Ninjakreborn Posted September 22, 2006

I saw a huge post on here one time, about someone who was hacked, and asking for help. After about 20-30 people on the forum examined his code, they discovered a case switch as a vulnerability. I just realized I have used case switch statements (more as a test) for almost this entire system I have created. This advertising system, I have most pages with case statements, based on category, sub-category, posts, and various other things, with like a switch case statement, and in between each case, hundreds of lines of programming. Are there any vulnerabilities I should watch out for with case switch statements?

Link to comment: https://forums.phpfreaks.com/topic/21657-security-issue-with-case-switch/

.josh Posted September 22, 2006

I think the thread you were referring to was the dude who based his includes on a switch with a GET variable. The solution was to have a predefined array of what was deemed an acceptable value in the variable, and to check the variable against the array, and only include stuff afterwards.

That is, if it's "that thread" I think you're talking about.

trq Posted September 22, 2006

There is no inherent issue with a switch... after all, it's just a mechanism for making a decision. However, the outcome of those decisions could be considered a security issue if you're not sure what you're doing.

steveclondon Posted September 22, 2006

I don't think you will have much to worry about, as the two above have pointed out. The important part is where the information that goes into the switch is coming from. Can a user of the webpage alter this information, and if the information is altered, would this matter to what you are doing? i.e. alter as in $_GET, $_POST, $_COOKIE

Ninjakreborn Posted September 22, 2006

Actually yes they are, but they are post information coming from a get or post variable. I have 8 tables
postset1
postset2
...
postset8
and that postset number is set throughout the site, in URLs and forms, to pass what information along. Like when they can edit or delete posts, it goes to a page with a case switch statement, deciding which post, userid, and postid to pull the post from, then it updates it based on the switch on $postset

And yes, that was the exact post I was speaking of.

[b]POST MERGED BY WILDTEEN88: Please learn to use the edit button. DO NOT DOUBLE post. Even to bump your thread too! You only bump your thread when it's a couple of hours old[/b]

wildteen88 Posted September 22, 2006

You should validate the postset then. Making sure it is of a numeric value by using is_numeric and making sure postset doesn't exceed the number 8, like so:

[code=php:0]
if (is_numeric($_GET['postset']) && ($_GET['postset'] <= '8'))
{
    // postset is safe!
}
[/code]
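
An added example, not part of the thread or any poster's code: the predefined-array check .josh describes and the postset check wildteen88 suggests, written as two PHP functions. It goes a step further than the posted check by accepting only the integers 1 to 8 (is_numeric also accepts values such as 0, -1 and 1.5); the function names and the PAGES map are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: function names and the PAGES map are hypothetical.

// The thread names eight tables, postset1 ... postset8.
const POSTSET_MIN = 1;
const POSTSET_MAX = 8;

// Hypothetical allowlist: request key => file that may be included.
const PAGES = [
    'home'   => 'pages/home.php',
    'browse' => 'pages/browse.php',
];

/** Table name for a raw postset value, or null when it is not 1..8. */
function postset_table($raw): ?string
{
    // FILTER_VALIDATE_INT rejects "1.5", "1e0", "3abc", arrays and null;
    // the range options reject 0, negatives and anything above 8.
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => POSTSET_MIN, 'max_range' => POSTSET_MAX],
    ]);
    // $n is an int here, so the name is built from a validated number only.
    return $n === false ? null : 'postset' . $n;
}

/** Include path for a raw page key, or null when it is not allowlisted. */
function page_path($raw): ?string
{
    // The request value only selects an entry; it never becomes part of a path.
    if (!is_string($raw) || !array_key_exists($raw, PAGES)) {
        return null;
    }
    return PAGES[$raw];
}

// Constructed sample inputs standing in for $_GET['postset'] and $_GET['page'].
foreach (['3', '8', '0', '9', '-1', '1.5', '1e0', '3abc', ['3'], null] as $raw) {
    printf("postset %-7s => %s\n", json_encode($raw), postset_table($raw) ?? 'rejected');
}
foreach (['home', 'browse', 'HOME', 'home.php', ''] as $raw) {
    printf("page %-10s => %s\n", json_encode($raw), page_path($raw) ?? 'rejected');
}

// In a request handler: stop with a 400 response when either function
// returns null, and run the switch or include only on the returned value.
```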