Assigned We 7/16/2008, due Fr 7/25 at 9pm. 50 points.
http://www.cs.nyu.edu/courses/summer08/G22.3033-002/
These are example solutions. Please keep in mind that often, there is not just one correct solution to a question. If you come up with different answers, then it may be that both your answers and these answers here are correct. Of course, these answers here may also contain mistakes. If you spot a mistake, please let me know so I can correct it.
#   result    motivation
1   success   same domain, protocol and port
2   success   same domain, protocol and port
3   failure   different protocol (ftp)
4   failure   different domain (www.columbia.edu)
5   success   same domain, protocol and port (port 80 is the default)
6   failure   different port (8080)
7   failure   same domain nyu.edu, but a different server (www2)
$name comes from user input, for example, from $_GET['name']. Then, the attacker can provide the following input:
foo'; drop table custid; --
This is the same input as on the slides. If embedded in SQL, it will end the current string and statement, then start a new statement that destroys a table.
addslashes. It is easy to reimplement from first principles:
function my_addslashes($str) {
    // The characters addslashes escapes: backslash, double quote, single quote, NUL.
    // The backslash must be listed first: str_replace applies the pairs in order,
    // and the later replacements introduce backslashes that must not be escaped again.
    // NUL is written out as backslash followed by the digit 0, as addslashes does.
    $badchar = array("\\", '"', "'", "\0");
    $replace = array("\\\\", '\\"', "\\'", "\\0");
    $result = str_replace($badchar, $replace, $str);
    return $result;
}
Somewhere along the way of information flowing from user input to HTML output, the data must be sanitized. PHP already provides the function htmlspecialchars for this purpose. If written from first principles, it looks a lot like the SQL sanitization function from the previous question:
function my_htmlspecialchars($str) {
    // The ampersand must be replaced first: every other replacement produces an
    // entity that itself contains '&', which must not be encoded a second time.
    // (The built-in htmlspecialchars only encodes the single quote when called
    // with ENT_QUOTES; this version always does.)
    $badchar = array("&", '"', "'", "<", ">");
    $replace = array("&amp;", "&quot;", "&#039;", "&lt;", "&gt;");
    $result = str_replace($badchar, $replace, $str);
    return $result;
}
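The same $name flow as in the SQL and HTML answers above, as an added example that is not part of the course solutions: the vulnerable query string, the addslashes-escaped one, the parameterized query that needs no escaping at all, and the HTML output through the built-in htmlspecialchars. It assumes PHP with the pdo_sqlite extension; the customers and custid tables and the row in them are constructed for the demonstration.

```php
<?php
// Added example (not from the course solutions). Assumes PHP with pdo_sqlite.
// Constructed attacker input, the same string as on the slides.
$name = "foo'; drop table custid; --";

// Vulnerable: $name is spliced into the SQL text, so its quote terminates the
// literal and everything after it is parsed as SQL.
function query_unsafe($name) {
    return "SELECT name FROM customers WHERE name = '$name'";
}

// Escaped with addslashes: the quote becomes \' and stays inside the literal.
// Backslash escaping is MySQL's convention; SQLite and standard SQL escape a
// quote by doubling it, so use the driver's escaping (PDO::quote) or, better,
// placeholders as below.
function query_escaped($name) {
    return "SELECT name FROM customers WHERE name = '" . addslashes($name) . "'";
}

// Parameterized: the value is bound to a placeholder and never parsed as SQL.
function lookup_customer(PDO $db, $name) {
    $stmt = $db->prepare("SELECT name FROM customers WHERE name = ?");
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// HTML output: ENT_QUOTES makes htmlspecialchars encode the single quote too,
// which is what my_htmlspecialchars above does unconditionally.
function greeting_safe($name) {
    return "<p>Hello, " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</p>";
}

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE customers (name TEXT)");
$db->exec("CREATE TABLE custid (id INTEGER)");
$db->exec("INSERT INTO customers VALUES ('foo')");

echo query_unsafe($name), "\n";    // two statements: the literal is broken open
echo query_escaped($name), "\n";   // one statement: the quote is escaped
var_dump(lookup_customer($db, $name));  // no row matches the injected string
var_dump(lookup_customer($db, 'foo'));  // the legitimate value still matches
// The table named in the injected statement is untouched.
$tables = $db->query("SELECT name FROM sqlite_master WHERE type = 'table'")->fetchAll(PDO::FETCH_COLUMN);
echo in_array('custid', $tables) ? "custid still exists\n" : "custid is gone\n";
echo greeting_safe($name), "\n";   // the quote comes out as an entity, not markup
```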