rondog Posted August 28, 2008

I am building a site and using $_GET to populate some pages.

/index.php?do=video&id=1,12

If I were to type in the address bar:

/index.php?do=video&id=1,' OR id = '12

It does practically the same thing! Now I know the example I provided won't really do any harm, but it opens the door to many more threats. How can I trim my id to only contain numbers since that's what really all will ever be in the id?

Link to comment https://forums.phpfreaks.com/topic/121772-solved-how-to-stop-this-injection/
DarkWater Posted August 28, 2008

$id = (int) $_GET['id'];

Also, make sure to use mysql_real_escape_string anyway.
trq Posted August 28, 2008

> How can I trim my id to only contain numbers since that's what really all will ever be in the id?

But your first example contains a comma?
dezkit Posted August 28, 2008

make an if statement with regex, if the $_GET["id"] has any commas, letters, or what not, display an error, and then an else statement getting the data from the database. ez pz lemon squeezy
rondog Posted August 28, 2008

> How can I trim my id to only contain numbers since that's what really all will ever be in the id?
>
> But your first example contains a comma?

right yes..numbers and commas I guess hah..instead of doing something like id1=1&id2=12 I am using the commas and exploding them to an array.
dezkit Posted August 28, 2008

<?php
$id = $_GET["id"];
if (preg_match("/^[0-9]+$/", $id) > 0) {
    // mysql queries and shit
} else {
    echo "errors";
}
?>
DarkWater Posted August 28, 2008

First of all, dezkit, you forgot delimiters, and second of all, you forgot commas.

Edit: And you only allowed 1-9 and not 0. =P

/[\d,]/
dezkit Posted August 28, 2008

lol its like you love correcting my mistakes
BlueSkyIS Posted August 28, 2008

we all like correcting everyone's mistakes. that's the point, isn't it?
rondog Posted August 28, 2008

> <?php
> $id = $_GET["id"];
> if (preg_match("/^[0-9]+$/", $id) > 0) {
>     // mysql queries and shit
> } else {
>     echo "errors";
> }
> ?>

cool man that seems to be working. Two questions, where in there is it allowing commas and what is the $ sign for?
DarkWater Posted August 28, 2008

rondog, use:

^/[\d,]/$

as your regex. Not the one he gave.
dezkit Posted August 28, 2008

idk why but i get an error for what you give me dw
rondog Posted August 28, 2008

> ^/[\d,]/$

what does that even mean ?
kratsg Posted August 28, 2008

> ^/[\d,]/$

Oddly enough, I cringe at this :-P I'm not exactly sure why the ^ and $ are on the outsides, or even why they belong in this RegEx.

Are you trying to match anything that starts with EITHER a comma or a digit?

/^[\d,]/

Are you trying to see if there is anything that is not a comma OR digit?

/[^\d,]*/

(the * meaning 0 or more times, so if there is at least one character that is not a comma or digit, it will match)
rondog Posted August 28, 2008

basically my links can route to three different areas

index.php?do=video&id=1
index.php?do=video&id=1,7
index.php?do=video&id=1,7,17

those numbers just being examples..I need to make sure that only numbers and commas are in the id string in the address bar.
dezkit Posted August 28, 2008

wait, so you DO want commas in the url???
rondog Posted August 28, 2008

yes I said that..after my first post heh
kratsg Posted August 28, 2008

Use a preg_match function. it returns either 0/1 (respectively meaning the number of matches at minimum). If it cannot find a match, it returns 0, otherwise 1 (it stops after finding one match).

// this will look for any single character that is NOT a digit OR a comma
// (no trailing *, since [^\d,]* would also match the empty string and so
// preg_match would return 1 for every input, making the check a no-op)
$pattern = "/[^\d,]/";
if (preg_match($pattern, $_GET["id"])) {
    die('OMFG! Someone just tried to hax0r j00!'); // you have at least one match
}

Just insert that die function, if something's wrong, it stops the script right then and there, otherwise, it's all ez squeezy lemon peasy o_o (to quote someone)
dezkit Posted August 28, 2008

then you might wanna use

<?php
$id = $_GET["id"];
// whole string must be digits and commas only; preg_match returns 0 on no match
if (!preg_match("/^[0-9\,]+$/", $id)) {
    echo "ERROR";
} else {
    // mysql stuff
}
?>
rondog Posted August 28, 2008

I respect your guys work and time on helping me out, but what is the best one to use?

dezkit's: "/^[0-9\,]+$/"

or kratsg's: "/[^\d,]*/"

They look similar, but I am having a hard time grasping what these mean..I am thinking the \d means digit so maybe its the same as 0-9?
kratsg Posted August 28, 2008

\d is called a character class: http://evolt.org/RegEx_Basics?from=50&comments_per_page=50

\d matches a digit, same as [0-9]
\D matches a non-digit, same as [^0-9]
\s matches a whitespace character (space, tab, newline, etc.)
\S matches a non-whitespace character
\w matches a word character
\W matches a non-word character
\b matches a word-boundary (NOTE: within a class, matches a backspace)
\B matches a non-wordboundary
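A fuller version of the validation the thread converges on, as an added example that is not from any poster: it accepts only digit groups separated by single commas (so it also rejects "1,", ",1" and "1,,2"), casts each id to int, and hands the ids to a prepared statement rather than escaping them into the SQL text. It assumes PHP 7.1+ with PDO; the DSN, credentials, and the `videos` table and `title` column are placeholders.

```php
<?php
// Added example, not from the thread. Validates a comma-separated id list
// such as "1,7,17" and queries it with a PDO prepared statement (assumed).

/**
 * Return an array of ints for a value like "1,7,17", or null if the value
 * contains anything other than digit groups separated by single commas.
 */
function parse_id_list(string $raw, int $max = 20): ?array
{
    // Anchored with ^ and $: the whole string must match, so input such as
    // "1,' OR id = '12", "1,", ",1" and "1,,2" is rejected outright.
    if (!preg_match('/^\d{1,10}(,\d{1,10})*$/', $raw)) {
        return null;
    }
    $ids = array_map('intval', explode(',', $raw));
    $ids = array_values(array_unique($ids));
    if (count($ids) > $max) {
        return null; // bound the size of the IN (...) list
    }
    return $ids;
}

$ids = parse_id_list($_GET['id'] ?? '');
if ($ids === null) {
    http_response_code(400);
    exit('invalid id');
}

// One "?" per id; the values are bound, so they never touch the SQL text.
$placeholders = implode(',', array_fill(0, count($ids), '?'));
$pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass'); // placeholder DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare("SELECT id, title FROM videos WHERE id IN ($placeholders)");
$stmt->execute($ids);
$videos = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The regex alone already blocks the quote-based example from the first post; the prepared statement is what keeps the query safe even if the validation is later loosened.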
dezkit Posted August 28, 2008

dezkit's
rondog Posted August 28, 2008

> \d is called a character class: http://evolt.org/RegEx_Basics?from=50&comments_per_page=50
>
> \d matches a digit, same as [0-9]
> \D matches a non-digit, same as [^0-9]
> \s matches a whitespace character (space, tab, newline, etc.)
> \S matches a non-whitespace character
> \w matches a word character
> \W matches a non-word character
> \b matches a word-boundary (NOTE: within a class, matches a backspace)
> \B matches a non-wordboundary

Ahh very helpful man. I think that link could help me out. I appreciate it guys thanks!