shivamdixit / WebGoatPHP

WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases.
http://webgoatphp.com/
Apache License 2.0

Secure Coding Mode: Specifying which lines to display #23

Open shivamdixit opened 10 years ago

shivamdixit commented 10 years ago

In secure coding mode, the developer is specifying the start and end line numbers that will be available for editing (in the function isSecureCodingAllowed()). However, this is not the best way, because if in the future the developer modifies the code, the line numbers will change and the wrong lines will be displayed to the user.

abiusx commented 10 years ago

Wouldn't the developer update the metadata after changing the files? Or can he define a file which the user can edit, and keep the rest un-editable? -A

On Jul 19, 2014, at 10:59 AM, Shivam Dixit notifications@github.com wrote:

In secure coding mode, the developer is specifying the start and end line numbers that will be available for editing (in the function isSecureCodingAllowed()). However, this is not the best way, because if in the future the developer modifies the code, the line numbers will change and the wrong lines will be displayed to the user.


shivamdixit commented 10 years ago

That is correct. I thought there might be some other alternative also. Thanks!

captn3m0 commented 10 years ago

Not sure if this would be a correct solution, but you can try using special comments with a custom format that you specify to allow the dev to specify editable portions. For instance:

<?php
include 'somestuff.php';
/** EDITABLE:BEGIN */
// Only the lines between the markers are exposed to the learner for editing
// (here, the lesson's deliberately injectable query).
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id='$id'");
/** EDITABLE:END */
?>

You would have to do some work with parsing the files, but the end result would be an easier system for developers to write.
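The parsing step described above, written out as an added example (not WebGoatPHP's own code): it derives the editable line range from the marker comments, so moving the code around no longer exposes the wrong lines, and it rejects unbalanced or nested markers so a broken lesson file fails loudly rather than silently widening what the learner can edit. The function name and return shape are assumptions for illustration.

```php
<?php
// Added example (not part of WebGoatPHP): derive the editable region of a
// lesson source file from EDITABLE:BEGIN / EDITABLE:END marker comments
// instead of hard-coded line numbers. Function name is an assumption.
/**
 * Returns an array of [startLine, endLine] pairs (1-based, inclusive) for
 * the lines strictly between each EDITABLE:BEGIN / EDITABLE:END pair.
 * Throws on unbalanced or nested markers so a malformed lesson file cannot
 * silently expose the wrong lines to the learner.
 */
function findEditableRegions(string $source): array
{
    $lines   = preg_split('/\R/', $source);
    $regions = [];
    $open    = null;   // line number of the current BEGIN marker, if any
    foreach ($lines as $index => $line) {
        $lineNo = $index + 1;
        if (preg_match('~/\*\*\s*EDITABLE:BEGIN\s*\*/~', $line)) {
            if ($open !== null) {
                throw new RuntimeException("Nested EDITABLE:BEGIN on line $lineNo");
            }
            $open = $lineNo;
        } elseif (preg_match('~/\*\*\s*EDITABLE:END\s*\*/~', $line)) {
            if ($open === null) {
                throw new RuntimeException("EDITABLE:END without BEGIN on line $lineNo");
            }
            if ($lineNo - $open > 1) {        // skip empty regions
                $regions[] = [$open + 1, $lineNo - 1];
            }
            $open = null;
        }
    }
    if ($open !== null) {
        throw new RuntimeException("EDITABLE:BEGIN on line $open is never closed");
    }
    return $regions;
}

// Constructed sample mirroring the snippet from the comment above.
$sample = <<<'PHP'
<?php
include 'somestuff.php';
/** EDITABLE:BEGIN */
$id=$_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id='$id'");
/** EDITABLE:END */
?>
PHP;
var_dump(findEditableRegions($sample));
```

The returned ranges can then replace the hard-coded start and end line numbers in isSecureCodingAllowed(), with any exception treated as a lesson-configuration error rather than falling back to editing the whole file.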

shivamdixit commented 10 years ago

@captn3m0 Looks like a good idea to me!