$_POST / $_GET security

Guest edwinsweep
Hi everybody.
I have a question for you guys.
Is it safe to implement the $_POST command in my PHP forum?
For example:
[code]
if (isset($_POST['action'])){
    if ($_POST['action'] == "deleterep")
    {
        include ('../dbcon.inc.php');
        // ids are taken straight from the request body
        $news_id = $_POST['news_id'];
        if (isset($_POST['vfi'])){
            $vfi = $_POST['vfi'];
        }
        // $news_id is interpolated directly into the SQL string
        $alfaquery = mysql_query("SELECT alfamsg FROM forumnews WHERE news_ID = '$news_id' ");
        $alfamsg = mysql_fetch_array($alfaquery);
        if ($alfamsg['alfamsg'] == "Yes"){
            echo $alfamsg['alfamsg'].'<br>';
            $vtiquery = mysql_query("SELECT vantopicid FROM forumnews WHERE news_ID = '$news_id' ");
            $vti = mysql_fetch_array($vtiquery);
            echo 'U kunt niet het eerste orginele bericht van een onderwerp verwijderen.<br>U zult het hele onderwerp samen met de berichten van anderen moeten verwijderen!<br>';
            echo '<div align="center"><strong><a href=index.php?showtopic='.$vti['vantopicid'].'&vti='.$vti['vantopicid'].'&vfi='.$vfi.'&'. SID .' ><img src="../pictures/buttons/bluetheme/backblue.gif" border=0></a></strong>';
            die();
        }

        // delete the reply and decrement the forum's reply counter
        mysql_query("DELETE FROM forumnews WHERE news_ID = '$news_id' ") or die(mysql_error());
        mysql_query("UPDATE forums SET nrofreplys = nrofreplys-1 WHERE forum_id = '$vfi' ") or die(mysql_error());
        //echo $msgtext;
        //echo '<br />';
        //echo $msgtitle;

        if (isset($_POST['vti'])){
            $vti = $_POST['vti'];
        }
        // redirect back to the topic; $vti and $vfi are echoed into the URL unvalidated
        header ('Location: index.php?showtopic='.$vti.'&vti='.$vti.'&vfi='.$vfi.'&'. SID .'');
        //header ('Location: index.php?vti='.$vti.'&vfi='.$vfi.'&showtopic='.$vti.'&' . SID . '');
        die();
    }
}
[/code]
If somebody succeeds in sending their own $_POST info to the page,
they could very well delete every message in the forum!
Does anybody know if this is a security risk, and if so, what to do about it?
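A hardened version of the handler in the question, added here as an example (it is not the poster's code). It assumes a mysqli connection `$db` created by `../dbcon.inc.php` (with mysqlnd, for `get_result()`), a session login that stores `$_SESSION['user_id']` and an optional `$_SESSION['is_moderator']` flag, a `forumnews.author_id` column, and a hidden `csrf_token` field in the delete form. None of those are stated in the thread; they are assumptions made for the example. The `SID` constant and the `news_ID`, `vfi` and `alfamsg` names are kept from the original snippet.

```php
<?php
// Added example, not the original poster's code. Assumed: $db (mysqli) from
// ../dbcon.inc.php, $_SESSION['user_id'] / $_SESSION['is_moderator'] set at login,
// a forumnews.author_id column, and a csrf_token hidden field in the delete form.
session_start();
include '../dbcon.inc.php';

function csrf_token(): string {
    // One random token per session; the form embeds it, the handler checks it.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ($_POST['action'] ?? '') !== 'deleterep') {
    fail(400, 'Bad request');
}

// 1. Authentication: anonymous requests may not delete anything.
if (empty($_SESSION['user_id'])) {
    fail(403, 'Not logged in');
}

// 2. CSRF: the request must carry the token issued to this session.
if (!hash_equals(csrf_token(), (string)($_POST['csrf_token'] ?? ''))) {
    fail(403, 'Invalid form token');
}

// 3. Input validation: ids are positive integers, anything else is rejected.
$int_opts = ['options' => ['min_range' => 1]];
$news_id = filter_var($_POST['news_id'] ?? '', FILTER_VALIDATE_INT, $int_opts);
$vfi     = filter_var($_POST['vfi'] ?? '', FILTER_VALIDATE_INT, $int_opts);
if ($news_id === false || $vfi === false) {
    fail(400, 'Invalid id');
}

// 4. Authorization: the row must exist, must not be the topic's first post,
//    and must belong to the current user unless they are a moderator.
$stmt = $db->prepare('SELECT alfamsg, author_id, vantopicid FROM forumnews WHERE news_ID = ?');
$stmt->bind_param('i', $news_id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($row === null) {
    fail(404, 'No such post');
}
if ($row['alfamsg'] === 'Yes') {
    fail(400, 'The first post of a topic cannot be deleted on its own');
}
$is_moderator = !empty($_SESSION['is_moderator']);
if ((int)$row['author_id'] !== (int)$_SESSION['user_id'] && !$is_moderator) {
    fail(403, 'You may only delete your own posts');
}

// 5. The mutation itself: bound parameters instead of string interpolation,
//    and both statements in one transaction so the counter stays consistent.
$db->begin_transaction();
$del = $db->prepare('DELETE FROM forumnews WHERE news_ID = ?');
$del->bind_param('i', $news_id);
$del->execute();
$del->close();

$upd = $db->prepare('UPDATE forums SET nrofreplys = nrofreplys - 1 WHERE forum_id = ?');
$upd->bind_param('i', $vfi);
$upd->execute();
$upd->close();
$db->commit();

// Redirect using the topic id read from the database, not from the form.
$topic = (int)$row['vantopicid'];
header('Location: index.php?showtopic=' . $topic . '&vti=' . $topic . '&vfi=' . $vfi . '&' . SID);
exit;
```

The delete form has to emit the token, e.g. `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">`. One remaining gap worth noting: the forum id whose counter is decremented still comes from the form, because the thread does not show which table links a post to its forum; reading it from the database in step 4, as done for the topic id, would close that as well.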

And it's a good approach to ALWAYS filter the variables, even if they come from hidden fields or the form is restricted to logged-in users only.
For example, if you are expecting a number in variable $id, check that it is a number before using it inside a query:
[code]
if(is_numeric($id))
{
// ok
}
else
{
// fail
}

// or setting the type to integer makes it harmless, returning only numbers

$id = "45678'#--";
settype($id,"integer");
// returning 45678

$id = "45'678";
settype($id,"integer");
// returning 45 as it cuts off at the first non int value
[/code]

For any other string (text or a mix) there are several options for how to do this; here are two of them. Look it up in the [a href="http://www.php.net" target="_blank"]Manual[/a] for descriptions and more optional functions:
[code]
$string = htmlspecialchars($_POST['string']);
$string = strip_tags($_POST['string']);
[/code]

I would never use just $string = $_POST['string'] (or any other Predefined Variable) when working against a database query in particular. You might become a victim of [a href="http://www.unixwiz.net/techtips/sql-injection.html" target="_blank"]SQL injection[/a].

Another issue is CSRF; here is one article on further [a href="http://www.squarefree.com/securitytips/web-developers.html" target="_blank"]security[/a].
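The checks from this reply side by side, run on the reply's own sample values plus a few more, added here as an example (not the poster's code). `id_from_input()`, `settype_int()` and `text_for_html()` are names chosen for this example. It goes a step beyond the reply by contrasting `settype()` with `filter_var(FILTER_VALIDATE_INT)`, which rejects a malformed id instead of silently truncating it, and by showing why `htmlspecialchars()` and `strip_tags()` are HTML output encoders rather than SQL protection.

```php
<?php
// Added example, not the poster's code.

function id_from_input(string $raw): ?int {
    // FILTER_VALIDATE_INT accepts only a whole, in-range integer string.
    // Unlike settype(), it does not truncate "45'678" to 45: it rejects it.
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

function settype_int(string $raw): int {
    // The reply's approach: cast and keep whatever leading digits survive.
    settype($raw, 'integer');
    return $raw;
}

function text_for_html(string $raw): string {
    // Output encoding for an HTML text node or quoted attribute value.
    // ENT_QUOTES is needed so the single quote is encoded as well.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: the two from the reply, then valid, zero,
// negative and trailing-garbage cases.
$samples = ["45678'#--", "45'678", "12", "0", "-3", "12abc"];
foreach ($samples as $s) {
    printf("%-12s is_numeric=%-5s settype=%-6d validate_int=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        settype_int($s),
        var_export(id_from_input($s), true));
}
// Expected rows:
//   '45678\'#--' is_numeric=false settype=45678  validate_int=NULL
//   '45\'678'    is_numeric=false settype=45     validate_int=NULL
//   '12'         is_numeric=true  settype=12     validate_int=12
//   '0'          is_numeric=true  settype=0      validate_int=NULL
//   '-3'         is_numeric=true  settype=-3     validate_int=NULL
//   '12abc'      is_numeric=false settype=12     validate_int=NULL

// Why the two string functions are not SQL protection: they change how text
// renders in a browser, but a query built by concatenation is still built by
// concatenation. strip_tags() leaves the quote untouched entirely.
$name = "O'Brien <b>x</b>";
echo "htmlspecialchars: " . text_for_html($name) . "\n";  // O&#039;Brien &lt;b&gt;x&lt;/b&gt;
echo "strip_tags:       " . strip_tags($name) . "\n";     // O'Brien x

// The database-side answer is a bound parameter (mysqli shown; $db assumed):
//   $stmt = $db->prepare('SELECT news_ID FROM forumnews WHERE author = ?');
//   $stmt->bind_param('s', $name);
//   $stmt->execute();
// The value travels separately from the SQL text, so quotes in it are data.
```

The practical rule that falls out of the table: validate identifiers with `FILTER_VALIDATE_INT` (or `ctype_digit()`) and reject on failure, use prepared statements for every value that reaches a query, and keep `htmlspecialchars()` for the moment the value is written back into a page.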
