Is this code a security issue

[king.oslo]

Is this code dangerous?

 

Can the user inject dagerous code in the $_GET variable or anything else?

 

<?php

header( 'Location: http://www.example.com/' . $_GET['filename'] );

?>

 

Thank you for your time,

Marius

[premiso]

They can inject code, as far as it being something dangerous it depends on example.com. If their website does not have their get-data filtered. Sure they can inject code and now it looks like your site is trying to exploit the example.com, so they basically get a free probe using your site.

 

I would still filter the GET data just for that reason above, and really it is not too much of an extra step to run strip_tags or use regex to replace certain items. But think about what type of data is going to be in that get getting passed through and filter it to only allow that type (IE if it should be all letters or numbers make sure it is).

[king.oslo]

Thanks,

 

If I strip all non-word characters from $_GET['filename'], would that make it harmless?

 

Thanks,

Marius

[mrMarcus]

if you can strip out all special characters, html tags, etc., then yes, it should be fine.

[king.oslo]

So this should be fine?

 

<?php
$filename = $_GET['filename'];
$filename = preg_replace('~[^0-9a-zA-Z-_]~', '', $filename);
header( 'Location: http://www.example.com/' . $filename );

?>

[mrMarcus]

ya, that looks pretty good.