  1. #1 SitePoint Zealot (Join Date: Feb 2009, Posts: 135)

    Quicky security question

    I've written a script where people can input a number to see specific random results. Would there be any potential issues with someone inserting code into the field?

    It's pretty much used like this:

    Code:
    $num = $_POST['a'];
    srand($num);
    echo $num;

  2. #2 Mittineague, Programming Team (Join Date: Jul 2005, Location: West Springfield, Massachusetts, Posts: 17,140)
    Nothing serious that I can think of unless there's a way to enter PHP code into it and have the results output, e.g. (not that it would work, but you get the idea):

    Code:
    $_POST['a'] = "0);phpinfo();("

    IMHO, it would be prudent and good habit to always validate. If it's only numbers allowed you could use trim() and is_numeric() at the least.

  3. #3 AnthonySterling, Twitter: @AnthonySterling (Join Date: Apr 2008, Location: North-East, UK, Posts: 6,111)
    In addition to Mittineague's excellent advice, you should also cast the variable to an Integer.

    PHP Code:
    <?php
    $num = (Integer)$_POST['a'];
    srand($num);
    echo $num;
    ?>
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.
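The two answers above suggest trim(), is_numeric() and an integer cast. The following is an added example, not code from either poster, showing where is_numeric() and a bare (int) cast are looser than you might expect and how FILTER_VALIDATE_INT rejects those inputs before the seed reaches srand(). The sample inputs and the helper names are constructed for this illustration.

```php
<?php
// Added example (not from the thread). The inputs below are constructed.

/**
 * Return the seed as an int, or null when the input is not a plain integer.
 * is_numeric() would also accept "1e3" and "12.5", and (int)"abc" silently
 * becomes 0; FILTER_VALIDATE_INT accepts only an optional sign and decimal
 * digits within the int range.
 */
function seedFromInput(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $seed = filter_var(trim($raw), FILTER_VALIDATE_INT);
    return $seed === false ? null : $seed;
}

/** Same seed => same sequence, which is what the original script relies on. */
function randomResultsForSeed(int $seed, int $count = 3): array
{
    srand($seed);
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = rand(1, 100);
    }
    return $out;
}

// Constructed inputs, each with the reason it is accepted or rejected.
$samples = [
    '42'             => 'plain integer, accepted',
    ' 42 '           => 'surrounding whitespace is trimmed, accepted',
    '1e3'            => 'is_numeric() says yes, FILTER_VALIDATE_INT says no',
    '12.5'           => 'not an integer, rejected',
    "0);phpinfo();(" => 'the string from the thread: just a non-number, rejected',
    'abc'            => '(int) cast would give 0 silently; here it is rejected',
];

foreach ($samples as $input => $note) {
    // PHP turns the key '42' into int 42, so cast it back to a string.
    $seed = seedFromInput((string) $input);
    if ($seed === null) {
        printf("%-18s -> rejected (%s)\n", var_export((string) $input, true), $note);
        continue;
    }
    printf("%-18s -> seed %d, results %s (%s)\n",
        var_export((string) $input, true), $seed,
        implode(',', randomResultsForSeed($seed)), $note);
}
```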

  4. #4 SitePoint Zealot (Join Date: Feb 2009, Posts: 135)
    Thank you both! I'll be sure to do that.
