I’m not using any AJAX and my third-party script is just the Authorize SDK. Could you dumb down your other points a little? I’m kinda lost :p
Jason
As opengeek has mentioned above, MODx itself sanitizes all the requests through its index.php gateway, with an option.
What I mean about ’3rd party’ is the part of your scripts that does not belong to MODx (+extras) and your own script.
I’ve never used http://developer.authorize.net/, but keep your eyes on their security notifications.
To simplify your work, you can use some ready-to-use 3rd party classes to sanitize your input.
I’ve used htmLawed.
I bet you’re using other scripts for several purposes, like Member Management, or Newsletter.
If you’re using those scripts that you find from internet (like from http://phpclasses.org), audit the code.
Or, are you asking about the ’webroot’?
Rico
Genius is one percent inspiration and ninety-nine percent perspiration.
Thomas A. Edison
MODx is great, but knowing how to use it well makes it perfect!
www.virtudraft.com
Security, security, security! |
Indonesian MODx Forum |
MODx Revo's cheatsheets |
MODx Evo's cheatsheets
Author of
Easy 2 Gallery 1.4.x,
PHPTidy,
spieFeed,
FileDownload R,
Upload To Users CMP,
Inherit Template TV,
LexRating,
ExerPlan,
Lingua,
virtuNewsletter,
Grid Class Key,
SmartTag,
prevNext
Maintainer/contributor of
Babel
Because it's hard to follow all topics on the forum, PING ME ON TWITTER @_goldsky if you need my help.
Okay, I think the light is beginning to break here. Correct me if I’m wrong: As long as my script is a snippet that loads through index.php, i.e. through MODx itself, and cannot be accessed directly, MODx handles essential sanitization of $_POST (with the capability to allow special characters in $_POST if desired, which I have disabled in system settings). Beyond that, we’re looking at other potential security issues with PHP scripts - not $_POST exploits.
Actually the only 3rd-party classes coming into play here, apart from the aforementioned Authorize SDK, are those provided by Visioncart team. I have modified their fledgling Authorize module some - changing $_REQUEST to $_POST for one less attack vector.
Jason
exactly.
Ow, one more thing.
Just be careful when you’re filtering numbers.
Price uses float number.
Rico
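An added example (not code from this thread, MODx or Visioncart) of the number filtering Rico warns about: a hypothetical validatePriceCents() that reads only $_POST, as Jason does, and accepts a float-style price like 19.99 without leaning on PHP's float parsing. The sample inputs are constructed.

```php
<?php
// Added example, not from the thread. Function name and sample inputs are constructed.

/**
 * Validate a user-supplied price and return it as integer cents, or null if invalid.
 * - Takes the $_POST array only (not $_REQUEST, which also accepts GET and cookie values).
 * - intval() or FILTER_VALIDATE_INT would truncate or reject "19.99", so the check is
 *   float-aware, but money is not handled as a raw float: a strict pattern allows at
 *   most two decimals and the value is converted to cents for exact comparison later.
 */
function validatePriceCents(array $input, string $field, int $maxCents = 100000000): ?int
{
    if (!array_key_exists($field, $input) || !is_string($input[$field])) {
        return null;                       // missing, or an array smuggled in as price[]=
    }
    $raw = trim($input[$field]);
    // Digits with an optional one or two digit fraction. Rejects "-5", "1e3", "19,99"
    // and "1.999"; note FILTER_VALIDATE_FLOAT alone would happily accept "1e3" and "-5".
    if (!preg_match('/^(\d{1,9})(?:\.(\d{1,2}))?$/', $raw, $m)) {
        return null;
    }
    $whole = (int) $m[1];
    $frac  = isset($m[2]) ? (int) str_pad($m[2], 2, '0') : 0;   // "9" means 90 cents
    $cents = $whole * 100 + $frac;
    if ($cents <= 0 || $cents > $maxCents) {
        return null;                       // zero/negative or implausibly large
    }
    return $cents;
}

// Constructed sample values, as they would arrive in $_POST['price'].
$samples = ['19.99', '19.9', '0.5', '1e3', '-5', '19,99', '1.999', '', ['x'], 'abc'];
foreach ($samples as $raw) {
    $cents = validatePriceCents(['price' => $raw], 'price');
    printf("%-10s => %s\n",
        is_array($raw) ? 'array' : var_export($raw, true),
        $cents === null ? 'rejected' : "$cents cents");
}
```

In a cart the validated amount should still be compared against the price stored server-side rather than trusted as the amount to charge.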
Tutorial covers Cross Site Scripting (XSS), Cross Site Forgery Requests (CSFR), SQL Injection, globals, and much more!
http://videos.code2design.com/video/play/PHP/11
Rico