diff --git a/Security-and-coding.md b/Security-and-coding.md index e754a3b..fb3a136 100644 --- a/Security-and-coding.md +++ b/Security-and-coding.md @@ -39,7 +39,17 @@ If the user input variable doesn't exist or matches the expected pattern, nothin When to use `check_input_parameter`? On absolutely **every user input when the expected pattern is known**. -What if we don't have a pattern to check? For example, if you update the title of a photo, you don't have any pattern de match. This time the solution is to "escape" the variable before using it, with the `pwg_db_real_escape_string` function. +What if we don't have a pattern to check? For example, see this example: + +```php +$query = ' +DELETE FROM '.OLD_PERMALINKS_TABLE.' + WHERE permalink=\''.$_GET['delete_permanent'].'\' + LIMIT 1 +;'; +``` + +Here you have no pattern to match, you don't know what's coming in `$_GET['delete_permanent']`. The problem is that it could countain something like `whatever'; DELETE FROM users WHERE username != '`; This time the solution is to "escape" the variable before using it, with the `pwg_db_real_escape_string` function. ```php $query = ' @@ -55,5 +65,24 @@ TODO explain what it is, when it's a problem and when it's not a problem but a f ## CSRF -TODO explain what a CSRF is -TODO explain how `pwg_token` protects from CSRF attacks \ No newline at end of file +Read a full explanation on [CSRF on Wikipedia](https://en.wikipedia.org/wiki/Cross-site_request_forgery). Also an explanation, but in pictures on [CSRF on PortSwigger](https://portswigger.net/web-security/csrf) + +So in Piwigo we have implemented the `pwg_token` solution. Here is how it works. First in the form: + +``` + +``` + +In the PHP, you send the template variable like this: + +``` +$template->assign('PWG_TOKEN', get_pwg_token()); +``` + +And this is how you check the token is valid when submitting the form: + +``` +check_pwg_token(); +``` + +You will find many use case in Piwigo code. Now you know how to use the `pwg_token`, you need to know "when" to use it: everywhere you delete data or edit data. If you want to make things even more secure you can use `pwg_token` on data creation too. \ No newline at end of file