standard emoticons like :-) and ;-) are converted to images.

Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.

Calendar