devel:security

Differences

This shows you the differences between two versions of the page.

devel:security [2015-11-07 16:19]
50.141.100.133 [Security Guidelines for Plugin Authors]
devel:security [2016-06-20 20:34] (current)
139.174.200.55 [Prevent CSRF] Typo
Line 10: Line 10:
   * Cross Site Request Forgery (CSRF) -- tricks to let you self do unknowingly harmful actions on your site    * Cross Site Request Forgery (CSRF) -- tricks to let you self do unknowingly harmful actions on your site 
   * Remote Code Inclusion -- includes code on server that's executed there   * Remote Code Inclusion -- includes code on server that's executed there
-  * Information leaks -- there is too much information ​showed+  * Information leaks -- there is too much information ​shown
   * SQL injection -- one can do unwanted requests on your data   * SQL injection -- one can do unwanted requests on your data
  
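Review bot: the typo fix on the "Information leaks" bullet is fine, but the CSRF bullet in the same hunk is still ungrammatical ("tricks to let you self do unknowingly harmful actions on your site"); suggest "tricks you into unknowingly performing harmful actions on your own site". The "Remote Code Inclusion" bullet could likewise read "makes the server include and execute attacker-supplied code" so the list has a consistent form.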
Line 199: Line 199:
 </​code>​ </​code>​
  
-What the user's browser ​will do then?+What will the user's browser do then?
  
 The browser will process this image as any other and will send a request to this URL. Your plugin will then see that $_GET['​yn'​] is set and will call the do_something_with_yn() function. The browser will process this image as any other and will send a request to this URL. Your plugin will then see that $_GET['​yn'​] is set and will call the do_something_with_yn() function.
Line 218: Line 218:
 </​code>​ </​code>​
  
-Do you see the first input? Yes? Good. Now you have to check the security token when you recieve ​the form, before processing it:+Do you see the first input? Yes? Good. Now you have to check the security token when you receive ​the form, before processing it:
  
 <code php> <code php>
Line 228: Line 228:
 As the malicious website will never find the value of the "​sectok"​ hidden input, your form is no longer vulnerable to CSRF. As the malicious website will never find the value of the "​sectok"​ hidden input, your form is no longer vulnerable to CSRF.
  
-**Note:** If the security token is not valid, the checkSecurityToken() function displays a message which inform ​the user.+**Note:** If the security token is not valid, the checkSecurityToken() function displays a message which informs ​the user.
  
  
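Review bot: the corrected Note only says that checkSecurityToken() displays a message when the token is invalid, while the earlier sentence ("check the security token when you receive the form, before processing it") implies the plugin must also stop there. Suggest extending the Note to make that explicit, e.g. "the function informs the user and your code must not process the form", so readers do not rely on the message alone. The claim "your form is no longer vulnerable to CSRF" in the same hunk could also be softened to "no longer vulnerable to this CSRF attack", since the protection rests on the token value not being disclosed to the attacker.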
devel/security.1446909580.txt.gz · Last modified: 2015-11-07 16:19 by 50.141.100.133