0

Sorry if this has already been explained elsewhere; I have searched and searched and not found the answer.

Initially, seeing this Notice makes me want to fix it, but upon reflection - what harm can come from it?

In the example below, how could someone maliciously take advantage? If they couldn't, perhaps someone could give me an example where this 'Undefined index' notice may cause problems?

if($_GET['action']=="update"){   ~code~  }

I know the above example could be fixed with something as simple as using 'isset', but I have other areas with Notices such as the below, revolving around a form with code similar to:

print "<input value='".$_POST['value']."'>";

Is there any possibility for an advanced user to use a vulnerability?

Sidupac
  • confusing you use $_GET and then use $_POST.. – Drixson Oseña Oct 03 '13 at 08:18
  • Using unsanitized gets and posts is already a big vulnerability; other than that, those notices will give some meta information to your hacker that he can benefit from. In general, on a production system set error_reporting to nothing. – Gar Oct 03 '13 at 08:18
  • You should turn off user visible warnings in production anyway. But it depends on your context type how anything is interpreted. The default PHP error handling will HTML encode stuff so that you don't have the risk of injection in errors (obviously this code is vulnerable to injection when you DON'T have errors). But I'd just write all my code to never emit any notices/warnings/errors and then ALSO turn off error reporting. – Janus Troelsen Oct 03 '13 at 08:19
  • Sorry, should have clarified: values get sanitized before SQL, but I'm aware of JavaScript/HTML injection on the above code, so I have taken the website down and am using XAMPP to fix it. In my XAMPP setup I have all errors on, but on the server all errors are logged instead. – Sidupac Oct 03 '13 at 08:56
  • Also, I acknowledged that the 'Why should I fix E_NOTICE errors' question would have helped a lot. I was mainly searching for vulnerabilities keywords etc. – Sidupac Oct 03 '13 at 09:13

3 Answers

3

A notice isn't a warning about a security issue. It helps prevent an error in your logic. You're asking for this index, but it does not exist:

  • Should it exist? Why haven't you set it before?
  • Has it been deleted? Why? Should you still be able to access it?
  • Has the key changed? Why haven't you taken that change into account when calling action?

This is just PHP being nice: this doesn't exist, I'll initialise it, but weren't you expecting me to find something?

Keep in mind that PHP is very lax. It's meant to create applications quickly, keeping the programmer focused on the logic, not the details. Notices (recently implemented) are a way to make the logic cleaner, without stopping the whole program at the first little mistake.

Of course, this is a very good habit: fix all your warnings, errors and notices, to make sure your logic acts exactly how you want it to. Computers are stupid, that's a fact. They will always do as you ask, even when you ask them silly things.

John WH Smith
  • Ahhh I see so it is more of a code issue rather than a vulnerability issue. This would explain why I couldn't find any vulnerabilities! Thank you, I will still fix them but at least I know it won't be top priority – Sidupac Oct 03 '13 at 08:45
  • Well, if your logic is failing, case-specific security vulnerabilities could appear: something happens but shouldn't, something is printed but shouldn't be, and so on :) – John WH Smith Oct 03 '13 at 12:31
1

In general: if somebody can see your PHP messages (no matter whether notices or warnings), he will then know some information about your script: possibly its structure, the variables used, parameter names, etc., i.e. the kind of information that should not normally be seen. With that information it's much easier to perform some harmful actions.

However, it's not only about security. Having notices in any case indicates that something possibly went wrong, and your attention should be on those points. My suggestion is: you should write code that will not produce notices/warnings at any error level.

Alma Do
  • Can any error be caught? Or does that only apply to non-fatal ones? – Flosculus Oct 03 '13 at 08:21
  • What do you mean by 'caught'? It's up to you how you configure your application server. If it shows errors/warnings/notices to visitors, then they would be 'caught' by a simple look at the page. – Alma Do Oct 03 '13 at 08:24
  • caught as in try/catch statements. – Flosculus Oct 03 '13 at 08:26
  • @Flosculus, notices and warnings cannot be caught in a `catch`, no. However, the best approach is to avoid them in the first place. – halfer Oct 03 '13 at 08:39
1

An undefined index error is not related to security issues. What it means is that you have not properly initialized a variable before using it in an expression. Regardless of the security implications you should fix it because it means your code is incorrect.

Now back to your initial concern, any data that comes from user input should be sanitized before storing in a database. There are various techniques you can employ. These range from type casting to escaping data with functions like mysqli_real_escape_string() and strip_tags() to using prepared statements. You should read up on this topic. Data sanitization isn't a "one-size-fits-all" kind of thing. Different strategies can be used depending upon the nature of the data and how you're using it.

Neil Girardi
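
The points raised across the answers and comments, pulled together as an added example (not code from any poster on this page): the question's two snippets rewritten so they emit no notice, escape the value for the HTML attribute it is printed into, and log errors instead of showing them. The helper names `param()` and `attr()` are hypothetical, the request data is constructed, and PHP 7 or later is assumed for the `??` operator.

```php
<?php
declare(strict_types=1);

// Production settings: record every notice in the log, show none to visitors.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Notices and warnings cannot be caught by try/catch on their own; converting
// them to ErrorException means a logic slip cannot pass silently.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // honour the configured error level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

/** Hypothetical helper: a request parameter as a string, or a default when absent. */
function param(array $source, string $key, string $default = ''): string
{
    $value = $source[$key] ?? $default;           // no "Undefined index" notice
    return is_string($value) ? $value : $default; // reject arrays such as ?action[]=x
}

/** Hypothetical helper: escape a value for an HTML attribute in either quote style. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for a real request.
$_GET  = ['action' => 'update'];
$_POST = ['value' => "it's' data-injected='1"];

if (param($_GET, 'action') === 'update') {
    // ~code~
}

// Each single quote is emitted as &#039;, so the value cannot close the attribute.
print "<input value='" . attr(param($_POST, 'value')) . "'>\n";
```

Without `ENT_QUOTES` on older PHP versions, `htmlspecialchars()` leaves single quotes untouched, which matters here because the question's markup delimits the attribute with single quotes.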