SirChick Posted November 2, 2007
Hey guys, quick Q. Say I have a URL like this:

<a href="mycarinfo.php?carinfo=';Echo$CarID;Echo'">';

And so the CarID is the variable being passed across. How do I get that $CarID value from it? Is it:

$CarID = $_GET['carinfo'];

?
Link to comment https://forums.phpfreaks.com/topic/75794-solved-get-function/
Dragen Posted November 2, 2007
> Hey guys, quick Q. Say I have a URL like this: <a href="mycarinfo.php?carinfo=';Echo$CarID;Echo'"> And so the CarID is the variable being passed across. How do I get that $CarID value from it? Is it: $CarID = $_GET['carinfo']; ?

That URL makes no sense, but yes, it would be contained within the $_GET['carinfo'] variable.
SirChick Posted November 2, 2007 (Author)
Why would that URL make no sense? It would look like this:

<a href="mycarinfo.php?carinfo=1">
Foser Posted November 2, 2007
The one you showed us was:

mycarinfo.php?carinfo=';Echo$CarID;Echo

No ' or ; can be in the URL... and I don't think a dollar sign is a smart thing to do. But the one above this post is correct, but exploitable.
Dragen Posted November 2, 2007
> The one you showed us was: mycarinfo.php?carinfo=';Echo$CarID;Echo No ' or ; can be in the URL... and I don't think a dollar sign is a smart thing to do.

Precisely. It's more the random 'Echo' bits that confused me.

> But the one above this post is correct, but exploitable.

All GETs are exploitable. You just need to put some security checks in place when you read the data from them. Such as is_num($_GET['carinfo']), which would ensure that it is a number and contains no letters, spaces, symbols etc.
SirChick Posted November 2, 2007 (Author)
Argh, wait, I've used GET for letters in other situations on my site. Should I not have done that?
Dragen Posted November 2, 2007
No, GET can contain just about any character. I was just giving an example of how to check the variable. Let's say you only wanted $_GET['carinfo'] to be numerical, then you could use something like:

if(is_numeric($_GET['carinfo'])){
    echo 'it is a number';
}else{
    echo 'it is not a number';
}

to ensure that it doesn't contain anything but numbers. There are plenty of other security checks you can do, such as querying it against a database to see if it exists. Something like:

"SELECT * FROM `cars` WHERE `carinfo` = '" . mysql_real_escape_string($_GET['carinfo']) . "' LIMIT 1";

Just an example.
SirChick Posted November 2, 2007 (Author)
I put something like this, but say the user edited the URL from '1' to a '2' in the number; rather than my header kicking in, it seems to just show a white page of nothingness =/

$CarID = $_GET['carinfo'];
$Validation = mysql_query("SELECT * FROM cars WHERE CarID='$CarID' AND UserID={$_SESSION['Current_User']}");
If (mysql_num_rows($Validation) == 0){
    Header ("mygarage.php");
}Else{
    include("londonpagesinclude.php");
    Echo ' success';
}
KevinM1 Posted November 2, 2007
> I put something like this, but say the user edited the URL from '1' to a '2' in the number; rather than my header kicking in, it seems to just show a white page of nothingness =/ [code as above]

That's not a problem of GET, it's a problem with the logic you used to build your script. GET, for the very reason you stated, is potentially dangerous because users can change its value in the URL. Since PHP is often used in conjunction with a database, these changes of input could lead to a user (intentionally or not) hijacking your database. Because of that, you need to validate that what you're GETting is legit, and turn away all other invalid inputs. In your example, it seems that you only want to accept a carInfo value of 1. So, you'd do something along the lines of:

<?php
$carInfo = $_GET['carinfo'];   // same parameter name as in the link
if(is_numeric($carInfo) && $carInfo == 1){
    //access the database and proceed as normal
}
else{
    //bad input, turn away user
    header('Location: denied.php'); //access denied page; needs "Location:" to redirect
    exit;
}
?>
SirChick Posted November 2, 2007 (Author)
GET may not be one; it could be any number, 'cos it goes by ID. The car ID could be anything that is in the table, so to physically hard-code 1 would mean all the other car IDs would never work.

With this, if the URL was changed to make GET become "cheeese", then the query below won't work and so it would go to the header, so the URL change will only work if the car does exist and the user owns that car:

$Validation = mysql_query("SELECT * FROM cars WHERE CarID='$CarID' AND UserID={$_SESSION['Current_User']}");

If the car ID that comes from the GET is owned by the user viewing the page, then it is perfectly fine to change the URL to that number. However, if they did not own the car, then the AND UserID would be different and so it would not find the row, because the car doesn't belong to Current_User. So that was why I had a num_rows check, but it didn't work =/ You get me?
Dragen Posted November 2, 2007
Try this:

<?php
$CarID = $_GET['carinfo'];
if(is_numeric($CarID)){   // same variable name as above; PHP variables are case-sensitive
    $Validation = mysql_query("SELECT * FROM `cars` WHERE `CarID`='mysql_real_escape_string($CarID)' AND UserID={$_SESSION['Current_User']}") or die(mysql_error());
    if (mysql_num_rows($Validation) == 0){
        header("Location: mygarage.php");
        echo 'unsuccessful';
    }else{
        include("londonpagesinclude.php");
        echo ' success';
    }
}else{
    echo 'not numeric';
}
?>
SirChick Posted November 2, 2007 (Author)
Shall give it a try now. I don't think the echo after a header is going to be needed, is it?

header("Location: mygarage.php");
echo 'unsuccessful';

It's not working though; it goes to the header every time when it shouldn't.
revraz Posted November 2, 2007
Echo $Validation before the IF statement to see what it contains.
SirChick Posted November 2, 2007 (Author)
Resource id #6

What's that mean?
wildteen88 Posted November 2, 2007
> Resource id #6 What's that mean?

That is the result resource from your query.
SirChick Posted November 2, 2007 (Author)
mysql_real_escape_string($CarID)

This is what was causing the problem. I removed it and it now works.
revraz Posted November 2, 2007
By removing that, you open yourself up to SQL injection. Try to change the variable before the mysql_query, like:

$carID = mysql_real_escape_string($CarID);   // needs an open mysql_connect() connection
echo $carID; //just to make sure it looks ok, remove for production
if(is_numeric($carID)){
    // use the escaped copy ($carID) in the query, not the raw $CarID
    $Validation = mysql_query("SELECT * FROM `cars` WHERE `CarID`='$carID' AND UserID={$_SESSION['Current_User']}") or die(mysql_error());
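As an added example that is not part of the original thread (not the posters' code), here is the same ownership check written the way it would be done today. Three things differ from the thread's versions: the id is validated as a strict positive integer rather than with is_numeric (which also accepts "1.5" and "1e3" and would pass them into the query); the query is a prepared statement, so the value never touches the SQL text and no escaping function is needed; and the redirect sends a real "Location:" header and then stops, which the thread's Header("mygarage.php") did not. The PDO connection details, the Model column, the page names and PHP 8 are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8, a PDO/MySQL
// connection, a `cars` table with CarID, UserID and Model columns, and a
// logged-in user id in $_SESSION['Current_User'] (all assumptions).
declare(strict_types=1);

/**
 * Turn the raw ?carinfo= value into a positive integer, or null if it is not one.
 *
 * A URL-encoded payload such as ?carinfo=1%27%20OR%20%271%27%3D%271 arrives
 * in $_GET already decoded as  1' OR '1'='1 , and ?carinfo[]=1 arrives as an
 * array, so the check must reject anything that is not a plain integer.
 * is_numeric() is too loose here: it accepts "1.5" and "1e3".
 */
function parseCarId(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the car only if it belongs to $userId; null if it does not exist or
 * is owned by someone else. The thread interpolated $CarID into the SQL
 * string; a prepared statement sends the values separately from the query
 * text, so there is nothing to escape.
 */
function findOwnedCar(PDO $db, int $carId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT CarID, UserID, Model FROM cars WHERE CarID = :car AND UserID = :user LIMIT 1'
    );
    $stmt->bindValue(':car', $carId, PDO::PARAM_INT);
    $stmt->bindValue(':user', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Redirect and stop. header("mygarage.php") on its own emits an invalid
 * header and lets the script carry on; a redirect needs "Location:" and exit.
 */
function redirectTo(string $path): void
{
    header('Location: ' . $path, true, 302);
    exit;
}

// ---- request handling ------------------------------------------------------
session_start();

if (!isset($_SESSION['Current_User'])) {
    redirectTo('login.php');          // assumed login page
}
$userId = (int) $_SESSION['Current_User'];

$carId = parseCarId($_GET['carinfo'] ?? null);
if ($carId === null) {
    // "cheeese", "1 OR 1=1", "1e3" and an array value all end up here.
    redirectTo('mygarage.php');
}

// Assumed DSN and credentials. Emulated prepares are switched off so the
// server itself separates the parameters from the query text.
$db = new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$car = findOwnedCar($db, $carId, $userId);
if ($car === null) {
    // Same response whether the car is missing or belongs to another user,
    // so a guessed id does not reveal which ids exist.
    redirectTo('mygarage.php');
}

include 'londonpagesinclude.php';
echo 'success: ', htmlspecialchars($car['Model'], ENT_QUOTES, 'UTF-8');
```

The ownership condition (AND UserID = :user) is what actually stops a user from reading another user's car by editing the number in the URL; the integer check and the prepared statement stop the edited value from changing the meaning of the query. Both are needed: escaping alone, as in the thread's last version, would still let a user view any car id they own a valid session for if the UserID clause were ever dropped.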
SirChick Posted November 3, 2007 (Author)
OK, thank you.