worried about security with $_GET

hi, I've just created my first truly dynamic site - my site has this code:
[code]// fall back to "blee" when no ?blaa= parameter is present in the URL
$blaa = array_key_exists('blaa', $_GET) ? $_GET['blaa'] : "blee";
echo $blaa;[/code]

...you can type ?blaa=abc at the end of a URL to change the echoed word on the site to abc, etc.

I'm very worried about security though. I tried injecting some dodgy code into the URL and found the quotes were automatically backslashed somehow, but my injection skills are not as good as some hackers'. Should I be using some functions to strip bad input? If so, what exactly should I use?

help, please!  :o

If you are only echoing, there's no problem. But if you are using these variables with SQL etc., you should read about SQL injections and how to prevent them.

Orio.

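The SQL side of Orio's answer, as an added example that is not from the thread or from any of its posters. It runs the same lookup twice, once with the GET value pasted into the query text and once through a prepared statement, against an in-memory SQLite database (the pdo_sqlite extension, the `pages` table and its two rows are assumptions made for the demo):

```php
<?php
// Added example, not from the thread. Shows the SQL injection risk that
// arises as soon as a $_GET value is used in a query, and the fix.
// Uses an in-memory SQLite database via PDO (assumes pdo_sqlite) so it
// runs offline; the table and its rows are constructed for the demo.

function setup(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE pages (slug TEXT, body TEXT, published INTEGER)");
    $db->exec("INSERT INTO pages VALUES ('blaa', 'public text', 1)");
    $db->exec("INSERT INTO pages VALUES ('secret', 'unpublished draft', 0)");
    return $db;
}

// VULNERABLE: the GET value is pasted into the SQL text. A quote inside the
// value ends the string literal and whatever follows runs as SQL, so the
// "published = 1" condition can be switched off by the caller.
function find_unsafe(PDO $db, string $slug): array
{
    $sql = "SELECT slug FROM pages WHERE slug = '$slug' AND published = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: a prepared statement sends the SQL and the value separately, so the
// value can only ever be compared as data, quotes, comments and all.
function find_safe(PDO $db, string $slug): array
{
    $stmt = $db->prepare("SELECT slug FROM pages WHERE slug = :slug AND published = 1");
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setup();

// Constructed requests: a normal one, and ?blaa=' OR 1=1 --
// (in the real page this would be $_GET['blaa'] with the "blee" default)
foreach (['blaa', "' OR 1=1 --"] as $input) {
    printf("input %-16s unsafe: [%s]   safe: [%s]\n",
        json_encode($input),
        implode(', ', find_unsafe($db, $input)),
        implode(', ', find_safe($db, $input)));
}
```

For the normal input both functions return the one published row. For the second input the concatenated query returns both rows, including the unpublished one, because the query has become `... WHERE slug = '' OR 1=1 --' AND published = 1`, while the prepared statement returns nothing. The backslashes the original poster noticed are PHP's magic_quotes_gpc, an escaping hack that was removed in PHP 5.4; prepared statements make it irrelevant.
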
[color=red]NEVER, EVER trust data that is coming into your site![/color] GET data is an ideal target for cross-site request forgery and other hacks.

Whether it is a GET or a POST or a file: never trust it! Always know what data you expect, the data type and format and, if possible, the length; and at the very least, always start with an htmlentities().

Ronald  ;D

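What "start with an htmlentities()" buys you, as an added example (not from the thread or from any of its posters): the question's own snippet echoing a GET value straight into the page is a reflected XSS hole, and the fix is to encode for the HTML context at the point of output. The `render_*` function names and the two payloads are constructed for the demo. The `ENT_QUOTES` flag matters: in PHP 5 the default was `ENT_COMPAT`, which leaves single quotes alone; since PHP 8.1 the default includes `ENT_QUOTES`, and passing the flags explicitly removes the dependence on the version.

```php
<?php
// Added example, not from the thread. Shows that "only echoing" a GET value
// is a reflected XSS hole, and the minimal fix: encode for the HTML context
// at the moment the value is written into the page.

// The question's snippet, with the quoting typo fixed so the variable is
// actually echoed. VULNERABLE: the raw value lands in the markup.
function render_unsafe(array $get): string
{
    $blaa = array_key_exists('blaa', $get) ? $get['blaa'] : 'blee';
    return "<p>You asked for: $blaa</p>";
}

// HARDENED: same default, value encoded for HTML text before output.
// ENT_QUOTES encodes both ' and ", so the result is also safe inside a
// quoted attribute; the explicit charset stops PHP from guessing.
function html(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

function render_safe(array $get): string
{
    $blaa = array_key_exists('blaa', $get) ? $get['blaa'] : 'blee';
    return '<p>You asked for: ' . html($blaa) . '</p>';
}

// Same value inside a single-quoted attribute. With ENT_COMPAT (the PHP 5
// default) htmlentities() leaves ' untouched, so the attribute can be broken
// out of; with ENT_QUOTES the quote is encoded and the attribute stays closed.
function render_attr(array $get, int $flags): string
{
    $blaa = array_key_exists('blaa', $get) ? $get['blaa'] : 'blee';
    return "<input name='blaa' value='" . htmlentities($blaa, $flags, 'UTF-8') . "'>";
}

// Constructed attacker requests (what would follow ?blaa= in the URL).
// The script payload contains no quotes, so magic_quotes_gpc would not
// have touched it either.
$script_payload = '<script>alert(document.cookie)</script>';
$attr_payload   = "' onfocus='alert(1)' autofocus='";

echo render_unsafe(['blaa' => $script_payload]), "\n"; // script tag reaches the browser intact
echo render_safe(['blaa' => $script_payload]), "\n";   // angle brackets encoded, shown as text
echo render_attr(['blaa' => $attr_payload], ENT_COMPAT), "\n"; // new attributes injected
echo render_attr(['blaa' => $attr_payload], ENT_QUOTES), "\n"; // stays one value attribute
```

Encode where the value is written into HTML, not where it is read from `$_GET`: the same raw value may later go into SQL, a log line or a URL, and each of those needs its own escaping.
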
thanks guys - so I'll look into htmlentities().

any other things I should be using? even better, an example?  >:(

htmlentities() is only the bare minimum.
It is difficult to give examples, because it all depends on what you expect in your $_GET.
E.g.
[list]
[*]do you expect a number with a minimum/maximum value? Check for numeric content and the range.
[*]do you expect a string of 2 characters? Check for alpha chars, length 2.
[*]do you expect a string with predefined content? Check the content.
[*]do you expect a string of undetermined length? Use a proper validation class that removes all HTML, JavaScript and XSS strings.
[*]etc.
[/list]

Ronald  8)

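Ronald's checklist turned into code, as an added example (not from the thread or from any of its posters): one small validator per kind of expected value, each returning a default when the input does not match, so nothing "cleaned" but unexpected ever gets through. The parameter names and limits (`page`, `lang`, `sort`, `q`) and the sample request are constructed for the demo; for the last case it rejects invalid UTF-8, control characters and over-long strings rather than trying to strip dangerous fragments, and leaves HTML encoding to the output step.

```php
<?php
// Added example, not from the thread. Validates each $_GET parameter against
// what the page expects and falls back to a default otherwise. Parameter
// names, limits and the sample request are assumptions made for the demo.

// A number within a range. filter_var() rejects anything that is not a plain
// integer ("12abc", "1e3", arrays from ?page[]=1) and enforces min/max.
function get_int(array $get, string $key, int $min, int $max, int $default): int
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return $default;
    }
    $v = filter_var($get[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? $default : $v;
}

// Exactly two ASCII letters. \A and \z anchor the whole string, so a
// trailing newline (which $ would tolerate) is rejected too.
function get_alpha2(array $get, string $key, string $default): string
{
    if (isset($get[$key]) && is_string($get[$key])
        && preg_match('/\A[A-Za-z]{2}\z/', $get[$key]) === 1) {
        return strtolower($get[$key]);
    }
    return $default;
}

// Predefined content: strict comparison against an allow-list.
function get_enum(array $get, string $key, array $allowed, string $default): string
{
    return (isset($get[$key]) && in_array($get[$key], $allowed, true)) ? $get[$key] : $default;
}

// Free text of bounded length. The /u modifier makes preg_match() fail on
// invalid UTF-8, the class excludes control characters, and {0,N} counts
// code points. The value is returned raw: encode it when it goes into HTML.
function get_text(array $get, string $key, int $maxlen, string $default = ''): string
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return $default;
    }
    $pattern = '/\A[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]{0,' . $maxlen . '}\z/su';
    return preg_match($pattern, $get[$key]) === 1 ? $get[$key] : $default;
}

// Constructed request mixing acceptable and unacceptable values
$_GET = [
    'page' => '9999',                 // out of range, default applies
    'lang' => 'EN',                   // valid, normalised to lower case
    'sort' => "name'; DROP TABLE x",  // not on the allow-list, default applies
    'q'    => "O'Reilly <b>",         // 12 characters, kept as-is (raw)
];

$page = get_int($_GET, 'page', 1, 500, 1);
$lang = get_alpha2($_GET, 'lang', 'en');
$sort = get_enum($_GET, 'sort', ['name', 'date'], 'date');
$q    = get_text($_GET, 'q', 30);

// Output step: the free-text value is encoded only here, for the HTML context.
printf("page=%d lang=%s sort=%s q=%s\n",
    $page, $lang, $sort, htmlentities($q, ENT_QUOTES, 'UTF-8'));
```

The enum and two-letter cases are the easy ones because the allowed values are known; for the free-text case the poster describes (30 or 15 characters, quotes allowed) the validator only bounds what comes in, and the quotes are harmless as long as every place the value is used (HTML, SQL) escapes it for that context.
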
"do you expect a string of undetermined length? Use a proper validation class that removes all HTML, JavaScript and XSS strings"

yes, I expect strings, sometimes a max of 30 characters, sometimes a max of 15, including alphanumerics and other characters, maybe including quotes...

can anyone recommend a proper validation class or anything else?

thanks for help
;)

I read somewhere that strip_tags was not as safe as a newer alternative. I can't remember what it was or where I heard it.

would you say strip_tags($_GET['value']) in combination with htmlentities($_GET['value']) is safe enough? if so, which should I use first?

A very good input filtering class is at www.phpclasses.org, at this link:
[url=http://www.phpclasses.org/browse/package/2189.html]http://www.phpclasses.org/browse/package/2189.html[/url]

Short description from the website: [quote]This class can filter input of stray or malicious PHP, JavaScript or HTML tags and prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as HTML code entered in form fields.

I have tried to make this class as easy as possible to use. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).

** SQL Injection feature has been added.[/quote]

I have been using this class for some time now, and it is good.

Ronald  8)

seems very interesting, but are there no built-in PHP functions to take care of things, without having to include a long script by some unknown author?

Security checking is a lot more than just doing a strip_tags! If you don't want to use proven classes, then at least read some articles by authorities on PHP security, like Chris Shiflett. See [url=http://shiflett.org/articles/security-corner-dec2004]http://shiflett.org/articles/security-corner-dec2004[/url]

this (official?) link says I should not use strip_tags! it's very confusing. where are all the straightforward examples?

http://talks.php.net/show/vrana-security/2

I don't know about straight examples, but I suggest the book "Essential PHP Security" by (you got it) Chris Shiflett, published by O'Reilly.
