worried about security with $_GET


12 replies to this topic

#1 Chat

Chat
  • Members
  • Member
  • 28 posts
  • Location: Birmingham (UK)

Posted 02 August 2006 - 12:35 PM

hi, i've just created my first truly dynamic site - my site has this code:
$blaa = array_key_exists('blaa', $_GET) ? $_GET['blaa'] : "blee"; echo $blaa;

...you can type ?blaa=abc at the end of a url to change the echoed word in the site to abc...etc

i'm very worried about security though. i tried injecting some dodgy code into the url and found the quotes were automatically backslashed somehow, but my injection skills are not as good as some hackers. should i be using some functions to strip bad input? if so, what exactly should i use?

help, please!  :o

#2 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 02 August 2006 - 12:50 PM

If you are only echoing, there's no problem. But if you are using these variables with SQL etc., you should read about SQL injections and how to prevent them.

Orio.
Think you're smarty?

(Gone until 20 to November)

#3 ronverdonk

ronverdonk
  • Members
  • Advanced Member
  • 277 posts
  • Location: Netherlands

Posted 02 August 2006 - 01:38 PM

NEVER, EVER trust data that is coming into your site! GET data is an ideal target for Cross Site Forgery Requests and other hacks.

Whether it is a GET or a POST or a file: never trust it! Always know what data you expect, the data type and format, if possible: the length and, at least, always start with an htmlentities().

Ronald  ;D
RTFM is an almost extinct art form, it should be subsidized.

#4 Chat

Chat
  • Members
  • Member
  • 28 posts
  • Location: Birmingham (UK)

Posted 02 August 2006 - 03:26 PM

thanks guys - so i'll look into htmlentities().

any other things i should be using? even better, an example?  >:(

#5 ronverdonk

ronverdonk
  • Members
  • Advanced Member
  • 277 posts
  • Location: Netherlands

Posted 02 August 2006 - 03:49 PM

htmlentities is only the bare minimum.
It is difficult to give examples, because it all depends on what you expect in your $_GET.
E.g.
  • do you expect a number with a minimum/maximum value? Check numeric content and values.
  • do you expect a string of 2 characters? Check alpha chars, length 2
  • do you expect a string with predefined content? Check content.
  • do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings
  • etc.

Ronald  8)
RTFM is an almost extinct art form, it should be subsidized.

#6 Chat

Chat
  • Members
  • Member
  • 28 posts
  • Location: Birmingham (UK)

Posted 03 August 2006 - 09:33 AM

"do you expect a string of undetermined length? Use a proper validation class that removes all html, javascript and XSS strings"

yes, i expect strings, sometimes max of 30 characters, sometimes max of 15, including alphanumerics and other characters, maybe including quotes...

can anyone recommend a proper validation class or anything else?

thanks for help
;)

#7 PakiGangsta

PakiGangsta
  • Members
  • Member
  • 28 posts

Posted 03 August 2006 - 09:34 AM

you can use strip_tags($_GET['value']);
The one and only KingBowser :).

#8 Chat

Chat
  • Members
  • Member
  • 28 posts
  • Location: Birmingham (UK)

Posted 03 August 2006 - 09:47 AM

i read somewhere that strip_tags was not as safe as a newer alternative. i can't remember what it was or where i heard it.

would you say strip_tags($_GET['value']) in combination with htmlentities($_GET['value']) is safe enough? if so, which should i use first?
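The question above (strip_tags() together with htmlentities(), and in which order) is about two different jobs. The following is an added example written for this thread, not code posted by any participant: it runs both functions over one constructed input and shows that the escaping step (htmlspecialchars(), the narrower relative of htmlentities()) is what keeps user text from being read as markup, in element content and in attribute values alike, while strip_tags() only deletes tags and leaves quotes untouched. The helper name h() and the input string are made up for the example.

```php
<?php
// Added example (not from the thread): what strip_tags() and
// htmlspecialchars() each do to the same input, and which one actually
// protects an HTML page when a $_GET value is echoed into it.

// Constructed sample input, standing in for $_GET['blaa'].
$input = 'Tom "The Cat" O\'Neil <b>rocks</b> 5 < 6';

// strip_tags() removes markup such as <b>...</b> but leaves the quotes
// and any '<' that does not look like a tag in place. It changes the
// data, and it does nothing about characters that matter in attributes.
$stripped = strip_tags($input);

// htmlspecialchars() leaves the data intact and turns every character
// with meaning to the HTML parser into an entity. ENT_QUOTES also escapes
// single quotes, which matters inside single-quoted attributes.
$escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

// Output helper (hypothetical name): escape once, at the point of
// output, in the character set of the page.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "strip_tags:       $stripped\n";
echo "htmlspecialchars: $escaped\n\n";

// Element content: escaping alone renders the input as literal text,
// tags included, so nothing the visitor typed is interpreted as HTML.
echo '<p>' . h($input) . "</p>\n";

// Attribute value: here the quotes are the characters that could end the
// attribute early. strip_tags() leaves them; h() neutralises them.
echo '<input type="text" name="blaa" value="' . h($input) . '">' . "\n";

// If the application genuinely wants to drop markup rather than display
// it literally, strip on the way in and still escape on the way out.
// So the order is: strip_tags (input cleanup) -> htmlspecialchars (output).
echo '<p>' . h(strip_tags($input)) . "</p>\n";
```

Run it from the command line with php and compare the two printed strings: the stripped one still contains the quotes, the escaped one contains no raw `<`, `>`, `"` or `'` at all. Escaping is therefore the step that is never optional when echoing; stripping is a content decision, not a security boundary.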

#9 ronverdonk

ronverdonk
  • Members
  • Advanced Member
  • 277 posts
  • Location: Netherlands

Posted 03 August 2006 - 03:46 PM

A very good input filtering class is at www.phpclasses.org at link
http://www.phpclasse...ckage/2189.html

Short description from website:

This class can filter input of stray or malicious PHP, Javascript or HTML tags and prevent cross-site scripting (XSS) attacks. It should be used to filter input supplied by the user, such as HTML code entered in form fields.

I have tried to make this class as easy as possible to use. You have control over the filter process unlike other alternatives, and can input a string or an entire array to be cleaned (such as $_POST).

** SQL Injection feature has been added.


I have been using this class for some time now, and it is good.

Ronald  8)


RTFM is an almost extinct art form, it should be subsidized.

#10 Chat

Chat
  • Members
  • Member
  • 28 posts
  • Location: Birmingham (UK)

Posted 05 August 2006 - 08:44 AM

seems very interesting, but are there no inbuilt php functions to take care of things, without having to include a long script by some unknown author?

#11 ronverdonk

ronverdonk
  • Members
  • Advanced Member
  • 277 posts
  • Location: Netherlands

Posted 05 August 2006 - 09:05 AM

Security checking is just a lot more than doing a strip_tags! If you don't want to use proven classes, then at least read some articles by authorities on PHP security, like Chris Shiflett. See http://shiflett.org/...-corner-dec2004

RTFM is an almost extinct art form, it should be subsidized.
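Post #5 lists validation by expected type (a number in a range, a fixed-length alphabetic string, a value from a known set, free text of bounded length) and post #10 asks whether built-in PHP functions can do this without a third-party class. The example below is added here and was not posted by anyone in the thread; it expresses those four rules with PHP's own filter extension (filter_var(), available since PHP 5.2) plus ctype and strlen checks, and escapes at output time. The parameter names page, code, sort and blaa, the limits, and the sample request are all made up for the example; it assumes PHP 7.1 or later for the type declarations.

```php
<?php
// Added example (not from the thread): validating $_GET by what each
// parameter is expected to hold, using built-in functions only.
// Parameter names and limits are invented for the example.

// Constructed request standing in for $_GET; real code passes $_GET.
$get = [
    'page' => '7',
    'code' => 'GB',
    'sort' => 'name',
    'blaa' => 'hello <b>world</b>',
];

// 1. A number with a minimum and maximum: FILTER_VALIDATE_INT returns
//    false for anything that is not an integer inside the bounds
//    (including arrays, which $_GET can carry via ?page[]=1).
function get_page(array $src): int {
    $v = filter_var($src['page'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 500]]);
    return $v === false ? 1 : $v;   // fall back to a safe default
}

// 2. Exactly two alphabetic characters.
function get_code(array $src): ?string {
    $v = $src['code'] ?? '';
    return (is_string($v) && strlen($v) === 2 && ctype_alpha($v)) ? $v : null;
}

// 3. One of a fixed set of values: test membership with a strict
//    comparison and use the known value, never the raw string.
function get_sort(array $src): string {
    $allowed = ['name', 'date', 'size'];
    $v = $src['sort'] ?? '';
    return in_array($v, $allowed, true) ? $v : 'name';
}

// 4. Free text of bounded length: reject non-strings, over-long values
//    and control characters here. Markup is not stripped on the way in;
//    it is made harmless by escaping at output time.
function get_blaa(array $src, int $max = 30): string {
    $v = $src['blaa'] ?? 'blee';
    if (!is_string($v) || strlen($v) > $max) {
        return 'blee';
    }
    // FILTER_VALIDATE_REGEXP: printable characters only.
    $ok = filter_var($v, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/\A[[:print:]]*\z/']]);
    return $ok === false ? 'blee' : $v;
}

$page = get_page($get);
$code = get_code($get);
$sort = get_sort($get);
$blaa = get_blaa($get);

// Output: $page and $sort are known-safe values by construction; the
// strings that came from the visitor are escaped for the HTML context.
echo '<p>Page ' . $page
   . ', code ' . htmlspecialchars((string) $code, ENT_QUOTES, 'UTF-8')
   . ', sorted by ' . $sort . "</p>\n";
echo '<p>' . htmlspecialchars($blaa, ENT_QUOTES, 'UTF-8') . "</p>\n";
```

Each function returns either a value that satisfies its rule or a fixed default, so nothing downstream ever sees the raw parameter. Replace the constructed $get with $_GET to use it in a page; the same shape works for $_POST, since the checks do not depend on where the data came from.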

#12 Chat

Chat
  • Members
  • Member
  • 28 posts
  • Location: Birmingham (UK)

Posted 05 August 2006 - 09:20 AM

this (official?) link says i should not use strip_tags! it's very confusing. where are all the straightforward examples?

http://talks.php.net...rana-security/2

#13 ronverdonk

ronverdonk
  • Members
  • Advanced Member
  • 277 posts
  • Location: Netherlands

Posted 05 August 2006 - 09:27 AM

I don't know about straight examples, but I suggest the book "Essential PHP Security" by (you got it) Chris Shiflett, published by O'Reilly.

RTFM is an almost extinct art form, it should be subsidized.



