  1. #1
    C. Ankerstjerne

    $_get code security question

    I'm new to dynamic URLs, and while I seem to have figured most things out myself, I just want to know if the code below will prevent people from injecting bad code through the URL (I tried searching the forum, with no luck; apologies if this belongs in the MySQL section):
    PHP Code:
    $page = $_GET["page"];
    $page = str_replace("\"", "", $page);
    $page = str_replace("\'", "", $page);
    $page = str_replace("\\", "", $page);
    $page = str_replace("$", "", $page);
    $page = str_replace("=", "", $page);
    if (!$page) {
        $page = "index";
    }

    $host = "XXXXX";
    $username = "XXXXX";
    $password = "XXXXX";
    $database = "XXXXX";

    $link = mysql_connect($host, $username, $password);
    mysql_select_db($database);
    $result = mysql_query("SELECT * FROM database WHERE pagename = '$page'");

    $pagename = mysql_result($result, $i, "pagename");
    $title = mysql_result($result, $i, "title");
    $subtitle = mysql_result($result, $i, "subtitle");
    $pretext = mysql_result($result, $i, "pretext");
    $photographs = mysql_result($result, $i, "photographs");
    $posttext = mysql_result($result, $i, "posttext");

    if (!$title) {
        $title = "No such page";
    }

    mysql_close($link);
    Thanks in advance!
    Christian Ankerstjerne
    <p<strong<abbr/HTML/ 4 teh win</>
    <>In Soviet Russia, website codes you!

  2. #2
    Mandes
    You might want to add some of the standard SQL directives to your list: 'WHERE', 'AND', 'OR', etc.

    Depending on what you're calling your pages, a better way would be to accept only inputs that match your page names. It's always easier to allow what you know than to block what you don't.
    A Little Knowledge Is A Very Dangerous Thing.......
    That Makes Me A Lethal Weapon !!!!!!!!

    Contract PHP Programming

  3. #3
    C. Ankerstjerne
    Thanks for your input. I'll add the SQL commands to the list.

    I could probably make an array of the page names, and verify against that, but since I'll be adding page names ad hoc manually in the database, this could become tedious to update (plus, I'm doing this for a smaller website right now, but I am considering using it for larger websites in the future, which would require a rather large array).

  4. #4
    Mandes
    Quote Originally Posted by C. Ankerstjerne
    I could probably make an array of the page names, and verify against that, but since I'll be adding page names ad hoc manually in the database, this could become tedious to update (plus, I'm doing this for a smaller website right now, but I am considering using it for larger websites in the future, which would require a rather large array).

    Sorry, I didn't make myself clear (I knew what I was thinking).

    I wasn't suggesting that you make an array with all your pages in. More that you check the format of the request coming in.

    If all your page names are numerical, e.g. 123.php, 124.php, you could check that the passed information contains only numbers; if they follow a pattern, AB123.php, check for two uppercase letters followed by 3 numbers.

    Hope that's clearer now.

  5. #5
    C. Ankerstjerne
    Unfortunately it's neither - I use meaningful page names (i.e. 'index', 'about', 'photographs', etc.). I could use index numbers, but because I may have to use this method on a server which doesn't allow .htaccess (i.e. no mod_rewrite), I prefer to have dynamic URLs which are, to some extent, SEO-friendly.

  6. #6
    Mandes
    OK, so you could perhaps check for all lowercase alphas, no punctuation, no spaces?

  7. #7
    C. Ankerstjerne
    Good idea - I'll look into implementing those (either through verification or replacement).

  8. #8
    superuser2
    Look into mysql_real_escape_string and htmlentities. They help a whole lot with SQL injection and XSS. No need to re-invent the wheel; they are standard PHP functions.
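The following is an added example for this thread, not code posted by C. Ankerstjerne or by anyone else in it. It takes the lookup from post #1 and replaces the string stripping plus interpolated query with a prepared statement, which is what the advice in post #8 amounts to on current PHP: the mysql_* functions used in post #1 were removed in PHP 7.0, and mysqli (or PDO) with bound parameters makes mysql_real_escape_string unnecessary for this query. The example assumes the table is named pages (post #1 shows a placeholder name), keeps the four "XXXXX" credential placeholders, and needs the mysqlnd driver for get_result(), which is the default build. One detail of the original worth knowing about while it is still in use: in a PHP double-quoted string, "\'" is the two-character sequence backslash-apostrophe, so the third str_replace in post #1 removes that pair and leaves a lone apostrophe untouched.

```php
<?php
// Added example for this thread, not code from post #1 or from any of the replies.
// It rewrites the lookup from post #1 so that the user-supplied page name is bound
// as a parameter instead of being spliced into the SQL text.
// Assumptions: the table is called "pages" (post #1 shows a placeholder) and the
// credentials are the same "XXXXX" placeholders; get_result() needs mysqlnd.
declare(strict_types=1);

function lookupPage(mysqli $db, string $page): ?array
{
    // The "?" is sent to MySQL separately from the query text, so a value such as
    // "index' OR 1 -- " is compared literally against pagename and matches no row.
    // No quote stripping or escaping of $page is needed for that to hold.
    $stmt = $db->prepare(
        'SELECT pagename, title, subtitle, pretext, photographs, posttext
           FROM pages WHERE pagename = ? LIMIT 1'
    );
    $stmt->bind_param('s', $page);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null (or false) when nothing matched
    $stmt->close();
    return $row ?: null;
}

// Escaping for HTML is a separate step from the SQL side: whatever comes back from
// the database (or from $_GET) is still untrusted when it is echoed into the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$page = $_GET['page'] ?? 'index';
if (!is_string($page) || $page === '') {   // ?page[]=x arrives as an array, not a string
    $page = 'index';
}

$db = new mysqli('XXXXX', 'XXXXX', 'XXXXX', 'XXXXX');   // host, username, password, database
$db->set_charset('utf8mb4');   // the connection charset must match the stored data

$row   = lookupPage($db, $page);
$title = $row['title'] ?? 'No such page';

echo '<h1>', h((string) $title), '</h1>', "\n";
if ($row !== null) {
    echo '<h2>', h((string) ($row['subtitle'] ?? '')), '</h2>', "\n";
    echo '<div>', h((string) ($row['pretext'] ?? '')), '</div>', "\n";
}
$db->close();
```

If the site really has to stay on the legacy mysql_* extension, the advice in post #8 still applies: pass the value through mysql_real_escape_string($page, $link) after mysql_connect has opened the connection (escaping depends on the connection's charset), and keep the quotes around '$page' in the query. Bound parameters remove that fragility entirely, which is why they are the default answer today.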

  9. #9
    C. Ankerstjerne
    Thank you!

  10. #10
    mrwooster
    Quote Originally Posted by superuser2
    Look into mysql_real_escape_string and htmlentities. They help a whole lot with SQL injection and XSS. No need to re-invent the wheel; they are standard PHP functions.
    I agree - as far as I know, I believe you can prevent injection and XSS simply by applying standard PHP functions.

    See http://phpsec.org/ for php security
    http://unixwiz.net/techtips/sql-injection.html - for info about sql injection
    http://blog.bitflux.ch/http:/blog.bi...revent-it.html - Info about XSS
    http://ha.ckers.org/xss.html - Examples of possible XSS


    Good luck

    Guy

  11. #11
    SitePoint Evangelist, Austin
    You could also just use a regex to make sure that the page variable looks like xxxx.xxx, and doesn't contain anything else. It should be really easy to use preg_match to validate that way.
    Merchant Equipment Store - Merchant Services, POS, Equipment, and supplies.
    Merchant Account Blog | Ecommerce Blog

  12. #12
    C. Ankerstjerne
    Again, thanks for your help. I'll definitely look into the ideas presented here.

  13. #13
    C. Ankerstjerne
    I've looked into preg_match, but I can't get it to work. I've tried to use the following syntax, but I can't get it to return anything but 0 (I haven't worked with regular expressions before, so bear with me).
    PHP Code:
    $page = $_GET["page"];
    if (!preg_match("^[a-z]$", $page)) {
        $page = "";
    }

  14. #14
    mrwooster
    Only taking a guess, but try:

    PHP Code:
    $page = $_GET["page"];
    if (!preg_match("/^[a-z]$/", $page)) {
        $page = "";
    }

    With the '/' slashes.

  15. #15
    SitePoint Enthusiast, The Netherlands
    Why don't you use ctype_alpha in this case? http://nl3.php.net/ctype-alpha

  16. #16
    C. Ankerstjerne
    mrwooster: No luck with that one, unfortunately.

    Peter: That should work for most of the cases, but I might also need to use numbers in some of the page names (so my regex example should rather be along the lines of ^[a-z0-9]$).

  17. #17
    C. Ankerstjerne
    I got it to work by using preg_replace:
    PHP Code:
    $page = $_GET["page"];
    $page = strtolower($page);
    $page = preg_replace("`[^a-z0-9]`", "", $page);
    This should also have the advantage that if the page is linked to from a forum and some characters are appended by accident (such as '.' or ',', as happens when URLs are parsed automatically), the user will still arrive at the correct page.

    Thanks to everyone above for their help.

