doutuanxiao4619 2015-11-30 00:25
Views: 20

too long

I have been trying to create a little script that dies when it detects base64 encoded information being posted to our server.

For some reason it is not entering the loop ...

if (in_array('base64_decode', $_POST, true)) { ... }

When I test it. What am I missing?

Edit: Sorry for this misunderstanding I wasn't clear enough. I am having things like ...

[gkwdwjfvzjpj] => eval(base64_decode($_POST....

Posted to the server and I want to know how can I just detect this string.


1 answer

  • douxigai8757 2015-11-30 00:37

    What your code searches for is whether or not the string "base64_encode" is one of the POSTed values.

    If you want to check if base64_decode is in a substring of the POSTed data:

    <?php
    // Returns true when any POSTed value contains the substring "base64_decode".
    function spam_in_post_values () {
      foreach ($_POST as $postval) {
        // Nested form fields arrive as arrays; only strings can be searched.
        // strpos() returns false when the needle is absent, so compare strictly:
        // a match at offset 0 is also falsy and would otherwise be missed.
        if (is_string($postval) && strpos($postval, 'base64_decode') !== false) {
          return true;
        }
      }
      return false;
    }
    

    However, it seems that you are inserting POSTed data into the HTML, which is a bad idea.

    There is a principle in programming called Don't trust user input. You should:

    • never ever directly insert user input into the HTML

      <p><?php echo $_POST['userdata']; ?></p>
      

      when the user posts something like

      "</p><script>location.href='http://otherwebsite';</script>"
      

      your users will be kidnapped!

      The same is true for attributes, never use unescaped userdata in attributes:

      <a onclick="alert('Hello <?php echo $_POST['username']; ?>!')">
      

      When the user posts "'); location.href='http://spamsite.com';('"
      users of your website will get kidnapped!

    • never ever directly eval user input in PHP:

      $x = $_POST['x'];   // we expect "5"
      $y = $_POST['y'];   // we expect "3"
      $operator = $_POST['operator'];   // we expect "*", "+", "-", "/"
      $result = eval($x . $operator . $y);
      

      When the user sends malicious data, he can do everything you can do with your privileges
      in PHP. Delete files, send emails, download and install malware to your server, and so on.

    • never ever run eval on user input in JavaScript (even better, never use eval!). For the same reasons outlined above, malicious input can run arbitrary code in your client.

      If you expect to get JSON data, use JSON.parse(jsondata) to get them as an object (or jQuery.parseJSON(...), or angular.parseJSON(...), or whatever your library provides).

      This also extends to "hidden" uses of eval, like new Function("arg", userSuppliedString), event handlers element.onclick = "alert('<user supplied value>')", setTimeout/setInterval calls setTimeout("element.textContent = " + userSuppliedValue, 3000), etc.


    Instead of testing for data that you do not want, validate that you received data you do want.
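The answer's closing advice (validate the input you expect instead of searching for strings you do not want), applied to its own calculator example: an added illustration, not code from the original answer. The field names `x`, `y` and `operator` are taken from the answer; the sample requests are constructed here for the demonstration.

```php
<?php
// Allowlist validation: accept exactly the shape we expect, reject everything else.
// Returns the parsed values, or null when the request is not acceptable.
function validate_calc_input(array $post): ?array {
    $x  = $post['x'] ?? null;
    $y  = $post['y'] ?? null;
    $op = $post['operator'] ?? null;
    // Nested fields arrive as arrays; we only accept plain strings.
    if (!is_string($x) || !is_string($y) || !is_string($op)) return null;
    // Operands must be integers such as "5" or "-3"; anything else is rejected,
    // so a payload like eval(base64_decode(...)) never gets past this point.
    if (filter_var($x, FILTER_VALIDATE_INT) === false) return null;
    if (filter_var($y, FILTER_VALIDATE_INT) === false) return null;
    // The operator must be one of four known values, compared strictly.
    if (!in_array($op, ['+', '-', '*', '/'], true)) return null;
    return ['x' => (int)$x, 'y' => (int)$y, 'op' => $op];
}

// Compute with a switch instead of eval(): no user string reaches the interpreter.
function calculate(int $x, string $op, int $y): ?float {
    switch ($op) {
        case '+': return $x + $y;
        case '-': return $x - $y;
        case '*': return $x * $y;
        case '/': return $y === 0 ? null : $x / $y;   // division by zero is rejected
    }
    return null;
}

// Escape before inserting anything into HTML text or attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests (stand-ins for $_POST) for the demonstration.
$requests = [
    ['x' => '5', 'y' => '3', 'operator' => '*'],                              // legitimate
    ['x' => '5', 'y' => 'eval(base64_decode($_POST["p"]))', 'operator' => ';'], // injection attempt
    ['x' => '7', 'y' => '0', 'operator' => '/'],                              // division by zero
];
foreach ($requests as $req) {
    $in = validate_calc_input($req);
    if ($in === null) {
        echo "rejected: " . h((string)json_encode($req)) . "\n";
        continue;
    }
    $r = calculate($in['x'], $in['op'], $in['y']);
    echo "<p>" . h($in['x'] . $in['op'] . $in['y']) . " = " . h($r === null ? 'undefined' : (string)$r) . "</p>\n";
}
```

The second request is rejected by validation alone, without any search for "base64_decode" in the POST body; the escaping in `h()` is what makes the echoed result safe in the `<p>` element.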

