$_POST / $_GET security



#1 Guest_edwinsweep_* (Guests)

Posted 16 May 2006 - 11:44 AM

Hi everybody.
I have a question for you guys.
Is it safe to implement the $_POST command in my PHP forum?
For example:
if (isset($_POST['action'])) {
    if ($_POST['action'] == "deleterep") {
        include ('../dbcon.inc.php');
        $news_id = $_POST['news_id'];
        if (isset($_POST['vfi'])) {
            $vfi = $_POST['vfi'];
        }
        // Is this the first (original) message of its topic?
        $alfaquery = mysql_query("SELECT alfamsg FROM forumnews WHERE news_ID = '$news_id' ");
        $alfamsg = mysql_fetch_array($alfaquery);
        if ($alfamsg['alfamsg'] == "Yes") {
            echo $alfamsg['alfamsg'].'<br>';
            $vtiquery = mysql_query("SELECT vantopicid FROM forumnews WHERE news_ID = '$news_id' ");
            $vti = mysql_fetch_array($vtiquery);
            echo 'You cannot delete the first, original message of a topic.<br>You would have to delete the whole topic together with the messages of others!<br>';
            echo '<div align="center"><strong><a href=index.php?showtopic='.$vti['vantopicid'].'&vti='.$vti['vantopicid'].'&vfi='.$vfi.'&'. SID .' ><img src="../pictures/buttons/bluetheme/backblue.gif" border=0></a></strong>';
            die();
        }

        // Delete the reply and decrement the forum's reply counter
        mysql_query("DELETE FROM forumnews WHERE news_ID = '$news_id' ") or die(mysql_error());
        mysql_query("UPDATE forums SET nrofreplys = nrofreplys-1 WHERE forum_id = '$vfi' ") or die(mysql_error());
        //echo $msgtext;
        //echo '<br />';
        //echo $msgtitle;

        if (isset($_POST['vti'])) {
            $vti = $_POST['vti'];
        }
        header ('Location: index.php?showtopic='.$vti.'&vti='.$vti.'&vfi='.$vfi.'&'. SID .'');
        //header ('Location: index.php?vti='.$vti.'&vfi='.$vfi.'&showtopic='.$vti.'&' . SID . '');
        die();
    }
}
If somebody succeeds in sending their own $_POST info to the page,
they could very well delete every message in the forum!
Does anybody know if this is a security risk, and if so, what to do about it?

#2 Kris (Staff Alumni, Advanced Member, 2,755 posts, Location: The Internet)

Posted 16 May 2006 - 11:54 AM

You could check that a user with authority is actually logged in before proceeding to delete anything.

#3 alpine (Members, Advanced Member, 756 posts, Location: Norway)

Posted 17 May 2006 - 07:00 AM

And it's a good approach to ALWAYS filter the variables, even if they come from hidden fields or the form is restricted to logged-in users only.
For example, if you are expecting a number in variable $id, check that it is a number before using it inside a query:
if (is_numeric($id)) {
    // ok
} else {
    // fail
}

// or setting the type to integer makes it harmless, keeping only the leading digits

$id = "45678'#--";
settype($id, "integer");
// returns 45678

$id = "45'678";
settype($id, "integer");
// returns 45, as it cuts off at the first non-integer character

For any other string (text or a mix) there are several options on how to do this; here are two of them. Look them up in the Manual (http://www.php.net) for descriptions and more optional functions:
$string = htmlspecialchars($_POST['string']);
$string = strip_tags($_POST['string']);

I would never use just $string = $_POST['string'] (or any other Predefined Variable) when working against a database query in particular. You might become a victim of SQL injection (http://www.unixwiz.net/techtips/sql-injection.html).

Another issue is CSRF; here is one article on further security (http://www.squarefree.com/securitytips/web-developers.html).
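As an added example, not code from the original thread or from either of the repliers, here is the "deleterep" handler from post #1 rewritten to apply both replies at once: Kris's check that an authorised user is logged in before anything is deleted, and alpine's input filtering and SQL-injection and CSRF advice. It swaps the string-built mysql_query() calls for PDO prepared statements and adds a per-session CSRF token; those are the editor's choices, not something the thread prescribes. It assumes (none of this is shown on the page) PHP 7.1 or later, that ../dbcon.inc.php defines a PDO connection in $pdo with exceptions enabled, that the login code stored $_SESSION['user_id'], $_SESSION['is_moderator'] and a random $_SESSION['csrf_token'], and that the delete form carries that token in a hidden field named csrf_token. Table and column names are the ones from the original post.

```php
<?php
// Added example, not code from the original thread. Hardened "deleterep"
// handler. Assumptions not stated in the thread:
//   - ../dbcon.inc.php defines $pdo, a PDO connection opened with
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
//   - the login code stored $_SESSION['user_id'] and $_SESSION['is_moderator']
//   - the login code stored a random token in $_SESSION['csrf_token'] and the
//     delete form carries it in a hidden field named "csrf_token"
// Table and column names are the ones used in the original post.
session_start();

// Return the submitted value as a positive integer id, or null if it is not one.
// FILTER_VALIDATE_INT rejects "45678'#--", "45'678", "1e3" and " 12"; a plain
// (int) cast or settype() would silently turn the first two into 45678 and 45.
function valid_id($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// True if the submitted CSRF token matches the one issued to this session.
// hash_equals() compares in constant time.
function csrf_ok(?string $submitted): bool {
    return $submitted !== null
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Delete reply $news_id from forum $vfi. Returns 'not_found', 'is_first_post'
// or 'deleted'. Every value reaches SQL through a bound parameter.
function delete_reply(PDO $pdo, int $news_id, int $vfi): string {
    $stmt = $pdo->prepare('SELECT alfamsg FROM forumnews WHERE news_ID = ?');
    $stmt->execute([$news_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'not_found';
    }
    if ($row['alfamsg'] === 'Yes') {
        return 'is_first_post';   // first post of a topic: refuse, as the original does
    }
    // The delete and the counter update succeed or fail together.
    $pdo->beginTransaction();
    try {
        $pdo->prepare('DELETE FROM forumnews WHERE news_ID = ?')->execute([$news_id]);
        $pdo->prepare('UPDATE forums SET nrofreplys = nrofreplys - 1 WHERE forum_id = ?')
            ->execute([$vfi]);
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
    return 'deleted';
}

if (($_POST['action'] ?? '') === 'deleterep') {
    // 1. Authorization (Kris's point): only a logged-in moderator may delete.
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_moderator'])) {
        http_response_code(403);
        exit('You are not allowed to delete messages.');
    }
    // 2. CSRF: a POST forged from another site does not carry this session's token.
    if (!csrf_ok($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // 3. Input validation (alpine's point): every id must be an integer. A
    //    missing or malformed one rejects the whole request instead of being
    //    interpolated into SQL or into the redirect URL.
    $news_id = valid_id($_POST['news_id'] ?? null);
    $vfi     = valid_id($_POST['vfi'] ?? null);
    $vti     = valid_id($_POST['vti'] ?? null);
    if ($news_id === null || $vfi === null || $vti === null) {
        http_response_code(400);
        exit('Bad request.');
    }

    include '../dbcon.inc.php';   // assumed to define $pdo
    $result = delete_reply($pdo, $news_id, $vfi);
    if ($result === 'is_first_post') {
        echo 'You cannot delete the first, original message of a topic.<br>'
           . 'You would have to delete the whole topic together with the messages of others!';
        exit;
    }
    // The ids are validated integers, so they are safe in the redirect URL.
    // SID is no longer appended: the session id travels in its cookie only.
    header('Location: index.php?showtopic=' . $vti . '&vti=' . $vti . '&vfi=' . $vfi);
    exit;
}
```

One caveat remains even in this version: $vfi (the forum whose reply counter is decremented) is still supplied by the client, so a moderator could decrement the wrong forum's counter. If the forumnews table records which forum a reply belongs to, read the forum id from the row fetched in delete_reply() instead of trusting the form; the thread does not show the schema, so the example keeps the client-supplied value, validated.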
