Using $_GET or $_POST to do simple hacking


KingOfHeart

I'm doing this on my website to see what you can do with $_GET and $_POST exposed.

I know you can use it for mysql hacking (mind pasting a few examples)

but can it be used for creating files?

Or how about echoing the entire php file as plain html?

Any help would be appreciated so I know what a hacker could do to my site if I exposed any of these by accident.

Well, all this would depend on what you do with it. If you rely on GET or POST data for filenames, you're in for some trouble. MySQL injection can leak information from your database.

I'd suggest that you read up on PHP security. There are gazillions of articles on the net about it.

Since PHP is very powerful, the potential for bad and good is all in the hands of a security-conscious coder.

"I know you can use it for mysql hacking (mind pasting a few examples)"

As long as you use mysql_real_escape_string($var) on everything on the database you should be fine.

"but can it be used for creating files?"

Not if the script has nothing to do with creating files.

"Or how about echoing the entire php file as plain html?"

Nope. Never heard of something like this.

You gotta remember that POST and GET vars are only used when your script tells them to. It's like you can put index.php?show=1 and all their code shows up. Hacking has to do with guessing what they are doing with the get and post vars.
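The two risks raised in the replies above (request data reaching a SQL query, and request data used as a filename), handled defensively in an added example that is not code from any poster in this thread. It binds the value in a PDO prepared statement, since the `mysql_*` functions were removed in PHP 7 and escaping alone does not protect a value placed in a query without quotes, and it maps the page parameter through a fixed list. The `users` table, the page paths, the function names and the sample request values are all constructed for illustration, and the `pdo_sqlite` extension is assumed to be available.

```php
<?php
// Added example: constructed table, page names and inputs; not code from the thread.

// Constructed stand-in for the site's database (in-memory SQLite via PDO).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Database lookup: the request value is bound as data and never becomes SQL text.
function find_user(PDO $db, $rawId): ?array
{
    // Validate the type first; reject anything that is not a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// File selection: the request value only picks a key from a fixed list,
// so it is never used as part of a path.
function resolve_page($rawPage): string
{
    $pages = [                       // hypothetical page files
        'home'    => 'pages/home.php',
        'contact' => 'pages/contact.php',
    ];
    return (is_string($rawPage) && isset($pages[$rawPage])) ? $pages[$rawPage] : $pages['home'];
}

// Constructed request values standing in for $_GET['id'] and $_GET['page'].
$samples = [
    ['id' => '2',        'page' => 'contact'],
    ['id' => '2 OR 1=1', 'page' => '../index.php'],
    ['id' => ['2'],      'page' => null],
];
foreach ($samples as $get) {
    $user = find_user($db, $get['id']);
    printf("id=%s -> %s | page -> %s\n",
        json_encode($get['id']),
        $user ? $user['name'] : 'rejected',
        resolve_page($get['page']));
}
```

Only the first sample returns a user and a non-default page; the other two are rejected by the integer check and fall back to the `home` entry.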

Archived

This topic is now archived and is closed to further replies.
