[SOLVED] GET function


SirChick

Hey guys, quick Q,

Say I have a URL like this:

<a href="mycarinfo.php?carinfo=';Echo$CarID;Echo'">

And so the CarID is the variable being passed across. How do I get that $CarID value from it? Is it:

$CarID = $_GET['carinfo']; ?

 

That URL makes no sense. But yes, it would be contained within the $_GET['carinfo'] variable.


The one you showed us was:

mycarinfo.php?carinfo=';Echo$CarID;Echo

No ' or ; can be in the URL... and I don't think a dollar sign is a smart thing to do.

Precisely. It's more the random 'Echo' bits that confused me..

But the one above this post is correct, but exploitable. :)
All GETs are exploitable. You just need to put some security checks in place when you read the data from them. Such as

is_numeric($_GET['carinfo'])

would ensure that it is a number and contains no letters, spaces, symbols, etc.


No, GET can contain just about any character. I was just giving an example of how to check the variable.

Let's say you only wanted $_GET['carinfo'] to be numerical, then you could use something like:

if(is_numeric($_GET['carinfo'])){
    echo 'it is a number';
}else{
    echo 'it is not a number';
}

to ensure that it doesn't contain anything but numbers.

 

There are plenty of other security checks you can do, such as querying it against a database to see if it exists.. something like:

"SELECT * FROM `cars` WHERE `carinfo` = '" . mysql_real_escape_string($_GET['carinfo']) . "' LIMIT 1";

just an example.


I put something like this, but say the user edited the URL from '1' to a '2' in the number: rather than my header kicking in, it seems to just show a white page of nothingness =/

 

$CarID = $_GET['carinfo'];


$Validation = mysql_query("SELECT * FROM cars WHERE CarID='$CarID' AND UserID={$_SESSION['Current_User']}");

If (mysql_num_rows($Validation) == 0){
Header ("mygarage.php");
}Else{
include("londonpagesinclude.php");
Echo ' success';
}


That's not a problem of GET, it's a problem with the logic you used to build your script. GET, for the very reason you stated, is potentially dangerous because users can change its value in the URL. Since PHP is often used in conjunction with a database, these changes of input could lead to a user (intentionally or not) hijacking your database. Because of that, you need to validate that what you're GETting is legit, and turn away all other invalid inputs.

 

In your example, it seems that you only want to accept a carInfo value of 1. So, you'd do something along the lines of:

<?php

// array keys are case-sensitive: the URL parameter is 'carinfo'
$carInfo = $_GET['carinfo'];

if(is_numeric($carInfo) && $carInfo == 1){
  //access the database and proceed as normal
}
else{
   //bad input, turn away user
   header('Location: denied.php'); //access denied site
   exit; //stop the script so nothing else runs after the redirect
}

?>


GET may not be one, it could be any number...

'cos it goes by ID, the car ID could be anything that is in the table...

So to physically hard-code 1 would mean all the other car IDs would never work.

With this:

If the URL was changed to make GET become "cheeese" then the query below won't work and so it would go to the header, so the URL change will only change if the car does exist and that the user owns that car...

$Validation = mysql_query("SELECT * FROM cars WHERE CarID='$CarID' AND UserID={$_SESSION['Current_User']}");

If the car ID that comes from the GET is owned by the user viewing the page then it is perfectly fine to change the URL to that number. However, if they did not own the car then the AND UserID would be different and so it would not find the row, because the car doesn't belong to Current_User. So that was why I had a num rows, but it didn't work =/

You get me?


try this:

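<?php
$CarID = $_GET['carinfo'];

// variable names are case-sensitive: test $CarID, not $carID
if(is_numeric($CarID)){
	// call the escape function outside the quotes; inside a string it is just text
	$Validation = mysql_query("SELECT * FROM `cars` WHERE `CarID`='" . mysql_real_escape_string($CarID) . "' AND UserID={$_SESSION['Current_User']}") or die(mysql_error());

	if (mysql_num_rows($Validation) == 0){
		// a redirect needs the Location: prefix, then stop the script
		header("Location: mygarage.php");
		exit;
	}else{
		include("londonpagesinclude.php");
		echo ' success';
	}
}else{
	echo 'not numeric';
}
?>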


By removing that, you open yourself up to SQL injections.

 

Try to change the variable before the sql_query like:


$carID = mysql_real_escape_string($CarID);

echo $carID; //just to make sure it looks ok, remove for production

if(is_numeric($carID)){
	// use the escaped $carID here, not the raw $CarID
	$Validation = mysql_query("SELECT * FROM `cars` WHERE `CarID`='$carID' AND UserID={$_SESSION['Current_User']}") or die(mysql_error());
	// ... rest of the block as in the previous post ...
}

 

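An added example, not part of any post in this thread: the ownership check the thread works towards, written with PDO prepared statements instead of the mysql_* functions (which were removed in PHP 7). The cars table and its CarID/UserID columns follow the thread; the in-memory SQLite database, the sample rows and the function names makeDemoDb and findOwnedCar are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: cars 1 and 3 belong to user 10, car 2 to user 20.
function makeDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cars (CarID INTEGER PRIMARY KEY, UserID INTEGER, Name TEXT)');
    $db->exec("INSERT INTO cars VALUES (1, 10, 'Mini'), (2, 20, 'Golf'), (3, 10, 'Civic')");
    return $db;
}

// Returns the car row only if $rawId is a positive integer AND the row
// belongs to $userId; returns null for anything else.
function findOwnedCar(PDO $db, $rawId, int $userId): ?array
{
    // is_numeric() also accepts "1.5" and "1e3"; FILTER_VALIDATE_INT does not.
    $carId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($carId === false) {
        return null;
    }
    // Bound parameters keep both values out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT CarID, Name FROM cars WHERE CarID = :car AND UserID = :user LIMIT 1'
    );
    $stmt->execute([':car' => $carId, ':user' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDemoDb();
$currentUser = 10; // stands in for $_SESSION['Current_User']

// Constructed inputs standing in for $_GET['carinfo'] (null = parameter missing).
foreach (['1', '2', 'cheeese', '1e3', "1' OR '1'='1", null] as $raw) {
    $car = findOwnedCar($db, $raw, $currentUser);
    $action = $car ? "show {$car['Name']}" : 'redirect to mygarage.php';
    printf("%-18s => %s\n", var_export($raw, true), $action);
}

// In the real page the failure branch would be:
//   header('Location: mygarage.php');
//   exit;
```

Only '1' reaches the page for user 10; car 2 exists but belongs to another user, so it is treated exactly like the malformed values.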