worried about security with $_GET


Chat

Recommended Posts

hi, I've just created my first truly dynamic site - my site has this code: [code]$blaa = array_key_exists('blaa', $_GET) ? $_GET['blaa'] : "blee"; echo $blaa;[/code]

...you can type ?blaa=abc at the end of a url to change the echoed word in the site to abc...etc

I'm very worried about security though. I tried injecting some dodgy code into the url and found the quotes were automatically backslashed somehow, but my injection skills are not as good as some hackers'. should I be using some functions to strip bad input? if so, what exactly should I use?

help, please!  :o

[color=red]NEVER, EVER trust data that is coming into your site![/color] GET data is an ideal target for Cross-Site Request Forgery and other hacks.

Whether it is a GET or a POST or a file: never trust it! Always know what data you expect, the data type and format, if possible: the length and, at least, always start with an htmlentities().

Ronald  ;D

htmlentities is only the bare minimum.
It is difficult to give examples, because it all depends on what you expect in your $_GET.
E.g.
[list]
[*]do you expect a number with a minimum/maximum value? Check numeric content and values.
[*]do you expect a string of 2 characters? Check alpha chars, length 2.
[*]do you expect a string with predefined content? Check content.
[*]do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings.
[*]etc.
[/list]

Ronald  8)
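One way to apply that list in PHP, as an added example that is not from the thread or from Ronald's post: each expectation becomes a small function that returns a safe default when the value does not match, and whatever survives is still escaped at the moment it is echoed. The function names (getInt, getEnum, getText, h) and the constructed request array standing in for $_GET are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread): validate each $_GET value against what
// the page expects before using it, then escape it on output.
// Function and parameter names are assumptions for illustration.

declare(strict_types=1);

// Expect an integer within a range; anything else falls back to $default.
// The is_string check matters: ?page[]=1 makes $_GET['page'] an array.
function getInt(array $src, string $key, int $min, int $max, int $default): int
{
    if (!array_key_exists($key, $src) || !is_string($src[$key])) {
        return $default;
    }
    // FILTER_VALIDATE_INT rejects "12abc", " 12", "0x1A" and out-of-range values.
    $v = filter_var($src[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? $default : $v;
}

// Expect one value from a fixed list (e.g. a language code or a page name).
function getEnum(array $src, string $key, array $allowed, string $default): string
{
    $v = $src[$key] ?? null;
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : $default;
}

// Expect a short text: only the listed characters, bounded length (in bytes).
function getText(array $src, string $key, int $maxLen, string $default): string
{
    $v = $src[$key] ?? null;
    if (!is_string($v) || $v === '' || strlen($v) > $maxLen) {
        return $default;
    }
    // Allow letters, digits, space and a few punctuation marks, quotes included;
    // everything else (NUL bytes, < and >, control characters) is rejected.
    return preg_match('/\A[A-Za-z0-9 .,!?\'-]+\z/', $v) === 1 ? $v : $default;
}

// Escape for an HTML text or attribute context. ENT_QUOTES also converts the
// single quote; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request used instead of the live $_GET so this runs offline.
$get = [
    'page'  => '7abc',                        // not an integer: falls back to the default
    'lang'  => 'fr',                          // on the allow-list: accepted
    'blaa'  => '<script>alert(1)</script>',  // fails the character allow-list: default
    'title' => "it's a test, isn't it?",      // accepted; the quotes are escaped on output
];

$page  = getInt($get, 'page', 1, 500, 1);
$lang  = getEnum($get, 'lang', ['en', 'fr', 'de'], 'en');
$blaa  = getText($get, 'blaa', 30, 'blee');
$title = getText($get, 'title', 30, 'untitled');

// Even validated values go through h() when they land in HTML.
echo 'page=', $page, ' lang=', h($lang), "\n";
echo 'blaa=', h($blaa), "\n";
echo 'title=', h($title), "\n";
```

The point of the split is that validation decides what the page will work with, while escaping decides how it is written into the HTML; neither replaces the other, and the default-on-failure style means a bad parameter never reaches the rest of the script at all.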

"do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings"

yes, I expect strings, sometimes max of 30 characters, sometimes max of 15, including alphanumerics and other characters, maybe including quotes...

can anyone recommend a proper validation class or anything else?

thanks for help
;)

I read somewhere that strip_tags was not as safe as a newer alternative. I can't remember what it was or where I heard it.

would you say strip_tags($_GET['value']) in combination with htmlentities($_GET['value']) is safe enough? if so, which should I use first?
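An added example, not from the thread, that makes the strip_tags()/htmlentities() ordering question concrete by running both over a few constructed inputs. escapeHtml and stripThenEscape are names assumed here for the illustration, not PHP functions; the input strings are constructed.

```php
<?php
// Added example (not from the thread): how strip_tags() and htmlentities()
// each change a few constructed inputs, and why the escaping step is the one
// that protects the page. Function names are assumptions for illustration.

declare(strict_types=1);

// Escape for an HTML text or attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function escapeHtml(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Strip first, then escape. The other order is harmless but pointless: after
// htmlentities() there is no '<' left for strip_tags() to find.
function stripThenEscape(string $raw): string
{
    return escapeHtml(strip_tags($raw));
}

// Constructed inputs: what a ?blaa=... parameter might carry.
$inputs = [
    'plain'    => 'hello world',
    'markup'   => '<b>bold</b> and <i>italic</i>',
    'script'   => '<script>alert("x")</script>',
    'unclosed' => '<img src=x onerror=alert(1)',
    'compare'  => 'price <100 and >50',
    'encoded'  => '&lt;script&gt; typed by the user',
];

foreach ($inputs as $name => $raw) {
    printf("%-9s raw:          %s\n", $name, $raw);
    printf("%-9s strip_tags:   %s\n", '', strip_tags($raw));
    printf("%-9s htmlentities: %s\n", '', escapeHtml($raw));
    printf("%-9s strip+escape: %s\n\n", '', stripThenEscape($raw));
}

// What the output makes visible:
// - htmlentities() alone turns every input into inert text: the browser shows
//   the characters instead of interpreting them, for 'script' and 'unclosed' too.
// - strip_tags() deletes text, it does not neutralise it: 'compare' loses
//   everything from '<' to '>', and 'unclosed' is cut off at the '<' because
//   the tag never closes. It changes what the reader sees, not whether the
//   page is safe.
// - 'encoded' is double-encoded by htmlentities() (double_encode defaults to
//   true), so the reader sees the literal text &lt;script&gt; that was typed.
```

In practice the escaping call belongs at the point of output, once per place the value is written into HTML, and strip_tags() is a presentation choice (do you want the reader to see the angle brackets or not) rather than a security control.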

A very good input filtering class is at www.phpclasses.org at link
[url=http://www.phpclasses.org/browse/package/2189.html]http://www.phpclasses.org/browse/package/2189.html[/url]

Short description from website: [quote]This class can filter input of stray or malicious PHP, Javascript or HTML tags and to prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as an HTML code entered in form fields.

I have tried to make this class as easy as possible to use. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).

** SQL Injection feature has been added.[/quote]

I have been using this class for some time now, and it is good.

Ronald  8)


Security checking is just a lot more than doing a strip_tags! If you don't want to use proven classes, then at least read some articles by authorities on PHP security, like Chris Shiflett. See [url=http://shiflett.org/articles/security-corner-dec2004]http://shiflett.org/articles/security-corner-dec2004[/url]