worried about security with $_GET


Hi, I've just created my first truly dynamic site. My site has this code: [code]$blaa = array_key_exists('blaa', $_GET) ? $_GET['blaa'] : "blee"; echo $blaa;[/code]

...you can type ?blaa=abc at the end of a URL to change the echoed word in the site to abc, etc.

I'm very worried about security though. I tried injecting some dodgy code into the URL and found the quotes were automatically backslashed somehow, but my injection skills are not as good as some hackers'. Should I be using some functions to strip bad input? If so, what exactly should I use?

Help, please!  :o

[color=red]NEVER, EVER trust data that is coming into your site![/color] GET data is an ideal target for Cross-Site Request Forgery and other hacks.

Whether it is GET or POST or a file: never trust it! Always know what data you expect, the data type and format, if possible the length, and, at the very least, always start with an htmlentities().

Ronald  ;D
htmlentities is only the bare minimum.
It is difficult to give examples, because it all depends on what you expect in your $_GET.
E.g.
[list]
[*]do you expect a number with a minimum/maximum value? Check numeric content and values.
[*]do you expect a string of 2 characters? Check for alpha chars, length 2.
[*]do you expect a string with predefined content? Check the content.
[*]do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings.
[*]etc.
[/list]

Ronald  8)
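An added example (not code from this thread or from either poster) of what the list above means in practice: one small function per kind of expected value, each of which either returns the validated value or rejects the input with null, with the escaping still done at the point of output. The function names, the $request array and its values are all constructed for the example.

```php
<?php
// Added example: validate each value against what the page expects,
// rather than trying to "clean" arbitrary input. All names are constructed.

// Expect an integer within [min, max]; anything else is rejected (null).
function expectIntInRange(array $input, string $key, int $min, int $max): ?int {
    if (!array_key_exists($key, $input)) {
        return null;
    }
    // filter_var returns false for non-integers, arrays, and out-of-range values.
    $value = filter_var($input[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Expect exactly $length ASCII letters, e.g. a two-letter language code.
function expectAlpha(array $input, string $key, int $length): ?string {
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;
    }
    $value = $input[$key];
    return preg_match('/^[A-Za-z]{' . $length . '}$/', $value) === 1 ? $value : null;
}

// Expect one of a fixed set of allowed values (a whitelist), else a safe default.
function expectOneOf(array $input, string $key, array $allowed, string $default): string {
    $value = $input[$key] ?? null;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
}

// Expect free text up to $maxLength bytes: enforce length and reject control
// characters here; quotes and angle brackets are handled by escaping on output.
function expectText(array $input, string $key, int $maxLength): ?string {
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;
    }
    $value = $input[$key];
    if (strlen($value) > $maxLength || preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    return $value;
}

// Constructed request standing in for $_GET; 'limit' and 'country' are bad values.
$request = [
    'page'    => '12',
    'lang'    => 'en',
    'sort'    => 'date',
    'blaa'    => 'hello "world"',
    'limit'   => '9999',
    'country' => '<b>',
];

$page    = expectIntInRange($request, 'page', 1, 100);              // accepted
$limit   = expectIntInRange($request, 'limit', 1, 100);             // rejected: out of range
$lang    = expectAlpha($request, 'lang', 2);                        // accepted
$country = expectAlpha($request, 'country', 2);                     // rejected: not letters
$sort    = expectOneOf($request, 'sort', ['date', 'name'], 'date'); // whitelisted
$blaa    = expectText($request, 'blaa', 30) ?? 'blee';              // accepted, 30-byte limit

// Validated data is still escaped for the context it is written into.
echo htmlspecialchars($blaa, ENT_QUOTES, 'UTF-8'), "\n";
var_dump($page, $limit, $lang, $country, $sort);
```

The point of the split is that the "string of undetermined length" case is the only one where filtering is hard; every other parameter can be checked exactly, and a value that fails the check is dropped or replaced with a default rather than repaired.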
"do you expect a string of undetermined length. Use a proper validation class that removes all html, javascript and XSS strings"

Yes, I expect strings, sometimes a max of 30 characters, sometimes a max of 15, including alphanumerics and other characters, maybe including quotes...

Can anyone recommend a proper validation class or anything else?

Thanks for the help
;)
I read somewhere that strip_tags was not as safe as a newer alternative. I can't remember what it was or where I heard it.

Would you say strip_tags($_GET['value']) in combination with htmlentities($_GET['value']) is safe enough? If so, which should I use first?
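An added example, not posted by anyone in the thread, that runs the two functions asked about side by side over constructed inputs so the difference is visible. The backslashes the original poster noticed come from PHP's magic_quotes_gpc setting (removed in PHP 5.4), not from anything in the script, so they cannot be relied on. The renderWord() function and the $samples array are constructed for this example; they are not the poster's code.

```php
<?php
// Added example: compare strip_tags() with escaping on output. strip_tags()
// removes markup but leaves characters that break out of an HTML attribute;
// htmlspecialchars() with ENT_QUOTES encodes <, >, &, " and ' so the value
// is inert wherever it is written into the HTML.

// Escape a value for insertion into HTML text or a double-quoted attribute.
function escapeHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The fragment from the original post, with the length limit the poster
// mentioned (30 characters) and escaping applied at the point of output.
function renderWord(array $input): string {
    $word = (array_key_exists('blaa', $input) && is_string($input['blaa']))
        ? $input['blaa']
        : 'blee';
    if (strlen($word) > 30) {
        $word = 'blee';
    }
    return '<p title="' . escapeHtml($word) . '">' . escapeHtml($word) . '</p>';
}

// Constructed inputs: legitimate text containing '<', a value with a tag,
// and an attribute breakout that contains no tag at all.
$samples = [
    'x<y',
    'hello <b>world</b>',
    '" onmouseover="alert(1)',
];

foreach ($samples as $raw) {
    echo "raw:              ", $raw, "\n";
    // strip_tags discards everything from an unclosed '<' onward, so it is
    // lossy on legitimate text, and it does nothing to the third sample.
    echo "strip_tags:       ", strip_tags($raw), "\n";
    // htmlspecialchars keeps the text intact and neutralises all three.
    echo "htmlspecialchars: ", escapeHtml($raw), "\n";
    echo "rendered:         ", renderWord(['blaa' => $raw]), "\n\n";
}
```

On the ordering question: if both are used, strip_tags() has to run first, because htmlentities() turns '<' into '&lt;' and leaves strip_tags() nothing to find. For a value that is only ever echoed into HTML, though, escaping on output is the step that actually matters; strip_tags() adds nothing to safety once the output is escaped, and it destroys legitimate text containing '<'.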
A very good input filtering class is at www.phpclasses.org at link
[url=http://www.phpclasses.org/browse/package/2189.html]http://www.phpclasses.org/browse/package/2189.html[/url]

Short description from website: [quote]This class can filter input of stray or malicious PHP, Javascript or HTML tags and to prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as an HTML code entered in form fields.

I have tried to make this class as easy as possible to use. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).

** SQL Injection feature has been added.[/quote]

I have been using this class for some time now, and it is good.

Ronald  8)

Security checking is just a lot more than doing a strip_tags! If you don't want to use proven classes, then at least read some articles by authorities on PHP security, like Chris Shiflett. See [url=http://shiflett.org/articles/security-corner-dec2004]http://shiflett.org/articles/security-corner-dec2004[/url]
