Jump to content

Recommended Posts

My website -- a simple online store -- uses values passed by the GET method for navigation.  So, there is just one script that shows every sub-category of merchandise, with each category being passed along as the GET value in the URL.  For security reasons, I've created a sort of whitelist (as opposed to a blacklist) of approved values.  My function is basically this (values changed to protect the security of my site):

<?php

function isSafe($getInfo){
   if(preg_match("/^(desktops)|(laptops)|(accessories)$/i", $getInfo)){
      return TRUE;
   }

   else{
      return FALSE;
   }
}

?>

 

Unfortunately, I just found out through testing something else that this isn't as safe as I'd like it to be.  In my case, I found out that something like 'gaming_accessories' is treated as if it was just 'accessories', so the script was able to execute, even though it returned no values for that category because the category is empty.  Any ideas on how I can have strict enforcement of my category values?

Link to comment
https://forums.phpfreaks.com/topic/42375-filtering-get-values/
Share on other sites

Unfortunately, I just found out through testing something else that this isn't as safe as I'd like it to be.  In my case, I found out that something like 'gaming_accessories' is treated as if it was just 'accessories'

 

I've seen some shopping cart functions that do like to allow for parent and sub categories to be passed as one argument, simply separated by an underscore for separation later. The issue then arises that you may need to run some checks before the shopping cart script ever begins parsing the URL itself. Something as simple as setting up an array of all possible value or a switch statement should suffice for exact matching rather than having to break out the regexp matching in this case.

Link to comment
https://forums.phpfreaks.com/topic/42375-filtering-get-values/#findComment-205556
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.