
securing $_GET variables


Reaper0167


I found this little snippet online. Is this a safe way to keep others from messing with my url variables?

 

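<?php
// Names of the query-string parameters this page accepts.
$allow = array('pageid', 'sectionid', 'articleid');

// Check every parameter name in the request against the whitelist.
foreach($_GET as $key => $value)
{
    $valid = false;
    foreach($allow as $key_allow => $value_allow)
    { 
        // Strict comparison: before PHP 8 a numeric key such as ?0=x
        // compares loosely equal (==) to any non-numeric string.
        if($key===$value_allow)
        {
            $valid = true;
        }
    }

    // Any parameter name not on the whitelist sends the visitor to the error page.
    if($valid==false)
    {
        header('location:errorpage.php');
        exit();
    }
}
?>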


That's fine, yes. It's called a whitelist.  But, you can just make use of in_array to make that more efficient and less long-winded.

 

For one thing, not really sure why you are looping through the $_GET array, as you probably are only passing and using just one, to signify some page id, right? So just refer to it explicitly instead of using a whole foreach loop.  Then you can get rid of the nested foreach loop with that in_array so overall you'd just have this:

 

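$allow = array('pageid', 'sectionid', 'articleid');

// Reject when the parameter is missing or its value is not on the whitelist.
// The third argument makes in_array() compare strictly (===).
if (!isset($_GET['variable']) || !in_array($_GET['variable'], $allow, true)) {
  header('location:errorpage.php');
  exit();
}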

 

It's in essence the same principle of whitelisting, just written more efficiently.


So by doing something along these lines, I really shouldn't worry too much about hackers coming in to change things up with the GET vars?  I'm not into the PHP hacking stuff, but couldn't someone still change something, or if they were up to something, would their attack script still see that the only variables that were allowed were the ones in the array?


Someone can change your GET vars to whatever they want, but if the value is not in the whitelist, it's invalid, and that's all there is to it. But it obviously depends on what kind of values you are expecting as to the effectiveness of a whitelist.  It is not really efficient or even possible to make an array of "allowed" values if, for instance, the value can be a number.  So you have to just validate it, like anything else.  So in other words, a whitelist is a very effective way to validate some values/situations, but it's just one thing, and it really depends on the situation.


Well, one page grabs the id number of a certain row in the database with $_GET, so that would be a number, and there could be hundreds, maybe thousands of numbers. What would you suggest for a situation like this?  Then the other would be that I use $_GET to retrieve a url variable. And that url could always be different.
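
The two cases raised in the last post (a numeric row id and a URL) are where a list of allowed values stops being practical and the value has to be validated by type and range instead. The following is an added example, not code from any poster in this thread; the function name validate_query, the parameter names section, id and url, and all sample values are assumptions made for illustration.

```php
<?php
// Added example: validates an array shaped like $_GET and returns the
// cleaned values, or null if anything fails. Names are hypothetical.
function validate_query(array $get): ?array
{
    // 1. Small fixed set of values: strict whitelist, as in the thread.
    $sections = ['news', 'forum', 'articles']; // constructed values
    $section = $get['section'] ?? null;
    if (!is_string($section) || !in_array($section, $sections, true)) {
        return null;
    }

    // 2. Database row id: too many values to list, so require a whole
    //    number >= 1. Arrays (?id[]=1) and trailing text are rejected.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 3. URL: must parse as a URL and use http or https.
    $url = filter_var($get['url'] ?? null, FILTER_VALIDATE_URL);
    $scheme = $url === false ? null : parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return null;
    }

    return ['section' => $section, 'id' => $id, 'url' => $url];
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['section' => 'news',  'id' => '42',        'url' => 'https://example.com/a?b=1'],
    ['section' => 'news',  'id' => '42 OR 1=1', 'url' => 'https://example.com/'],
    ['section' => 'admin', 'id' => '42',        'url' => 'https://example.com/'],
    ['section' => 'news',  'id' => ['42'],      'url' => 'https://example.com/'],
    ['section' => 'news',  'id' => '42',        'url' => 'javascript:alert(1)'],
    ['section' => 'news',  'id' => '0',         'url' => 'https://example.com/'],
];

foreach ($samples as $sample) {
    $clean = validate_query($sample);
    echo json_encode($sample), ' => ',
        $clean === null ? 'rejected' : 'accepted', "\n";
}
```

Only the first sample is accepted. Validation narrows what reaches the query; the id should still be bound as a parameter in the database call rather than concatenated into SQL.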
