I saw a huge post on here one time, about someone who was hacked and asking for help. After about 20-30 people on the forum examined his code, they discovered a case switch as a vulnerability. I just realized I have used case switch statements (more of as a test) for almost this entire system I have created. In this advertising system, I have most pages with case statements, based on category, sub-category, posts, and various other things, with like a switch case statement, and in between each case, hundreds of lines of programming. Are there any vulnerabilities I should watch out for with case switch statements?
https://forums.phpfreaks.com/topic/21657-security-issue-with-case-switch/

I think the thread you were referring to was the dude who based his includes on a switch with a GET variable.

The solution was to have a predefined array of what was deemed an acceptable value in the variable, and to check the variable against the array, and only include stuff afterwards.

That is, if it's "that thread" I think you're talking about.
I don't think you will have much to worry about, as the two above have pointed out. The important part is where the information that goes into the switch is coming from. Can a user of the webpage alter this information, and if the information is altered, would this matter to what you are doing?

i.e. alter as in $_GET, $_POST, $_COOKIE

Actually, yes they are, but they are post information coming from a GET or POST variable. I have 8 tables:
postset1
postset2
...
postset8
and that postset number is set throughout the site, in URLs and forms, to pass that information along. Like when they can edit or delete posts, it goes to a page with a case switch statement, deciding which post, userid, and postid to pull the post from, then it updates it based on the switch on $postset.

And yes, that was the exact post I was speaking of.

[b]POST MERGED BY WILDTEEN88: Please learn to use the edit button. DO NOT DOUBLE post. Even to bump your thread too! You only bump your thread when it's a couple of hours old.[/b]
You should validate the postset then. Make sure it is a numeric value by using is_numeric and make sure postset doesn't exceed the number 8, like so:
[code=php:0]// Check the value exists, is numeric, and falls in the valid range 1..8;
// cast to int so the comparison is numeric and only the cast value gets used
if(isset($_GET['postset']) && is_numeric($_GET['postset'])
   && (int)$_GET['postset'] >= 1 && (int)$_GET['postset'] <= 8)
{
    $postset = (int)$_GET['postset']; // postset is safe!
}[/code]
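Putting the two pieces of advice in this thread together (an allowlist for whatever a switch on a request parameter selects, and a strict range check on postset before a table name is built from it), as an added example that is not code posted by anyone in the thread; the function names, the page list and the sample inputs are assumptions:

```php
<?php
// Added example: the page-selection and postset checks discussed above.
// Names ($allowedPages, resolve_page, postset_table) are assumed, not from the thread.

// Allowlist of pages a "page" request parameter may select. Anything not
// listed here is rejected before any include() runs.
$allowedPages = ['home', 'browse', 'post', 'edit'];

// Return the include path for a requested page, or null if it is not allowed.
// in_array() with strict=true so that types are not juggled (e.g. "0" vs 0).
function resolve_page($requested, array $allowedPages)
{
    if (!is_string($requested) || !in_array($requested, $allowedPages, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $requested . '.php';
}

// Return the postset table name for an untrusted parameter, or null.
// Only decimal digits are accepted and the integer must be 1..8: no sign,
// whitespace, exponent or hex forms, which is_numeric() alone lets through.
function postset_table($requested)
{
    if (!is_string($requested) || !ctype_digit($requested)) {
        return null;
    }
    $n = (int) $requested;
    if ($n < 1 || $n > 8) {
        return null;
    }
    return 'postset' . $n;   // table name built only from the validated integer
}

// Constructed sample inputs standing in for $_GET['postset'] values.
$samples = ['3', '8', '9', '0', '-1', ' 1', '1e0', '0x1', '1 abc', ''];
foreach ($samples as $s) {
    $t = postset_table($s);
    printf("postset=%-8s -> %s\n", var_export($s, true), $t ?? 'rejected');
}

// Constructed sample inputs standing in for a $_GET['page'] value.
foreach (['edit', 'admin', '../config'] as $p) {
    $path = resolve_page($p, $allowedPages);
    printf("page=%-12s -> %s\n", $p, $path ?? 'rejected');
}
```

Only '3' and '8' map to a table and only 'edit' resolves to a page; every other sample is rejected before it reaches a query or an include.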