  1. #1
    SitePoint Member
    Join Date
    Jan 2003
    Posts
    11

    Basic PHP question

    I'm a total PHP n00b, so to speak! I've programmed in Perl for quite a while, but I think it's about time I branched out into other languages too.

    Just a basic question, because I'm unsure about PHP security: I have a script which passes a number through the query string, which is then used to get info from an array (it's actually more complex than that, as it's a sort of file download script, but I'm too lazy to post full details here).

    If I called the script using script.php?id=1 and then used the query string value in the following way:

    PHP Code:
    if ($id == 0 OR !isset($array[$id]) OR $array[$id] == '') {
        // don't use ID of 0 or invalid id (isset avoids an undefined-index notice)
        // error here
    }

    Is my script open to hacking in any way?

  2. #2
    Mike
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Use $_GET['id']

    And if you're using it in any DB queries, run it through addslashes() and strip_tags()
    Mike
    It's not who I am underneath, but what I do that defines me.

  3. #3
    SitePoint Member
    Join Date
    Jan 2003
    Posts
    11
    Quote Originally Posted by naramation
    Use $_GET['id']

    And if you're using it in any DB queries, run it through addslashes() and strip_tags()
    Thanks for the information

  4. #4
    Jeff Lange
    Join Date
    Jan 2003
    Location
    Calgary, Canada
    Posts
    2,063
    Can someone give me an explanation as to why we want to strip_tags() data before inserting it into the database?
    Who walks the stairs without a care
    It shoots so high in the sky.
    Bounce up and down just like a clown.
    Everyone knows its Slinky.

  5. #5
    SitePoint Member
    Join Date
    Jan 2003
    Posts
    11
    Quote Originally Posted by cyborg from dh
    Can someone give me an explanation as to why we want to strip_tags() data before inserting it into the database?
    strip_tags() gets rid of HTML and PHP tags, which is good, as people can hack into your PHP scripts using JavaScript if you aren't careful (although I'm not entirely sure how it works, I just know it's possible!)

  6. #6
    Mike
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Quote Originally Posted by cyborg from dh
    Can someone give me an explanation as to why we want to strip_tags() data before inserting it into the database?

    That depends on whether or not you want people storing tags in the first place. In many cases you don't want to, so you may as well strip them all. It's just an extra precaution.
    Mike
    It's not who I am underneath, but what I do that defines me.

  7. #7
    Jeff Lange
    Join Date
    Jan 2003
    Location
    Calgary, Canada
    Posts
    2,063
    I know what it does, and why, but usually I find htmlspecialchars() more useful, as you output the data and it looks as entered.
    Who walks the stairs without a care
    It shoots so high in the sky.
    Bounce up and down just like a clown.
    Everyone knows its Slinky.

  8. #8
    platinum
    Join Date
    Jun 2001
    Location
    Adelaide, Australia
    Posts
    6,441
    It's useful to strip out certain tags.

    I have a comments system; people can use <b>, <i>, <u> and <a> within their comments, but no other tags.

    So, strip_tags($data, "<b><i><u><a>"); is very useful in that case! It really depends on which context you're using it in. htmlspecialchars() just converts; sometimes you need to "strip" the code clean of unwanted stuff rather than just convert characters.

  9. #9
    Jeff Lange
    Join Date
    Jan 2003
    Location
    Calgary, Canada
    Posts
    2,063
    What if I did

    <b onclick="window.location='http://www.[some porn site here].com/'"></b>

    I think it is overall better to use bb-code style tags.
    Who walks the stairs without a care
    It shoots so high in the sky.
    Bounce up and down just like a clown.
    Everyone knows its Slinky.
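An added example, not code from anyone in this thread, tying together the id check from post #1, the allow-list strip_tags() from post #8, and the bb-code alternative from post #9. It assumes PHP 7.1+ and uses a constructed $files array in place of the poster's download table.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.1+ and a
// constructed $files array standing in for the poster's download table.

// Post #1: accept only a decimal integer id, reject 0, and require the key
// to exist, so "abc", "1 OR 1=1", "-1" and missing ids are all rejected.
function lookupFile(array $files, $rawId): ?string
{
    if (!is_string($rawId) || !ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;
    if ($id === 0 || !array_key_exists($id, $files) || $files[$id] === '') {
        return null; // "don't use ID of 0 or invalid id"
    }
    return $files[$id];
}

// Posts #8/#9: strip_tags() with an allow-list keeps every attribute on an
// allowed tag, so an onclick handler survives, and only the <script> tag
// (not its contents) is removed.
function allowListStrip(string $comment): string
{
    return strip_tags($comment, '<b><i><u><a>');
}

// Post #9's alternative: escape everything first, then translate a fixed
// set of bb-code tags into markup. No attribute from the input ever reaches
// the output, and [url] only accepts http(s) URLs (already entity-escaped).
function renderBbCode(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe = preg_replace('#\[(b|i|u)\](.*?)\[/\1\]#s', '<$1>$2</$1>', $safe);
    return preg_replace('#\[url=(https?://[^\s\]]+)\](.*?)\[/url\]#s',
                        '<a href="$1">$2</a>', $safe);
}

$files = [1 => 'report.pdf', 2 => '', 3 => 'notes.txt']; // constructed sample
var_dump(lookupFile($files, '3'));    // valid id
var_dump(lookupFile($files, '0'));    // id 0
var_dump(lookupFile($files, '2'));    // empty entry
var_dump(lookupFile($files, '1abc')); // not all digits

// Constructed payload in the shape of post #9's <b onclick=...> comment.
$payload = "<b onclick=\"window.location='http://example.invalid/'\">hi</b><script>x()</script>";
echo allowListStrip($payload), "\n"; // onclick attribute is kept
echo renderBbCode("[b]hi[/b] $payload"), "\n"; // raw tag is escaped, [b] rendered
```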
