Chat Posted August 2, 2006 (https://forums.phpfreaks.com/topic/16316-worried-about-security-with-_get/)
hi, i've just created my first truly dynamic site - my site has this code:
[code]<?php
// use the 'blaa' query parameter if present, otherwise fall back to "blee"
$blaa = array_key_exists('blaa', $_GET) ? $_GET['blaa'] : "blee";
echo $blaa;
?>[/code]
...you can type ?blaa=abc at the end of a url to change the echoed word in the site to abc... etc. i'm very worried about security though. i tried injecting some dodgy code into the url and found the quotes were automatically backslashed somehow, but my injection skills are not as good as some hackers'. should i be using some functions to strip bad input? if so, what exactly should i use? help, please! :o
Orio Posted August 2, 2006
If you are only echoing, there's no problem. But if you are using these variables with SQL etc., you should read about SQL injections and how to prevent them.
Orio.
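As an added illustration of the SQL case Orio raises (example code written for this page, not from the thread or any poster): the same ?blaa= value used as a lookup key, first spliced into the query text and then passed as a bound parameter. It assumes the pdo_sqlite extension and builds its own in-memory table, so it runs stand-alone.

```php
<?php
// Added example, not code from the thread: the ?blaa= value looked up in a
// database. Assumes the pdo_sqlite extension; the table is constructed in
// memory here so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT NOT NULL)");
$db->exec("INSERT INTO pages VALUES ('blee', 'default page'), ('abc', 'page abc')");

$blaa = (isset($_GET['blaa']) && is_string($_GET['blaa'])) ? $_GET['blaa'] : 'blee';

// Unsafe: the URL value is spliced into the SQL text, so a quote inside it is
// parsed as SQL rather than treated as data. Shown only for contrast, never run.
// $row = $db->query("SELECT body FROM pages WHERE slug = '$blaa'")->fetch();

// Safe: a prepared statement sends the SQL and the value separately; the
// driver treats $blaa purely as a string, whatever characters it contains.
$stmt = $db->prepare('SELECT body FROM pages WHERE slug = :slug');
$stmt->execute([':slug' => $blaa]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Escape for HTML on the way out, as the rest of the thread recommends.
echo $row ? htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') : 'no such page';
```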
ronverdonk Posted August 2, 2006
[color=red]NEVER, EVER trust data that is coming into your site![/color] GET data is an ideal target for Cross-Site Request Forgery and other hacks. Whether it is a GET or a POST or a file: never trust it! Always know what data you expect, the data type and format, if possible the length and, at the very least, always start with an htmlentities().
Ronald ;D
Chat Posted August 2, 2006 (Author)
thanks guys - so i'll look into htmlentities(). any other things i should be using? even better, an example? >:(
ronverdonk Posted August 2, 2006
htmlentities is only the bare minimum. It is difficult to give examples, because it all depends on what you expect in your $_GET. E.g.
[list]
[*]do you expect a number with a minimum/maximum value? Check numeric content and values.
[*]do you expect a string of 2 characters? Check alpha chars, length 2.
[*]do you expect a string with predefined content? Check content.
[*]do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings.
[*]etc.
[/list]
Ronald 8)
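The per-expectation checks in Ronald's list, worked through as one script (added example, not code from the thread or from any class it mentions): a bounded integer, a two-letter code, an allowlisted value, and a bounded free-text field like the OP's, with escaping applied where the value is written into HTML. Parameter names page, lang and sort are assumed for illustration.

```php
<?php
// Added example, not code from the thread. Each $_GET parameter is checked
// against what the page expects, then escaped only when written into HTML.
// Parameter names (page, lang, sort, blaa) are assumed for illustration.

// $_GET values can also be arrays (?x[]=1); treat anything but a string as absent.
function str_param(array $get, string $key): string {
    return (isset($get[$key]) && is_string($get[$key])) ? $get[$key] : '';
}

function validate_get(array $get): array {
    $clean = [];

    // 1. A number with a minimum/maximum: check numeric content and the range.
    $page = filter_var(str_param($get, 'page'), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 500]]);
    $clean['page'] = ($page === false) ? 1 : $page;   // safe default on bad input

    // 2. Exactly two alphabetic characters (e.g. a language code).
    $lang = str_param($get, 'lang');
    $clean['lang'] = preg_match('/^[a-z]{2}$/', $lang) ? $lang : 'en';

    // 3. Predefined content: compare against an allowlist of known-good values.
    $allowed_sort = ['name', 'date', 'size'];
    $sort = str_param($get, 'sort');
    $clean['sort'] = in_array($sort, $allowed_sort, true) ? $sort : 'name';

    // 4. Free text of bounded length (the 15/30-character fields asked about):
    //    enforce the length and drop control characters, but keep quotes and
    //    other characters as data; they are neutralised at output, not here.
    //    substr may split a multibyte character; ENT_SUBSTITUTE below replaces it.
    $blaa = str_param($get, 'blaa');
    $blaa = preg_replace('/[\x00-\x1F\x7F]/', '', $blaa);
    $clean['blaa'] = ($blaa === '') ? 'blee' : substr($blaa, 0, 30);

    return $clean;
}

// Escaping for HTML context: quotes and angle brackets become entities, so the
// value can never close a tag or attribute. ENT_QUOTES covers both " and '.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$in = validate_get($_GET);
echo '<p>' . h($in['blaa']) . '</p>';
echo '<a href="?page=' . $in['page'] . '&amp;sort=' . h($in['sort']) . '">next</a>';
```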
Chat Posted August 3, 2006 (Author)
"do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings"
yes, i expect strings, sometimes max of 30 characters, sometimes max of 15, including alphanumerics and other characters, maybe including quotes... can anyone recommend a proper validation class or anything else?
thanks for the help ;)
PakiGangsta Posted August 3, 2006
you can use strip_tags($_GET['value']);
Chat Posted August 3, 2006 (Author)
i read somewhere that strip_tags was not as safe as a newer alternative. i can't remember what it was or where i heard it. would you say strip_tags($_GET['value']) in combination with htmlentities($_GET['value']) is safe enough? if so, which should i use first?
ronverdonk Posted August 3, 2006
A very good input filtering class is at www.phpclasses.org at link [url=http://www.phpclasses.org/browse/package/2189.html]http://www.phpclasses.org/browse/package/2189.html[/url]
Short description from website:
[quote]This class can filter input of stray or malicious PHP, Javascript or HTML tags and prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as HTML code entered in form fields.
I have tried to make this class as easy as possible to use. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).
** SQL Injection feature has been added.[/quote]
I have been using this class for some time now, and it is good.
Ronald 8)
Chat Posted August 5, 2006 (Author)
seems very interesting, but are there no inbuilt php functions to take care of things, without having to include a long script by some unknown author?
ronverdonk Posted August 5, 2006
Security checking is a lot more than doing a strip_tags! If you don't want to use proven classes, then at least read some articles by authorities on PHP security, like Chris Shiflett. See [url=http://shiflett.org/articles/security-corner-dec2004]http://shiflett.org/articles/security-corner-dec2004[/url]
Chat Posted August 5, 2006 (Author)
this (official?) link says i should not use strip_tags! it's very confusing. where are all the straightforward examples?
http://talks.php.net/show/vrana-security/2
ronverdonk Posted August 5, 2006
I don't know about straightforward examples, but I suggest the book "Essential PHP Security" by (you got it) Chris Shiflett, published by O'Reilly.