
checkdate() fooled by ;


rubing


I am trying to use checkdate() to make sure the user entered a valid date instead of something malicious in the URL. In the URL I have the _GET variable:

year='user-selected date'

In my PHP script I have a checkdate() function, which seems to be doing its job, HOWEVER

if I place a semicolon at the end of the year in the URL, it sends me to a page with a wrong date of DEC 31st. How do I filter this potentially malicious input? How is checkdate() being overridden?

https://forums.phpfreaks.com/topic/93732-checkdate-fooled-by/

You may need to share some code with us. To use checkdate(), you are required to provide a month, day and year. If the user is simply providing a year, you could get by with a much simpler check to see that their provided year contains only digits (or whatever). Then, you can build your dates and possibly use strtotime() for an easier comparison depending on what you are trying to do.

https://forums.phpfreaks.com/topic/93732-checkdate-fooled-by/#findComment-480289

I know I can validate this input with a regex, however I am confused why checkdate() wouldn't work here. Basically a user clicks on a link that uses $_GET in order to send the date. Here is my code (again, it works fine except when I attempt to hack the URL by inserting a semicolon in certain places in the year variable):

<?php
$dt = $_GET['year'];
$arr = explode("-", $dt); // splitting the string on "-" (split() was removed in PHP 7; explode() gives the same result for a literal delimiter)
$yy = $arr[0]; // first element of the array is year
$mm = $arr[1]; // second element is month
$dd = $arr[2]; // third element is date
if (!checkdate($mm, $dd, $yy)) {
    echo "invalid date";
    exit;
}

https://forums.phpfreaks.com/topic/93732-checkdate-fooled-by/#findComment-480315

Hard to say why checkdate allows that, but a much easier way to do what you are attempting is as follows. Now, this is assuming, based on your current code, that the year is in YYYY-MM-DD format (or any other human readable format, for that matter):

<?php
$date = isset($_GET['year']) ? $_GET['year'] : ''; // default to an empty string (strtotime() rejects it; passing NULL is deprecated since PHP 8.1)
if (FALSE === ($ts = strtotime($date))) // strict comparison: strtotime() returns FALSE on failure
{
  // Invalid date provided
}
else
{
  // Good to go!
}
?>

https://forums.phpfreaks.com/topic/93732-checkdate-fooled-by/#findComment-480353
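As an added example that is not code from this thread (the function names are my own), the following shows why checkdate() accepts a year with a trailing semicolon, and a stricter YYYY-MM-DD check that rejects such input before the parts ever reach checkdate():

```php
<?php
// Added example, not code from the thread. Function names are assumed.

// PHP coerces a leading-numeric string such as "2008;" to the integer 2008
// (silently in PHP 5; newer versions raise a notice/warning but still convert).
// checkdate() therefore only ever sees 2008 and reports the date as valid,
// which is why a trailing ";" does not trip the check in the question.
function checkdateWithTrailingJunk(): bool
{
    $year = (int) '2008;';           // explicit cast makes the coercion visible
    return checkdate(12, 31, $year); // the ";" has already been dropped
}

// Stricter validation: the whole value must match YYYY-MM-DD exactly, and only
// then are the numeric parts handed to checkdate(). Returns the parts or null.
// The /D modifier stops "$" from matching before a trailing newline, so a
// value like "2008-12-31\n" (e.g. %0A in a URL) is rejected as well.
function validateYmd(string $input): ?array
{
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/D', $input, $m)) {
        return null;                 // wrong shape, or trailing characters like ";"
    }
    $y  = (int) $m[1];
    $mo = (int) $m[2];
    $d  = (int) $m[3];
    if (!checkdate($mo, $d, $y)) {
        return null;                 // right shape, impossible date (e.g. 2007-02-29)
    }
    return ['year' => $y, 'month' => $mo, 'day' => $d];
}

// Constructed sample inputs, including the semicolon cases from the question.
$samples = ['2008-02-29', '2007-02-29', '2008-12-31;', '2008;-12-31', '2008-1-5'];
foreach ($samples as $s) {
    printf("%-12s -> %s\n", $s, validateYmd($s) === null ? 'rejected' : 'ok');
}
var_dump(checkdateWithTrailingJunk());
```

The same rebuilt parts can then be passed to mktime() or used to build the query, so nothing from the raw $_GET value reaches later code.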

Archived

This topic is now archived and is closed to further replies.
