Index code

registered · Posted: Fri Sep 21, 2007 1:34 am

Well I've analyzed some of the patches and changes for this version.

I'm wondering if the new redirect code is better.
I've not particular researched HEADER redirects over META redirects

This is the new code

Code:




   $url = urldecode($url);


   echo "{meta http-equiv=\"refresh\" content=\"0; url=$url\">";

There's an is_admin check around it, so it should be less exploitable. But what are the context of using this, esp since $url is urldecoded but not HTML escaped

---

A minor catch as well, this is the new "referral" protection code added to stop basic SQL injections

Code:




    if (eregi("nuke_", $referer) && eregi("into", $referer) && eregi("from", $referer)) {


       $referer = "";


    }

Sadly, the problem is FB fails to fix the underlying problem. $referrer is not database-escaped!!

The 8.1 Patched 3.4 files does add a correct addslashes. Again, FB failing to patch the files IN FULL. If he would only do that and stop adding junk code.

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Ah, but you're assuming he wrote that...

As for HEADER vs META, I'd have to compare the two and do some research before commenting. But, given the track record, I'd be suspicious.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

HEADER can be used anywhere in your code but must be written before anything is sent to your browser.

META must be placed in the <head></head> section.

Here's some good info on it.
http://www.webmasterworld.com/forum88/1011.htm