Chat Posted August 2, 2006
hi, i've just created my first truly dynamic site - my site has this code:
[code]$blaa = array_key_exists('blaa', $_GET) ? $_GET['blaa'] : "blee";
echo $blaa;[/code]
...you can type ?blaa=abc at the end of a url to change the echoed word in the site to abc... etc.
i'm very worried about security though. i tried injecting some dodgy code into the url and found the quotes were automatically backslashed somehow, but my injection skills are not as good as some hackers'. should i be using some functions to strip bad input? if so, what exactly should i use? help, please! :o
Orio Posted August 2, 2006
If you are only echoing, there's no problem. But if you are using these variables with SQL etc., you should read about SQL injections and how to prevent them.
Orio.
ronverdonk Posted August 2, 2006
[color=red]NEVER, EVER trust data that is coming into your site![/color] GET data is an ideal target for Cross Site Request Forgery and other hacks. Whether it is a GET or a POST or a file: never trust it! Always know what data you expect, the data type and format, if possible the length, and, at least, always start with an htmlentities().
Ronald ;D
Chat Posted August 2, 2006 Author
thanks guys - so i'll look into htmlentities(). any other things i should be using? even better, an example? >:(
ronverdonk Posted August 2, 2006
htmlentities is only the bare minimum. It is difficult to give examples, because it all depends on what you expect in your $_GET. E.g.
[list]
[*]do you expect a number with a minimum/maximum value? Check numeric content and values.
[*]do you expect a string of 2 characters? Check alpha chars, length 2.
[*]do you expect a string with predefined content? Check content.
[*]do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings.
[*]etc.
[/list]
Ronald 8)
Chat Posted August 3, 2006 Author
"do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings"
yes, i expect strings, sometimes a max of 30 characters, sometimes a max of 15, including alphanumerics and other characters, maybe including quotes... can anyone recommend a proper validation class or anything else?
thanks for the help ;)
PakiGangsta Posted August 3, 2006
you can strip_tags($_GET['value']);
Chat Posted August 3, 2006 Author
i read somewhere that strip_tags was not as safe as a newer alternative. i can't remember what it was or where i heard it. would you say strip_tags($_GET['value']) in combination with htmlentities($_GET['value']) is safe enough? if so, which should i use first?
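An added example (not code from anyone in this thread) of the approach Ronald's list describes and of the strip_tags/htmlentities question above: validate each GET parameter against what the page expects (a whitelist of characters and a length cap, or a numeric range), fall back to a safe default when it does not match, and escape at the point of output instead of trying to strip "bad" input. The names $blaa and "blee" and the 30-character limit come from the original posts; get_param and get_int_param are hypothetical helpers.

```php
<?php
// Added example: whitelist validation on input, escaping on output.
// $blaa / "blee" and the 30-char limit are taken from the thread; the
// helper names and the accepted-character set are assumptions.

// Return the value of a GET parameter if it matches the expected pattern
// and length, otherwise $default. Non-string input (?blaa[]=x) is rejected too.
function get_param(string $name, string $default, int $maxLen, string $pattern): string
{
    $raw = $_GET[$name] ?? null;
    if (!is_string($raw) || strlen($raw) > $maxLen || !preg_match($pattern, $raw)) {
        return $default;
    }
    return $raw;
}

// Numeric variant for the "number with a minimum/maximum value" case:
// filter_var does the type check and the range check in one step.
function get_int_param(string $name, int $default, int $min, int $max): int
{
    $raw = $_GET[$name] ?? null;
    if (!is_string($raw)) {
        return $default;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? $default : $n;
}

// Letters, digits, spaces and a few punctuation marks (quotes included, since
// the poster needs them); anything else falls back to "blee". strip_tags is
// not used: the browser never sees the raw value, only the escaped one.
$blaa = get_param('blaa', 'blee', 30, '/^[A-Za-z0-9 .,!?\'"-]+$/');
$page = get_int_param('page', 1, 1, 500);

// Escape at output, whatever validation accepted: < > & " ' become entities,
// so the value cannot be parsed as markup or break out of an attribute.
echo '<p>' . htmlspecialchars($blaa, ENT_QUOTES, 'UTF-8') . '</p>';
echo '<a href="?page=' . $page . '">page ' . $page . '</a>';
```

The order question answers itself here: validation decides whether the value is accepted at all, and escaping happens once, on output, in every place the value is printed.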
ronverdonk Posted August 3, 2006
A very good input filtering class is at www.phpclasses.org at link [url=http://www.phpclasses.org/browse/package/2189.html]http://www.phpclasses.org/browse/package/2189.html[/url]
Short description from website:
[quote]This class can filter input of stray or malicious PHP, Javascript or HTML tags and to prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as an HTML code entered in form fields. I have tried to make this class as easy as possible to use. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).
** SQL Injection feature has been added.[/quote]
I have been using this class for some time now, and it is good.
Ronald 8)
Chat Posted August 5, 2006 Author
seems very interesting, but are there no inbuilt php functions to take care of things, without having to include a long script by some unknown author?
ronverdonk Posted August 5, 2006
Security checking is just a lot more than doing a strip_tags! If you don't want to use proven classes, then at least read some articles by authorities on PHP security, like Chris Shiflett. See [url=http://shiflett.org/articles/security-corner-dec2004]http://shiflett.org/articles/security-corner-dec2004[/url]
Chat Posted August 5, 2006 Author
this (official?) link says i should not use strip_tags! it's very confusing. where are all the straightforward examples?
http://talks.php.net/show/vrana-security/2
ronverdonk Posted August 5, 2006
I don't know about straight examples, but I suggest the book "Essential PHP Security" by (you got it) Chris Shiflett, published by O'Reilly.