
checkdate() fooled by ;


rubing

I am trying to use checkdate() to make sure the user entered a valid date instead of something malicious in the URL. In the URL I have the _GET variable:

year='user-selected date'

In my PHP script I have a checkdate() function, which seems to be doing its job, HOWEVER if I place a semicolon at the end of the year in the URL, it sends me to a page with a wrong date of DEC 31st. How do I filter this potentially malicious input? How is checkdate() being overridden?

Link to comment
Share on other sites

You may need to share some code with us. To use checkdate(), you are required to provide a month, day and year. If the user is simply providing a year, you could get by with a much simpler check to see that their provided year contains only digits (or whatever). Then, you can build your dates and possibly use strtotime() for an easier comparison depending on what you are trying to do.

Link to comment
Share on other sites

I know I can validate this input with a regex; however, I am confused why checkdate() wouldn't work here. Basically, a user clicks on a link that uses $_GET in order to send the date. Here is my code (again, it works fine except when I attempt to hack the URL by inserting a semicolon in certain places in the year variable):

$dt = $_GET['year'];
$arr = explode("-", $dt); // split the date string into an array (split() was removed in PHP 7)
$yy = $arr[0]; // first element of the array is the year
$mm = $arr[1]; // second element is the month
$dd = $arr[2]; // third element is the day
if (!checkdate($mm, $dd, $yy)) {
    echo "invalid date";
    exit;
}

Link to comment
Share on other sites

Hard to say why checkdate allows that, but a much easier way to do what you are attempting is as follows. Now, this is assuming, based on your current code, that the year is in YYYY-MM-DD format (or any other human readable format, for that matter):

<?php
$date = isset($_GET['year']) ? $_GET['year'] : ''; // default to an empty string
// Compare with === so that only a real parse failure (false) counts as invalid
if (false === ($ts = strtotime($date)))
{
  // Invalid date provided
}
else
{
  // Good to go!
}
?>

Link to comment
Share on other sites

To clarify:

If the variable is set it will be checked to see if it's a valid date?

So, any input (malicious) other than a date will halt this script?

And I don't really need the else statement there I guess?

Thanks!

Link to comment
Share on other sites
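
Added example (not code from the thread): a strict check for the year parameter, assuming the YYYY-MM-DD format the posts describe. In its default coercive mode PHP reads a leading-numeric string such as "15;" as the integer 15 when it is passed to an int parameter like those of checkdate(), so the whole string is matched against an anchored pattern first; parse_ymd() and the sample inputs are hypothetical.

```php
<?php
/**
 * Hypothetical helper: accept only a strict YYYY-MM-DD string and return it
 * in canonical form, or null when the input is not a real calendar date.
 */
function parse_ymd($raw): ?string
{
    // Missing parameters and arrays (?year[]=x) are rejected outright.
    if (!is_string($raw)) {
        return null;
    }
    // \A and \z anchor the entire string; unlike $, \z does not tolerate a
    // trailing newline, and nothing may follow the day (no ";" or other text).
    if (!preg_match('/\A(\d{4})-(\d{2})-(\d{2})\z/', $raw, $m)) {
        return null;
    }
    // Cast only after the pattern has proven each part is pure digits.
    $yy = (int) $m[1];
    $mm = (int) $m[2];
    $dd = (int) $m[3];
    // checkdate() now decides only whether the calendar date exists.
    if (!checkdate($mm, $dd, $yy)) {
        return null; // e.g. 2023-02-30
    }
    // Rebuild the value from the validated integers so later code never
    // touches the raw request string.
    return sprintf('%04d-%02d-%02d', $yy, $mm, $dd);
}

// Constructed sample inputs, including the trailing-semicolon case from the thread.
$samples = [
    '2008-12-15',     // valid
    '2008-12-15;',    // semicolon after the day
    '2008;-12-15',    // semicolon after the year
    '2023-02-30',     // well-formed but not a real date
    '2008-1-5',       // missing zero padding
    "2008-12-15\n",   // trailing newline
    ['2008-12-15'],   // array instead of string
];
foreach ($samples as $s) {
    printf("%-18s => %s\n", json_encode($s), parse_ymd($s) ?? 'rejected');
}

// In a request handler: $date = parse_ymd($_GET['year'] ?? null);
```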
