Anyone can make a web page

Posted on Wednesday, August 25, 2010 in Web development

Anyone can make a web page

on Wednesday, August 25, 2010

The title of this post is ambiguous, since it can be interpreted as "making web pages is something easy for everyone" or as "even the most inept is allowed to make a web page".
This ambiguity is intentional, since experience has shown me that both interpretations are correct, in fact often the first implies the second.

'Cause although anyone can make a website, not everyone can make any web page. It is not the same to make a blog on Blogger than to develop the Facebook website.

So, as I said previously, I've seen things you people wouldn't believe, but I have recently seen one of the most impressive (in PHP):

$quux="\$_POST[foo" . $_POST['foo'] . "]";
eval("\$quux = \"$quux\";");

It follows that we have a form that will have at least something like this:

<form method="post" action="form.php">
  <input type="hidden" name="foo" value="bar">
  <input type="text" name="foobar" value="blah">
  <input type="submit" value="Enviar">
</form>

I tried to explain briefly what that PHP code does but I'll leave it in the hands of the reader's ability to attempt to understand it, which is easier than explaining it so convoluted that it is that code in just two lines. Unnecessarily convoluted as you may do exactly the same with:

$quux=$_POST['foo'.$_POST['foo']];

But that's not the worst. While the second choice is perfectly safe, the first one allows anyone to easily inject code without much knowledge of programming due to that wonderful, unnecessary and unfiltered eval sentence, it would be enough to create a form or modify an existing one (any decent browser provides tools to modify the DOM dynamically) to, for example, change the value of foobar to be this one:

<form method="post" action="form.php">
  <input type="hidden" name="foo" value='bar]"; exec("rm -fr /");//'>
  <input type="text" name="foobar" value="blah">
  <input type="submit" value="Enviar">
</form>