Results 1 to 25 of 62
  1. #1
    hisham777 (SitePoint Guru)
    Join Date: Dec 2005
    Posts: 802

    how to make GET safe

    Hello,

    a lot of programmers, especially new ones, use the GET method for links, etc.

    but this can result in a lot of security issues.

    How do you secure the information that the browser sends to the script?

    Thanks
    Never be shy to ask silly Qs
    An answer is always better than none

  2. #2
    stymiee (He's No Good To Me Dead)
    Join Date: Feb 2003
    Location: Slave I
    Posts: 23,423
    Same as you would for POST. Validate the data. If a variable doesn't contain a valid value then throw an error.

  3. #3
    hamidof (Codehead.)
    Join Date: Dec 2005
    Posts: 328
    No sensitive data in URL, or GET, it has to just contain cat_id=3, action=delete kind of thing!

  4. #4
    hisham777 (SitePoint Guru)
    Join Date: Dec 2005
    Posts: 802
    Quote Originally Posted by stymiee
    Same as you would for POST. Validate the data. If a variable doesn't contain a valid value then throw an error.
    you mean using Regular Expressions to limit the information that the script gets from the browser?

    care to give a few examples for myself and newbies

  5. #5
    stymiee (He's No Good To Me Dead)
    Join Date: Feb 2003
    Location: Slave I
    Posts: 23,423
    That will vary depending on what you are expecting. If you are expecting a variable to contain only numbers, cast it to an integer and then validate that it is in the bounds that you are expecting. If it is a string that should be no longer than 10 characters, use substr to remove anything over 10 characters. If a variable should have only a few possible values, make sure that it contains only one of those possible values. Etc...

  6. #6
    dg_den_golotyuk (PHP Brainiac)
    Join Date: Jul 2006
    Location: Kiev, Ukraine
    Posts: 335
    Also you can use different forms of duplex encodings (ones that allow decoding), like base64. But you must always check the GET parameters (those you are using) on every page. And be careful. Site visitors are very curious people.
    DG [Den Golotyuk], Lead Developer
    Chestnut Software

  7. #7
    kyberfabrikken (SitePoint Wizard)
    Join Date: Jun 2004
    Location: Copenhagen, Denmark
    Posts: 6,157
    Rule #1: Never trust user input.

  8. #8
    GeertDD (SitePoint Addict)
    Join Date: Feb 2005
    Location: Belgium
    Posts: 334
    A practical example that I use a lot:
    PHP Code:
    // initialize page variable
    $page = (!empty($_GET['page'])) ? $_GET['page'] : 'home';

    // pick a page
    switch ($page) {
        case 'home':     /* home page stuff */ break;
        case 'products': /* */ break;
        case 'about-us': /* */ break;

        // don't accept any other values
        default: /* error 404 for example */
    }

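The three checks stymiee lists in #5 (bounded integer, length-limited string, a few allowed values) and GeertDD's whitelist switch above, put into one helper per kind of value. This is an added example, not code posted in the thread; the parameter names page, id and q, the sample request array and the range limits are assumptions. It goes slightly beyond the posts: it rejects an over-long string rather than cutting it with substr(), and treats an array-valued parameter (?id[]=1) as missing.

```php
<?php
// Added example, not code from the thread: one helper per kind of GET value.
// The parameter names (page, id, q) and the sample request are constructed.

// Bounded integer: filter_var() rejects "12abc" and " 5" (a bare (int) cast
// would silently accept them as numbers) and enforces the expected range.
function getInt(array $src, string $key, int $min, int $max): ?int
{
    // ?id[]=1 makes $_GET['id'] an array; treat that as missing.
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $value = filter_var($src[$key], FILTER_VALIDATE_INT, $opts);
    return $value === false ? null : $value;
}

// Length-limited string. Reject instead of truncating with substr(), so an
// oversized value never reaches the application, and refuse control characters.
function getShortString(array $src, string $key, int $maxLen): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $value = $src[$key];
    if (strlen($value) > $maxLen || preg_match('/[\x00-\x1f\x7f]/', $value)) {
        return null;
    }
    return $value;
}

// One of a few known values. Strict in_array() so "0" never matches 'home';
// anything not on the list falls back to the default.
function getEnum(array $src, string $key, array $allowed, string $default): string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return $default;
    }
    return in_array($src[$key], $allowed, true) ? $src[$key] : $default;
}

// Constructed request standing in for $_GET: id is malformed and q is too long.
$request = ['page' => 'products', 'id' => '12abc', 'q' => 'wee can write'];

$page = getEnum($request, 'page', ['home', 'products', 'about-us'], 'not-found');
$id   = getInt($request, 'id', 1, 999999);
$q    = getShortString($request, 'q', 10);

switch ($page) {
    case 'home':     echo "home page\n"; break;
    case 'products':
        echo $id === null ? "no such product\n" : "product $id\n";
        echo $q === null ? "no search filter applied\n" : "filtered by: $q\n";
        break;
    case 'about-us': echo "about us\n"; break;
    default:         http_response_code(404); echo "not found\n";
}
```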

  9. #9
    hisham777 (SitePoint Guru)
    Join Date: Dec 2005
    Posts: 802
    Nice, thanks all,

    different ways to solve a problem. I think that's what makes the difference between the good programmers and the beginner ones.

    Keep the ways coming; it's good for a person like me to see these solutions. It will expose me to the possibilities of finding different approaches to solve problems, as well as those who are just starting the road to the PHP world of programming, to have an idea of the possibilities, better than a lot of tutorials online that still teach the same old methods of connecting to a DB without considering that there are beginners who do not understand the security issues in following such tutorials (no offence to the owners).

    thanks, more if you please

  10. #10
    hisham777 (SitePoint Guru)
    Join Date: Dec 2005
    Posts: 802
    Quote Originally Posted by GeertDD
    A practical example that I use a lot:
    PHP Code:
    // initialize page variable
    $page = (!empty($_GET['page'])) ? $_GET['page'] : 'home';

    // pick a page
    switch ($page) {
        case 'home':     /* home page stuff */ break;
        case 'products': /* */ break;
        case 'about-us': /* */ break;

        // don't accept any other values
        default: /* error 404 for example */
    }

    thanks, new approach for me.

  11. #11
    gdtrfb (SitePoint Zealot)
    Join Date: Sep 2004
    Location: Boston
    Posts: 174
    An easy way to validate your data for integers:

    PHP Code:
    if (isset($_GET['a']) and ctype_digit((string) $_GET['a'])) {
        // OK, all digits
    } else {
        // contains non-numeric characters.
    }

    You could also try this, although it's slower:

    PHP Code:
    $a = preg_replace('/\D/', '', @$_GET['a']);

    if ($a != '') {
        // numbers only
    } else {
        // no numbers at all.
    }

    Watch out for the @ in the second example so you don't throw a warning if there's no $_GET['a'].

  12. #12
    hisham777 (SitePoint Guru)
    Join Date: Dec 2005
    Posts: 802
    any good source for regular expressions? I'm bad at them. For my understanding, this means

    ^[a-zA-Z0-9 ]+$

    letters, upper and lower case, are allowed, as well as numbers and spaces (I think).

    reliable sources please. any?
    or maybe a tool?

  13. #13
    Jake Arkinstall (Theoretical Physics Student)
    Join Date: May 2006
    Location: Lancaster University, UK
    Posts: 7,062
    I wonder....

    Is there any way to pass a variable from one page to another without $_GET, or using a form?

    I mean it would be cool to have a code like this
    PHP Code:
    <?
    $foo = 'bar';
    echo "<a href=\"";
    $_PASS['$foo']TO['page.php'];
    echo "\">click</a>";
    ?>
    which would give out the HTML:
    Code:
    <a href="page.php">
    I think that would be handy for the next php version.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  14. #14
    Dean C (SitePoint Wizard)
    Join Date: Mar 2003
    Location: England, UK
    Posts: 2,906
    gdtrfb - why do that when you can simply do:

    PHP Code:
    // intval() returns 0 for anything that is not a number
    if (intval($_REQUEST['var']) == 0) {
        // bad
    } else {
        // good
    }


  15. #15
    Dean C (SitePoint Wizard)
    Join Date: Mar 2003
    Location: England, UK
    Posts: 2,906
    Quote Originally Posted by arkinstall
    I wonder....

    Is there any way to pass a variable from one page to another without $_GET, or using a form?

    I think that would be handy for the next php version.
    http://uk.php.net/manual/en/features.sessions.php

  16. #16
    gdtrfb (SitePoint Zealot)
    Join Date: Sep 2004
    Location: Boston
    Posts: 174
    Quote Originally Posted by Dean C
    gdtrfb - why do that when you can simply do:

    PHP Code:
    // intval() returns 0 for anything that is not a number
    if (intval($_REQUEST['var']) == 0) {
        // bad
    } else {
        // good
    }

    Mmmmm, intval(). Never used it. Looks like I'll start. Anything for cleaner code!

  17. #17
    GeertDD (SitePoint Addict)
    Join Date: Feb 2005
    Location: Belgium
    Posts: 334
    Quote Originally Posted by gdtrfb
    Mmmmm, intval(). Never used it.
    Very useful function. If you pass a numeric ID via $_GET, for example, you could completely clean it like this:

    PHP Code:
    // cast to integer, and don't allow negative integers
    $id = (int) abs($_GET['id']); 

  18. #18
    hisham777 (SitePoint Guru)
    Join Date: Dec 2005
    Posts: 802
    Quote Originally Posted by arkinstall
    I wonder....

    Is there any way to pass a variable from one page to another without $_GET, or using a form?

    I mean it would be cool to have a code like this
    PHP Code:
    <?
    $foo = 'bar';
    echo "<a href=\"";
    $_PASS['$foo']TO['page.php'];
    echo "\">click</a>";
    ?>
    which would give out the HTML:
    Code:
    <a href="page.php">
    I think that would be handy for the next php version.

    AMEN

  19. #19
    hisham777 (SitePoint Guru)
    Join Date: Dec 2005
    Posts: 802
    from PHP.net

    Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.


    so how would that work with URLs and passing variables on URLs, especially links?!!

  20. #20
    agentolivia (SitePoint Enthusiast)
    Join Date: Jul 2003
    Posts: 66
    Quote Originally Posted by hisham777
    Hello,

    a lot of programmers especially new once use GET method for links...etc

    but this can result in a lot of security issues.

    How do you secure the information that the browser send to the script?

    Thanks
    I love using the URL as a source for variables. I'm just really careful about filtering and validating, but it makes for an essentially error-free website experience for the user and safe one for the developer.

    I use a combination of the PathVars class[1], the Dispatch method[2], htaccess[3], a CleanVar[4] function, and filtering, filtering and more filtering[5].
    • I use an htaccess page to route all requests to the dispatch.php page.
    • I use the dispatch page to retrieve a variable from a specific segment or "path" of the URL and I use that variable as a "switch" to include the page I want to serve.
    • On the served page (let's say a products page), I check the URL again for a "PathVar", filter it, escape it, put it in a $clean[] array, and check the value in the database, if it's valid, deliver, for example, the specific product page, if not, tell the visitor, "Sorry, no products were found."
    I do the same thing for a shopping cart. If I'm expecting a number in the URL path variable (i.e. quantity), I actually strval(intval()) it, then CleanVar() it (essentially mysql_real_escape_string()), before I enter it into my shopping cart table along with the session.

    I used this method for thetraits.org. For example, notice that...
    http://www.thetraits.org/products/see/16128

    ...gets you to the product detail page for Wee Can Write, but adding nonsense to the end of the url (where the ID # is expected) will get you "Sorry no products were found" instead of a 404 "Page Not Found" error.
    http://www.thetraits.org/products/see/dasdfiudf

    But I'm rambling. Here are the resources I got these ideas from:
    [1,2] PathVars class - The PHP Anthology by Harry Fuecks (Sitepoint), chapter 9, "Web Page Elements", section, "How do I make “search engine friendly” URLs in PHP?"

    [2] I use the .htaccess to route requests to the appropriate dispatch page. There's an example in the chapter cited above.

    [3] The CleanVar function came from somewhere in this forum, if I recall.

    Code:
    function safeEscapeString($string)
    {
        if (get_magic_quotes_gpc()) {
            return $string;
        } else {
            return mysql_real_escape_string($string);
        }
    }

    function cleanVar($string)
    {
        $string = trim($string);
        $string = safeEscapeString($string);
        $string = htmlentities($string);
        return $string;
    }

    [4] There's already been some good examples of filtering in this thread. Mostly the initial idea for most of my filters comes from Chris Shiflett's PHP Security handbook that was passed out at his workshop at OSCON 2004 and now has been published as a book. You can find some code examples at the book's site here:
    http://phpsecurity.org/code


    Also, since we're kinda on the subject, another good resource on security is David Sklar on "PHP and the OWASP Top Ten Security Vulnerabilities"
    http://www.sklar.com/page/article/owasp-top-ten

    I will now cease rambling.
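agentolivia's cleanVar() applies mysql_real_escape_string() and htmlentities() to the input in one step, which binds the stored value to one database driver and one output context. As an added example (not the thread's, the PHP Anthology's or thetraits.org's code), here is the same /products/see/16128 flow with the escaping moved to the point of use: the path segments are checked against known values, the id is validated as a positive integer, the lookup is a PDO prepared statement against a constructed in-memory SQLite table, and htmlspecialchars() runs only when the name is rendered. The route shape, table layout and product row are assumptions.

```php
<?php
// Added example, not the thread's or the book's code: the /products/see/<id>
// flow with validation up front and escaping at the point of use. The route
// shape, table layout and rows are constructed for this example.

function lookupProduct(PDO $db, int $id): ?array
{
    // The id travels as a bound parameter, never as SQL text, so no input
    // filter has to know the database's quoting rules or magic_quotes state.
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Section and action must be known values; the id must be a positive integer.
// Nonsense in the id slot gets "no products were found", as the post describes.
function dispatch(PDO $db, string $path): string
{
    $segments = explode('/', trim($path, '/'));
    if (count($segments) !== 3 || $segments[0] !== 'products' || $segments[1] !== 'see') {
        return 'Page not found';
    }
    $id = filter_var($segments[2], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || ($product = lookupProduct($db, $id)) === null) {
        return 'Sorry, no products were found';
    }
    // HTML escaping happens here, where the value is rendered, so the stored
    // name stays raw and can also be used in a non-HTML context.
    return '<h1>' . htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Constructed in-memory table standing in for the shop's products table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO products (id, name) VALUES (16128, 'Wee Can Write <sample & demo>')");

// A valid id, the nonsense id from the post, and an action that is not routed.
foreach (['/products/see/16128', '/products/see/dasdfiudf', '/products/edit/16128'] as $path) {
    echo $path, ' => ', dispatch($db, $path), "\n";
}
```

Requires the pdo_sqlite extension; with another driver only the DSN and the CREATE TABLE statement change.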

  21. #21
    SitePoint Enthusiast
    Join Date: Jul 2006
    Posts: 36
    Always validate any data that comes into your server, whether it's GET, POST, COOKIE or whatever.

  22. #22
    I87 (Non-Member)
    Join Date: Mar 2006
    Location: UK
    Posts: 378
    if you know the _GET will be numbers, the easiest way to "sterilize" it would be to use (int)

    eg

    PHP Code:
    $foo = (int) $_GET['foo']; 

  23. #23
    SitePoint Zealot
    Join Date: Jul 2006
    Location: Serbia
    Posts: 126
    Point is that you must handle all events if you want to be safe. Now we have a problem catching all events, but that is another story ...

  24. #24
    Iceman90 (SitePoint Addict)
    Join Date: Mar 2006
    Location: Calgary, Alberta, Canada
    Posts: 391
    You should always use error checking for your $_GET variables. It could be something as simple as this:

    PHP Code:
    $variable = $_GET['variable'];

    if ($variable == 'category1') {
        echo "<p>some text</p>";
    } else {
        echo "<p>You broke the Internet.</p>";
    }

    or, you could use ereg and eregi expressions to check if the variable contains only text (for example).

  25. #25
    hisham777 (SitePoint Guru)
    Join Date: Dec 2005
    Posts: 802
    Quote Originally Posted by agentolivia
    I love using the URL as a source for variables. I'm just really careful about filtering and validating, but it makes for an essentially error-free website experience for the user and safe one for the developer.

    I use a combination of the PathVars class[1], the Dispatch method[2], htaccess[3], a CleanVar[4] function, and filtering, filtering and more filtering[5].
    • I use an htaccess page to route all requests to the dispatch.php page.
    • I use the dispatch page to retrieve a variable from a specific segment or "path" of the URL and I use that variable as a "switch" to include the page I want to serve.
    • On the served page (let's say a products page), I check the URL again for a "PathVar", filter it, escape it, put it in a $clean[] array, and check the value in the database, if it's valid, deliver, for example, the specific product page, if not, tell the visitor, "Sorry, no products were found."
    I do the same thing for a shopping cart. If I'm expecting a number in the URL path variable (i.e. quantity), I actually strval(intval()) it, then CleanVar() it (essentially mysql_real_escape_string()), before I enter it into my shopping cart table along with the session.

    I used this method for thetraits.org. For example, notice that...
    http://www.thetraits.org/products/see/16128

    ...gets you to the product detail page for Wee Can Write, but adding nonsense to the end of the url (where the ID # is expected) will get you "Sorry no products were found" instead of a 404 "Page Not Found" error.
    http://www.thetraits.org/products/see/dasdfiudf

    But I'm rambling. Here are the resources I got these ideas from:
    [1,2] PathVars class - The PHP Anthology by Harry Fuecks (Sitepoint), chapter 9, "Web Page Elements", section, "How do I make “search engine friendly” URLs in PHP?"

    [2] I use the .htaccess to route requests to the appropriate dispatch page. There's an example in the chapter cited above.

    [3] The CleanVar function came from somewhere in this forum, if I recall.

    Code:
    function safeEscapeString($string)
    {
        if (get_magic_quotes_gpc()) {
            return $string;
        } else {
            return mysql_real_escape_string($string);
        }
    }

    function cleanVar($string)
    {
        $string = trim($string);
        $string = safeEscapeString($string);
        $string = htmlentities($string);
        return $string;
    }

    [4] There's already been some good examples of filtering in this thread. Mostly the initial idea for most of my filters comes from Chris Shiflett's PHP Security handbook that was passed out at his workshop at OSCON 2004 and now has been published as a book. You can find some code examples at the book's site here:
    http://phpsecurity.org/code


    Also, since we're kinda on the subject, another good resource on security is David Sklar on "PHP and the OWASP Top Ten Security Vulnerabilities"
    http://www.sklar.com/page/article/owasp-top-ten

    I will now cease rambling.
    Very informative and good links
    I am bookmarking this thread.

    Thanks

