worried about security with $_GET

[Chat]

hi, i've just turned created my first truely dynamic site - my site has this code: [code]$blaa = array_key_exists('blaa', $_GET) ? $_GET['blaa'] : "blee" ; echo '$blaa' ;[/code]

...you can type ?blaa=abc at the end of a url to change the echoed word in the site to abc...etc

i'm very worried about security though. i tried injecting some dodgy code into the url and found the quotes were automatically backslashed somehow, but my injection skills are not as good as some hackers. should i be using some functions to strip bad input? if so, what exactly should i use?

help, please!  :o

[Orio]

If you are only echoing, there's no problem. But if you are using these variables with SQL etc', you should read about SQL injections and how to prevent them.

Orio.

[ronverdonk]

[color=red]NEVER, EVER trust data that is coming into your site![/color]. Get data is an ideal target for Cross Site Forgery Reqests and other hacks.

Whether it is a GET or a POST or a file: never trust it! Always know what data you expect, the data type and format, if possible: the length and, at least, always start with an htmlentities().

Ronald  ;D

[Chat]

thanks guys - so i'll look into htmlentities().

any other things i should be using? even better, an example?  >:(

[ronverdonk]

htmlentities in only the bare minimum.
It is difficult to give examples, because it all depends on what you expect in your $_GET.
E.g.
[list]
[*]do you expect a number with a minimum/maximum value? Check numeric content and values.
[*]do you expect a string of 2 characters? Check alfa chars length 2
[*]do you expect a string of with predefined content? Check content.
[*]do you expect a string of undermined length. Use a proper validation class that removes all html, javascript and XSS strings
[*]etc.
[/list]

Ronald  8)

[Chat]

"do you expect a string of undermined length. Use a proper validation class that removes all html, javascript and XSS strings"

yes, i expect strings, sometimes max of 30 characters, sometimes max of 15, including alphanumerics and other characters, maybe including quotes...

can anyone recommend a proper validation class or anything else?

thanks for help
;)

[PakiGangsta]

you can strip_tags($_GET['value']);

[Chat]

i read somewhere that strip_tags was not as safe as a newer alternative. i can't remember what it was or where i heard it.

would you say strip_tags($_GET['value']) in combination with htmlentities($_GET['value']) is safe enough? if so, which should i use first?

[ronverdonk]

A very good input filtering class is at www.phpclasses.org at link
[url=http://www.phpclasses.org/browse/package/2189.html]http://www.phpclasses.org/browse/package/2189.html[/url]

Short description from website: [quote]This class can filter input of stray or malicious PHP, Javascript or HTML tags and to prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as an HTML code entered in form fields.

I have tried to make this class as easy as possible to use. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).

** SQL Injection feature has been added.[/quote]

I have been using this class for some time now, and it is good.

Ronald  8)

[Chat]

seems very interesting, but are there no inbuilt php functions to take care of things, without having to include a long script by some unknown author?

[ronverdonk]

Security checking is just a lot more than doing a strip_tags! If you don't want to use proven classes, then at least read some articles by authorities on PHP security, like Chris Shiflett. See [url=http://shiflett.org/articles/security-corner-dec2004]http://shiflett.org/articles/security-corner-dec2004[/url]

[Chat]

this (official?) link says i should not use strip_tags! it's very confusing. where are all the straight forward examples?

http://talks.php.net/show/vrana-security/2

[ronverdonk]

I don't know about straight examples, but I suggest book "Essential PHP Security" by (you got it) Chris Shiflett and published by O'Reilly.