timmy0320 Posted April 3, 2008

I don't know if this is the appropriate forum or if I should have posted in mod_rewrite, but it kind of pertains to both. I just have a quick question about when I use mod_rewrite to forward direct access to my *.php files to an error page since I am using 'pretty' URLs. Is it necessary for the $_GET to still be sanitized if my mod_rewrite states the following:

RewriteRule ^([a-zA-Z0-9_-]+)$ index.php?p=$1
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(.+)\.php$ /errors/? [NC,R=301,L]

Since the mod_rewrite is using alphanumeric with - and _ allowed and direct access to my php files is denied, it makes logical sense that I would not need to sanitize the $_GET input on the script since mod_rewrite is already doing so, but I just need some clarification.
Caesar Posted April 3, 2008

If you're going to perform queries using values from $_GET... then yes. No reason not to. At the very least, check to make sure nothing invalid is being passed.
timmy0320 Posted April 3, 2008 (Author)

> If you're going to perform queries using values from $_GET... then yes. No reason not to. At the very least, check to make sure nothing invalid is being passed.

Well, I'll be performing queries, as it will be something along the lines of a URL looking like this:

mysite.com/2008/04/this-is-the-title

which will be in mod_rewrite as something of this nature:

RewriteRule ^/([0-9]{4})/([0-9]{2})/([a-z0-9\-]+)$ /index.php?y=$1&m=$2&title=$3

Isn't mod_rewrite basically already making sure that only certain input is allowed to be passed through, though?
Caesar Posted April 3, 2008

There are always creative ways around things such as this. I wouldn't assume that anything that is passed via URL or user input is not exploitable. There really is never a good enough reason not to take extra steps to ensure exploits aren't possible.

<?php
// Rewrite every $_GET value in place. Iterating with key => value replaces the
// original key()/next() calls, which depend on the array's internal pointer
// that foreach does not advance. Non-string values (e.g. ?a[]=1) are skipped,
// since strip_tags() only accepts strings.
if (!empty($_GET)) {
    foreach ($_GET as $key => $value) {
        if (is_string($value)) {
            $_GET[$key] = trim(htmlentities(strip_tags($value)));
        }
    }
}
?>

...or something. You can always do a lot more, like look for specific things and disallow them. Like I said... I just can't think of good reasons not to cleanse anything that will be used in a db query.
timmy0320 Posted April 3, 2008 (Author)

Thanks, that's all I needed to know. My sanitation is a little different than yours though.

<?php
// is_num() does not exist in PHP; ctype_digit() checks for ASCII digits only.
// The inner condition is parenthesised so that && / || group as intended:
// the length check only applies when the parameter is actually set.
if (isset($_GET['yr']) && (!ctype_digit($_GET['yr']) || strlen($_GET['yr']) != 4)) {
    // error
}
if (isset($_GET['mon']) && (!ctype_digit($_GET['mon']) || strlen($_GET['mon']) != 2)) {
    // error
}
if (isset($_GET['title']) && !preg_match('/^[A-Za-z0-9-]+$/', $_GET['title'])) {
    // error
}
?>

Guess I should live by "do not trust user input" even with mod_rewrite.
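Added example, not code from either poster: a PHP-side validator for the y/m/title parameters the thread's RewriteRule produces, written so the script stays safe even if the rewrite rule is absent or changed, followed by a parameterised lookup. The parameter names come from the rewrite rule in the thread; the table and column names, the 200-character slug cap and the `load_post` helper are assumptions.

```php
<?php
// Added example: validate the pretty-URL parameters independently of mod_rewrite.
// Returns the validated values, or null when anything is missing or invalid.
function validate_post_params(array $get): ?array
{
    // Every parameter must be present and a string; arrays (?y[]=2008) are rejected.
    foreach (['y', 'm', 'title'] as $name) {
        if (!isset($get[$name]) || !is_string($get[$name])) {
            return null;
        }
    }

    // Year: exactly four ASCII digits (the rewrite's [0-9]{4}).
    if (!preg_match('/^[0-9]{4}$/', $get['y'])) {
        return null;
    }

    // Month: two digits AND in range 01-12; the rewrite only checks "two digits".
    if (!preg_match('/^[0-9]{2}$/', $get['m']) || (int) $get['m'] < 1 || (int) $get['m'] > 12) {
        return null;
    }

    // Slug: same character class as the rewrite, plus a length cap (assumed 200).
    if (!preg_match('/^[a-z0-9-]{1,200}$/', $get['title'])) {
        return null;
    }

    return ['y' => (int) $get['y'], 'm' => (int) $get['m'], 'title' => $get['title']];
}

// Bound parameters keep the validated values out of the SQL text entirely, so the
// query is safe even if a validation rule is loosened later. Schema is assumed.
function load_post(PDO $db, array $params): ?array
{
    $stmt = $db->prepare(
        'SELECT id, title, body FROM posts WHERE year = :y AND month = :m AND slug = :title'
    );
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: what the rewrite emits for /2008/04/this-is-the-title, and
// two requests that could only arrive if the rewrite rule were bypassed or relaxed.
$ok      = validate_post_params(['y' => '2008', 'm' => '04', 'title' => 'this-is-the-title']);
$badMon  = validate_post_params(['y' => '2008', 'm' => '13', 'title' => 'this-is-the-title']);
$badSlug = validate_post_params(['y' => '2008', 'm' => '04', 'title' => "not a slug'"]);
var_dump($ok !== null, $badMon === null, $badSlug === null);
```

A rewrite rule constrains one entry point into the script; the checks inside the script hold for every entry point, including a second vhost or a future rule change.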