Ravens PHP Scripts: Forums
 

 
  Forum Index  •  Forum FAQ  •  Search  •  Memberlist  •  Usergroups  •  Profile  •  Log in to check your private messages  •  Log in

csrf protection in a search function
 View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x
Author Message
neralex
Site Admin



Joined: Aug 22, 2007
Posts: 1772
PostPosted: Sun May 12, 2013 10:31 am Reply with quote
I'm trying to build a search-function and i have little bit played with the csrf protection methods. I have a pager function, that pass the needed stuff with hyperlinks (GET) into my functions. I thought it could be cool to protect the search query before i pass it back into my function.

Code:
if (!isset($search)) $search = '';


if (!isset($go)) $go = '';


if (!isset($offset)) $offset = '';





switch($op) {





   case 'search':


   search($offset, $go, $search);


   break;





}





function search($offset, $go, $search) {


   global $db, $prefix, $op, $module_name;


   if ($search != '') {


      csrf_check();


      define('paranoid_search', true);


   }


   $path = 'modules.php?name=' . $module_name . '&op=' . $op;


   include_once 'header.php';


   OpenTable();


   echo '<div class="text-center">' , PHP_EOL


      , '<form method="post" action="modules.php?name=' , $module_name , '&amp;op=' , $op , '">' , PHP_EOL


      , '<input type="text" name="search" />&nbsp;' , PHP_EOL


      , '<input type="submit" value="' , _SEARCH , '" />' , PHP_EOL


      , '</form>' , PHP_EOL


      , '</div>' , PHP_EOL;


   $search_filter = $db->sql_escape_string(check_html($search,'nohtml'));


   $query = 'SELECT `title` FROM `' . $prefix . '_mytable` WHERE `title` LIKE \'%' . $search_filter . '%\' ORDER BY `id` ASC';


   pager($path, $offset, $go);


   CloseTable();


   include_once 'footer.php';


}





function pager($path, $offset, $go) {


   if (defined('paranoid_search')) {


      $token = 'class="rn_csrf" ';


   } else {


      $token = '';


   }


   echo '<a ' , $token , 'href="' , $path , '&amp;offset=' , $offset , '&amp;go=' , $go , '">1</a>' , PHP_EOL;


}


Yes ok, in this case i get a very long url as result in the pager hyperlink but the search function should be used only by logged users.
Is it to paranoid to do this or give it a better way to ride on the token?

_________________
Github: RavenNuke 
View user's profile Send private message
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania
PostPosted: Sun May 12, 2013 12:09 pm Reply with quote
I would say that this is probably "paranoid". The reason i say this is that typical xss protection is to stop the submission of data that if accepted would be saved or change something. And since this is just displaying data ....

If you want to protect links this is the only way. I guys you could use a cookie to store the token and then pass it back to the proper functions (not csrf_check()). You would have to review csrf-magic.php.

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
View user's profile Send private message
neralex
PostPosted: Sun May 12, 2013 12:21 pm Reply with quote
Ok i understand, thank you for the reply.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x


 Jump to:   




View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©