KevinM1 Posted March 12, 2007 Share Posted March 12, 2007 My website -- a simple online store -- uses values passed by the GET method for navigation. So, there is just one script that shows every sub-category of merchandise, with each category being passed along as the GET value in the URL. For security reasons, I've created a sort of whitelist (as opposed to a blacklist) of approved values. My function is basically this (values changed to protect the security of my site): <?php function isSafe($getInfo){ if(preg_match("/^(desktops)|(laptops)|(accessories)$/i", $getInfo)){ return TRUE; } else{ return FALSE; } } ?> Unfortunately, I just found out through testing something else that this isn't as safe as I'd like it to be. In my case, I found out that something like 'gaming_accessories' is treated as if it was just 'accessories', so the script was able to execute, even though it returned no values for that category because the category is empty. Any ideas on how I can have strict enforcement of my category values? Quote Link to comment https://forums.phpfreaks.com/topic/42375-filtering-get-values/ Share on other sites More sharing options...
obsidian Posted March 12, 2007 Share Posted March 12, 2007 Unfortunately, I just found out through testing something else that this isn't as safe as I'd like it to be. In my case, I found out that something like 'gaming_accessories' is treated as if it was just 'accessories' I've seen some shopping cart functions that do like to allow for parent and sub categories to be passed as one argument, simply separated by an underscore for separation later. The issue then arises that you may need to run some checks before the shopping cart script ever begins parsing the URL itself. Something as simple as setting up an array of all possible value or a switch statement should suffice for exact matching rather than having to break out the regexp matching in this case. Quote Link to comment https://forums.phpfreaks.com/topic/42375-filtering-get-values/#findComment-205556 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.