Odd CURL problem
Previously on "Odd CURL problem"
-
Eh! All a bit over me 'ead. Only had 2 hacks in many years, one was an iframe in the HTML, think due to using an insecure version of FileZilla. One bit of fiddling with database due to security errors, fixed that.
-
Originally posted by NickFitz:
> Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.

Still, either way, you are just getting unvalidated data into your app. The point of using a framework is to make sure you pass through the input and output validation layers, and then you could use SAST to help confirm this in PRs and such. Basic "globals are bad, m'kay" advice.

Still, it does sound like the OP has made an attempt to validate, so hopefully he's okay.

Originally posted by NickFitz:
> Anyway, to get back to the matter at hand: as you say, if you're just grabbing stuff from $_POST and sending it along to WorldPay via CURL, it should be all right as they'll have their own checks and balances. You might want to do a bit of sanity checking on it before passing it through just to avoid annoying them, but it'll probably be OK.

I haven't seen the actual code he's written though, so who knows, it's possible he's fine.
Last edited by fool; 9 April 2019, 09:30.
-
Originally posted by NickFitz:
> Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.
-
Originally posted by TheGreenBastard:
> Did you pay a premium for his services? Master kudos to him if you did. Infect companies with your product and hold the secret key.
-
Originally posted by NickFitz:
> The fact that after six months working with Symfony, in a department filled with extremely smart people who'd been working with it for a year or more who tried to help, I still had to get the bloke who'd invented it to come and fix it, suggests you have the right attitude.
-
Originally posted by xoggoth:
> I am never keen on using third party libraries/packages, great until something goes wrong, then you have to grapple with masses of unfamiliar and mostly irrelevant code.
-
Cheers all. All the input has length limits and strip_tags when taken by self post, and the inputs are all hidden in the redirection page anyway. Think has all the security I can be bothered with.
I am never keen on using third party libraries/packages, great until something goes wrong, then you have to grapple with masses of unfamiliar and mostly irrelevant code. Prefer to stick to my simple stuff. Database is regularly backed up, downloaded to Excel at 2 locations and orders are also in emails/paper invoices.
-
Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.
Fun fact: when I was at Yahoo! (over a decade ago now) we used Symfony and PHP, but Y! had its own internal build of PHP which had a bunch of extra sanitation built into the construction of $_POST and the others. The raw versions, equivalent to normal PHP, were available under different names (something like $_POST_RAW and so on), but any code which accessed them had to have prior written approval, undergo a special code review by senior Paranoids (the name for Y!'s security specialists), and have the Paranoids' written signoff and be fully documented before it could be put into production.
Also, one day I was having a problem with a Symfony setup, and it so happened the creator of Symfony had been hired by Y! and had just been flown to London for an internal conference we were having. So he came to my desk and sorted it all out for me there and then.
(Another speaker knocking around the department that day was Rasmus Lerdorf, the creator of PHP.)
Anyway, to get back to the matter at hand: as you say, if you're just grabbing stuff from $_POST and sending it along to WorldPay via CURL, it should be all right as they'll have their own checks and balances. You might want to do a bit of sanity checking on it before passing it through just to avoid annoying them, but it'll probably be OK.
-
Originally posted by xoggoth:
> Cheers. Only had a quick look so far but I can't see anything online suggesting a problem with post if htmlspecialchars is used. I also apply length limits to values taken on my form. Since the values are being passed to Worldpay, I would expect them to protect against any dodgy data.
> The WP code, which I've looked into already, and Symfony do look like too much work, given that this is a tiny family company with negligible profits, more of a hobby really. Ta for the tips though, I will have a look at improvements.

PHP Code:
<?php phpinfo(); die(); // dumps the PHP build, loaded extensions and ini settings, then stops

You want to be using functions like preg_match within PHP to validate input, as opposed to (as well as) doing it in JavaScript. Apologies if this is stuff you already know, just a tad worried from your original post.
-
> The form example is using htmlspecialchars but I'm not convinced this is adequate, though I haven't written PHP in years.
The WP code, which I've looked into already, and Symfony do look like too much work, given that this is a tiny family company with negligible profits, more of a hobby really. Ta for the tips though, I will have a look at improvements.
-
No answer came the stern reply from the ape.
I wonder if he knows more about div and grad.
-
Originally posted by xoggoth:
> Ta for reply. Former. Think it came from Worldpay docs and was working fine for years.
> Anyway, found a good easy method using self post, pass values to a new page with session and submit form on that page to Worldpay using jscript.
> PHP - Redirecting a form with POST variables
> Think this method must be used a lot, often seeing pages that say summit like "Click here if not redirected to...

However, your PHP examples are ancient and insecure. You shouldn't be using $_POST or $_GET in PHP code, and if you do for some reason, you need to be validating and escaping your input, which your example isn't doing.

The form example is using htmlspecialchars but I'm not convinced this is adequate, though I haven't written PHP in years.

Backing up a second. Modern PHP should be using a framework and composer to install packages. With composer, you can download the worldpay library to take care of this crap without needing to get into messing with curl directly.

GitHub - Worldpay/worldpay-lib-php: PHP Library for Worldpay REST API

Wonderfully, worldpay lib examples are also grabbing from $_POST, so use a framework. Symfony, High Performance PHP Framework for Web Development. I suspect you're going to decide this is too much work, but you're gonna get hacked doing what you're doing.
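The two pieces of advice in this thread that are actually concrete are "validate on the server with preg_match and length limits" (the reply a few posts up) and "don't forward raw $_POST to the gateway over cURL without sanity checking it" (NickFitz's reply and fool's reply just above). The following is an added example, not code from any poster, from WorldPay or from its PHP library: a whitelist-and-validate step that decides what may be forwarded, followed by the cURL send. The field names, the regexes, the `FIELD_RULES` table and the `https://gateway.example/pay` URL are all assumptions for illustration, not WorldPay's API.

```php
<?php
// Added example (not the original poster's code): validate a checkout form's
// fields on the server before they are forwarded to a payment gateway.
// Field names, patterns and the gateway URL are assumptions, not WorldPay's API.

declare(strict_types=1);

// Whitelist of accepted fields: max length and a regex each value must match.
// Anything not listed here is dropped, so extra POSTed keys never reach the gateway.
const FIELD_RULES = [
    'name'     => ['max' => 60,  'pattern' => '/^[\p{L}\p{M} .\'-]+$/u'],
    'email'    => ['max' => 254, 'pattern' => '/^[^@\s]+@[^@\s]+\.[^@\s]+$/'],
    'postcode' => ['max' => 10,  'pattern' => '/^[A-Z0-9 ]+$/i'],
    'amount'   => ['max' => 10,  'pattern' => '/^\d{1,7}\.\d{2}$/'],
    'currency' => ['max' => 3,   'pattern' => '/^(GBP|EUR|USD)$/'],
];

/**
 * Validate a posted array against FIELD_RULES.
 * Returns [clean, errors]; clean contains only whitelisted, well-formed values.
 */
function validateCheckout(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';      // absent keys and array values (name[]=) are rejected
            continue;
        }
        $value = trim($post[$field]);
        if (mb_strlen($value) === 0 || mb_strlen($value) > $rule['max']) {
            $errors[$field] = 'bad length';
            continue;
        }
        if (preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = 'bad format';
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/** Encode the validated fields as a POST body; nothing else from $_POST gets in. */
function buildGatewayBody(array $clean): string
{
    return http_build_query($clean, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Send the body with cURL. Certificate verification stays on (the default)
 * so the request to the gateway cannot be silently intercepted.
 */
function postToGateway(string $url, string $body): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $response = curl_exec($ch);
    if ($response === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("gateway request failed: $err");
    }
    curl_close($ch);
    return $response;
}

// Constructed sample input standing in for $_POST: one malformed field and
// one injected key that is not on the whitelist.
$sample = [
    'name'     => 'Jo Bloggs',
    'email'    => 'jo@example.com',
    'postcode' => 'SW1A 1AA',
    'amount'   => '12.5;',   // fails the amount pattern
    'currency' => 'GBP',
    'admin'    => '1',       // not whitelisted, silently dropped
];
[$clean, $errors] = validateCheckout($sample);
print_r($errors);            // Array ( [amount] => bad format )
print_r($clean);             // name, email, postcode, currency only
if (!$errors) {
    // Only reached with a fully valid form; the URL is a placeholder.
    echo postToGateway('https://gateway.example/pay', buildGatewayBody($clean));
}
```

The point of the whitelist is that the gateway only ever sees keys you chose and values that matched a pattern you chose, so a customer appending extra parameters or stuffing markup into a name field cannot make your server relay it. The JavaScript checks on the form are fine for usability, but anyone can post to the script directly with curl and skip them, which is why the same checks have to run in PHP.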
-
Ta for reply. Former. Think it came from Worldpay docs and was working fine for years.
Anyway, found a good easy method using self post, pass values to a new page with session and submit form on that page to Worldpay using jscript.
PHP - Redirecting a form with POST variables
Think this method must be used a lot, often seeing pages that say summit like "Click here if not redirected to...
Last edited by xoggoth; 5 April 2019, 10:50.
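The "self post, then session, then a page that auto-submits a form to WorldPay" method xoggoth describes is shown below as an added example; it is not the linked article's code, not xoggoth's and not WorldPay's. It assumes the posted fields have already been validated (as in the earlier example), that the only keys worth forwarding are the ones in `FORWARD_FIELDS`, and that `https://gateway.example/pay` stands in for the real gateway URL; all of those names are made up for illustration. The part that matters for security is the `htmlspecialchars` call with `ENT_QUOTES` on every hidden value and the one-shot use of the session data.

```php
<?php
// Added example (not xoggoth's code): the self-post / session / auto-submit
// pattern. Gateway URL and field names are assumptions; $_POST is assumed to
// have been validated (length limits, preg_match) before storeAndRedirect().

declare(strict_types=1);

const GATEWAY_URL    = 'https://gateway.example/pay';   // placeholder, not WorldPay's
const FORWARD_FIELDS = ['name', 'email', 'postcode', 'amount', 'currency'];

/**
 * Step 1 (runs on the self-posting form page after validation succeeded):
 * keep only the fields we intend to forward, put them in the session, and
 * send the browser to the redirect page with a 303 so a refresh there cannot
 * re-post the original form.
 */
function storeAndRedirect(array $validated, string $redirectPage): void
{
    $forward = array_intersect_key($validated, array_flip(FORWARD_FIELDS));
    session_regenerate_id(true);              // fresh session id once order data is attached
    $_SESSION['gateway_fields'] = $forward;
    header('Location: ' . $redirectPage, true, 303);
    exit;
}

/**
 * Step 2 (the redirect page): build the hidden form that the browser submits
 * to the gateway. Every name and value is escaped with htmlspecialchars so a
 * quote or angle bracket in a customer's name cannot break out of the
 * attribute, and the data is removed from the session so the page is one-shot.
 */
function renderRedirectForm(): string
{
    if (empty($_SESSION['gateway_fields']) || !is_array($_SESSION['gateway_fields'])) {
        http_response_code(400);
        return '<p>No order in progress.</p>';
    }
    $fields = $_SESSION['gateway_fields'];
    unset($_SESSION['gateway_fields']);

    $inputs = '';
    foreach ($fields as $name => $value) {
        $inputs .= sprintf(
            '<input type="hidden" name="%s" value="%s">' . "\n",
            htmlspecialchars((string) $name, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        );
    }
    $action = htmlspecialchars(GATEWAY_URL, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return <<<HTML
<!doctype html>
<meta charset="utf-8">
<title>Redirecting to payment</title>
<form id="pay" method="post" action="{$action}">
{$inputs}<noscript><button type="submit">Click here if you are not redirected</button></noscript>
</form>
<script>document.getElementById('pay').submit();</script>
HTML;
}

// --- wiring: one script, two steps, selected by ?step= (assumed layout) ---
session_start();
if (($_GET['step'] ?? '') === 'redirect') {
    echo renderRedirectForm();
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validation of $_POST is assumed to have run before this line;
    // only the whitelisted keys are forwarded in any case.
    storeAndRedirect($_POST, 'self.php?step=redirect');
} else {
    echo '<form method="post"><input name="name"><input name="amount"><button>Pay</button></form>';
}
```

One caveat that follows from the design rather than from anything WorldPay-specific: with this method the browser, not your server, posts the hidden fields to the gateway, and the customer can edit those fields before the form is submitted. Whatever comes back to your site afterwards should therefore be reconciled against the order you stored server-side rather than trusted because it "came from the gateway page".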
-
Is the code you've pasted taken from inside your source Web page, or is it perl from your cgi-bin?