cs.punk Posted July 8, 2009 Share Posted July 8, 2009 Am I sill vunreble if I only allow numbers in the gets commands?.. I made it so that if it's not a numerical numbers -> redirect the person to the index page... Quote Link to comment Share on other sites More sharing options...
Philip Posted July 8, 2009 Share Posted July 8, 2009 You're fine as long as you double check to make sure it is just a number, and nothing more. Quote Link to comment Share on other sites More sharing options...
ignace Posted July 8, 2009 Share Posted July 8, 2009 I made it so that if it's not a numerical numbers -> redirect the person to the index page... I don't think you are fully aware of what XSS is (http://en.wikipedia.org/wiki/Cross-site_scripting) plus there are many more vulnerabilities to which you have to protect not only your scripts but even your server(s) Quote Link to comment Share on other sites More sharing options...
cs.punk Posted July 8, 2009 Author Share Posted July 8, 2009 OMG! I am so rude! I asked the question like a moron! I was busy and typing it with my phone... So sorry... To be more specific, what I have is this: filterget.php <?php include "mysqlcon.php"; $con = mysqli_connect("$dbhost", "$dbuser", "$dbpass") or die ("Could not connect to database"); if (isset($_GET)) {foreach($_GET as $var => $value ) {$var = mysqli_real_escape_string($con, strip_tags(trim($value))); //Why I do the 'mysqli_real_escape_string' is really stupid and useless //But I feel it makes the code 'more secure' although it does not...though maybe. if (is_numeric($var)) { } else {header("Location: /index.php"); } } } else {header("Location: /index.php"); } ?> I include this page where ever I need to recieve $_GET varibles.... I made it so that if it's not a numerical numbers -> redirect the person to the index page... I don't think you are fully aware of what XSS is (http://en.wikipedia.org/wiki/Cross-site_scripting) plus there are many more vulnerabilities to which you have to protect not only your scripts but even your server(s) Uhm I am aware that it takes a 'script' from another domain/source... And uhm, I have strip_tags();on all input I recieve mysqli_real_escape; Aswell on all input I recieve I only allow .jpegs to be uploaded... Uhm how more secure can you be? Quote Link to comment Share on other sites More sharing options...
ignace Posted July 9, 2009 Share Posted July 9, 2009 Uhm I am aware that it takes a 'script' from another domain/source... That is correct and this is submitted to your website through a form which is passed through POST stored in the database and viewed by unknown users (if these users are authenticated then it is possible to steal their session to impersonate them, even administratives). Ofcourse if you don't have any form on your website (which is unlikely) you should be safe. So cleaning GET only won't suffice. You don't want visitors to know this.. Use a combination of set_error_handler() and trigger_error() or error_log() These are influenced by the display_errors directive, die() is not. or die ("Could not connect to database"); performing strip_tags() on globals will completly disallow submitting html however it is still possible (i think) if using encoding. This is an example of no proper programming: if (is_numeric($var)) { } else { header("Location: /index.php"); } For readability modify your code to: if (!isset($_GET)) { header("Location: /index.php"); } // no else! continue execution foreach ($_GET .. Quote Link to comment Share on other sites More sharing options...
cs.punk Posted July 11, 2009 Author Share Posted July 11, 2009 performing strip_tags() on globals will completly disallow submitting html however it is still possible (i think) if using encoding. Why would I want HTML in my $_GETS?... example.com/posts/post=<h1>This is stupid</h1> This is an example of no proper programming: if (is_numeric($var)) { } else {header("Location: /index.php"); } No proper programming? The only thing I see fit for passing through GET is IDs of somesort. So the following code, included to a page, will check the value of the GET, if it is something funny like :www.badsite.com/xssattack.php, it will reject it . Quote Link to comment Share on other sites More sharing options...
ignace Posted July 11, 2009 Share Posted July 11, 2009 if (is_numeric($var)) { } else {header("Location: /index.php"); } Yes this is anything but proper programming as this can be better written as: if (!is_numeric($var)) { header('Location: /index.php'); } Quote Link to comment Share on other sites More sharing options...
thebadbad Posted July 11, 2009 Share Posted July 11, 2009 On a side note, you should use ctype_digit() instead of is_numeric(), when checking for numbers only (digits). is_numeric() also allows values like +0123.45e6 and hexadecimal notation. Quote Link to comment Share on other sites More sharing options...
cunoodle2 Posted July 11, 2009 Share Posted July 11, 2009 I would use "intval()" of all values because even if they enter a string of some sort the inval of that is 1. Be carefull though because the intval of NULL is in fact zero. Quote Link to comment Share on other sites More sharing options...
ignace Posted July 11, 2009 Share Posted July 11, 2009 I would use "intval()" of all values because even if they enter a string of some sort the inval of that is 1. Be carefull though because the intval of NULL is in fact zero. That is because NULL points to the the memory address 0x00000000 which if translated from hex to integer is 0 and for boolean is false, .. Or atleast something like that, I can't remember the lessons that well Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.