Extended Basic 7

Learn how to do code review

Re: Extended Basic 7

Post by Monkey_master on Fri Aug 31, 2012 4:05 am

When I try to enter the code , it says " Error! CSRF attack blocked " What's with that?
Monkey_master
New User

Posts: 1
Joined: Wed Aug 01, 2012 6:53 am


Re: Extended Basic 7

Post by ChronosX on Thu Jan 10, 2013 5:15 pm

This mission is bad. Why? Using <?= ?> tags makes the code more unreadable, and it isn't on the first page of the PHP reference linked below. You don't need $_SERVER['PHP_SELF']; leaving it blank like <form action=""> will work fine. This mission also suggests that using htmlspecialchars() will prevent XSS. It might in this case, but often it is not enough.

Good resources:

http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/
http://www.wonko.com/post/html-escaping
http://blog.astrumfutura.com/2012/03/a-hitchhikers-guide-to-cross-site-scripting-xss-in-php-part-1-how-not-to-use-htmlspecialchars-for-output-escaping/
ChronosX
New User

Posts: 8
Joined: Mon Dec 20, 2010 4:31 pm


Re: Extended Basic 7

Post by fashizzlepop on Thu Jan 10, 2013 6:58 pm

The point of this mission isn't to show good coding practices. In fact, quite the opposite. It is geared toward having you read other people's code, spot bugs, and patch them.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
fashizzlepop
Developer

Posts: 2304
Joined: Sat May 24, 2008 1:20 pm


Re: Extended Basic 7

Post by jeremia on Thu Jan 10, 2013 8:33 pm

I finally got it. I've typed the solution 5 times just because I added a ; at the end of my php =)
Please, fix your validation code xD
jeremia
New User

Posts: 1
Joined: Thu Jan 10, 2013 8:27 pm


Re: Extended Basic 7

Post by fashizzlepop on Fri Jan 11, 2013 2:49 am

jeremia wrote: I finally got it. I've typed the solution 5 times just because I added a ; at the end of my php =)
Please, fix your validation code xD

Again, you should try and change as little as possible and stick to the conventions.
fashizzlepop
Developer

Posts: 2304
Joined: Sat May 24, 2008 1:20 pm


Re: Extended Basic 7

Post by Pyrox6969 on Sat Jan 19, 2013 10:37 am

WOW, you guys think you got it bad. Here is a big hint for anyone like me:

USE ' ' as your quotes and NOT " "

I spent hours trying to get this thing, and that was the problem the whole time. Wow, time for a cig, I'm pissed.
Pyrox6969
New User

Posts: 1
Joined: Sat Jan 19, 2013 3:24 am


Re: Extended Basic 7

Post by fashizzlepop on Sun Jan 20, 2013 9:01 am

Pyrox6969 wrote: WOW, you guys think you got it bad. Here is a big hint for anyone like me:

USE ' ' as your quotes and NOT " "

I spent hours trying to get this thing, and that was the problem the whole time. Wow, time for a cig, I'm pissed.

That's why for these missions if your solution isn't working, make sure you are using the conventions set forth in the rest of the mission.
fashizzlepop
Developer

Posts: 2304
Joined: Sat May 24, 2008 1:20 pm


Re: Extended Basic 7

Post by voodooKobra on Sun Nov 17, 2013 3:30 am

I think removing the action="" is probably the best practice for patching it, since browsers will automatically forward the user to the correct page. (This isn't an accepted solution, however.)
voodooKobra
New User

Posts: 1
Joined: Sat Nov 16, 2013 9:53 pm


Re: Extended Basic 7

Post by CovertMagic on Thu Feb 27, 2014 1:23 pm

I, too, am not old enough for this mission, I think!

HTML4 - action is "required" (though afaik browsers will default correctly):
http://www.w3.org/TR/html4/interact/forms.html#h-17.3

HTML5 - not required, features an example without it:
http://www.w3.org/html/wg/drafts/html/master/forms.html#attr-fs-action

and therefore I favour deleting spurious/vulnerable code over patching...
CovertMagic
New User

Posts: 8
Joined: Fri Feb 21, 2014 6:23 pm
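The thread discusses three ways of handling the form's action attribute: ChronosX's point that PHP_SELF echoed into markup needs escaping and that htmlspecialchars() alone is often not enough, and voodooKobra's and CovertMagic's point that the attribute can simply be dropped. The script below is an added example written for this page; it is not code from the mission or from any poster. The path value is constructed to stand in for $_SERVER['PHP_SELF'], and the function names are chosen for this example only.

```php
<?php
// Added example, not code from the mission or from any poster in this thread.
// It renders the form tag three ways and shows what each does with a request
// path that contains markup characters.
// $_SERVER['PHP_SELF'] is whatever path the client asked for, so this
// constructed value stands in for it instead of reading the real superglobal.
$constructedPhpSelf = '/mission.php/"><b>injected</b>';

// 1. Unpatched: PHP_SELF dropped into the attribute as-is. The quote in the
//    path closes the attribute and the rest of the path becomes live markup.
function formActionRaw(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// 2. Patched with escaping: ENT_QUOTES encodes both " and ', so the value is
//    safe inside either quoting style. Before PHP 8.1 the default flags were
//    ENT_COMPAT, which leaves ' untouched, so pass the flag explicitly.
function formActionEscaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// 3. Patched by removal: with no action attribute the browser submits to the
//    document's own URL, so there is no untrusted value to escape at all.
function formActionOmitted(): string
{
    return '<form method="post">';
}

// Check used below: in a well-formed tag every quote is paired (even count)
// and the only raw '<' is the one that opens the tag itself.
function attributeIntact(string $tag): bool
{
    return substr_count($tag, '"') % 2 === 0 && substr_count($tag, '<') === 1;
}

foreach ([
    'raw'     => formActionRaw($constructedPhpSelf),
    'escaped' => formActionEscaped($constructedPhpSelf),
    'omitted' => formActionOmitted(),
] as $label => $tag) {
    printf("%-8s %s  %s\n", $label, attributeIntact($tag) ? 'ok    ' : 'BROKEN', $tag);
}
```

Running it with the PHP CLI marks the raw variant BROKEN (the path's quote and angle brackets survive into the tag) and the other two ok. The escaped variant prints the path as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`, which a browser renders only as attribute text. Note that htmlspecialchars() protects an HTML attribute or text node specifically; a value placed into a JavaScript string, a URL parameter or a CSS rule needs the encoding appropriate to that context, which is the gap the third link in ChronosX's post describes.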

