Custom CMS

Well, IMO, when it comes to the $_GET parameter, you should be validating it to make sure it meets your standards.

Let’s say cat is supposed to be a number, but someone tries passing a letter or even \1. Let’s take it one step at a time.

filename: index.php

<?php
if(isset($_GET['cat'])) {

    if(is_numeric($_GET['cat'])) {

        print($_GET['cat']);

    } else {

        print('Not a number');

    }

} else {

    print('$_GET parameter is not set');

}

In the above snippet, starting from the first if statement, we first check whether the $_GET parameter exists. If not, they’re not looking for cat; this could be the home page of index.php.

Next, we check to see if cat is a numeric character.

PLEASE NOTE

is_numeric will only allow numeric characters; however, it also allows decimals to be in there for some odd reason. I don’t know why. I’ve tested is_int and is_integer and they both reject a single string integer. The only one that allows integers is is_numeric.

But we only want whole numbers, no problem though. We can do some more validating.

<?php
if(isset($_GET['cat'])) {

    if(is_numeric($_GET['cat'])) {

        if(strpos($_GET['cat'], '.') === false) {

            print($_GET['cat']);

        } else {

            print('Numeric, but it has a decimal. We only want whole numbers.');

        }

    } else {

        print('Not a number');

    }

} else {

    print('$_GET parameter is not set');

}

Using the magic touch of strpos, we can define a string or a character and check whether it exists within the $_GET parameter. In this case, we are just looking for the period, so we just need to define that period.

For strpos, === false means false. !== false means true. You can’t do === true or !== true for some reason. It’ll give you a totally different result than what you want.

Then we simply use this layout to determine whether the user’s input is a valid number. If it isn’t, give them those custom errors. If it is, you can then set a variable such as the one in the earlier snippet, forcing the variable to be an integer. This will make things easier.
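An added example (my code, not the tutor’s) that runs the thread’s is_numeric()/strpos() check side by side with filter_var() and FILTER_VALIDATE_INT over a set of constructed inputs; the function names, the min_range of 1 and the sample values are my assumptions.

```php
<?php
// Added example: a strict whole-number check for a $_GET value, contrasting
// the thread's is_numeric()/strpos() approach with FILTER_VALIDATE_INT.
// Function names are assumptions, not from the thread.
declare(strict_types=1);

// The thread's approach: numeric, and no '.' anywhere in the string.
function is_whole_number_thread(string $raw): bool
{
    return is_numeric($raw) && strpos($raw, '.') === false;
}

// Stricter: FILTER_VALIDATE_INT accepts only an optional sign followed by
// decimal digits (no exponent, no hex, no leading zeros) and returns false
// for anything else, so the caller only ever sees an int or null.
function read_int_param(array $params, string $key, int $min = 1): ?int
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        return null;                        // missing, or an array such as ?cat[]=1
    }
    $value = filter_var($params[$key], FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => $min]]);
    return $value === false ? null : $value; // an untainted int, never the raw string
}

// Constructed sample inputs, as a visitor might type them into the URL.
$samples = ['7', '007', '7.0', '1e3', '+7', '0x1A', 'abc', '', '-3'];
foreach ($samples as $raw) {
    printf("%-6s thread-check=%-3s validate_int=%s\n",
        var_export($raw, true),
        is_whole_number_thread($raw) ? 'ok' : 'no',
        var_export(read_int_param(['cat' => $raw], 'cat'), true));
}
```

Note that '1e3' and '007' pass the is_numeric()/strpos() check but are rejected by FILTER_VALIDATE_INT, and that the array guard matters because strpos() on an array throws a TypeError on PHP 8.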

That’s because strpos returns the position in the string where it finds the result, if it finds it.

You get either an integer or false, never true.

So my validation function for rejecting input of special characters like HTML tags and wide spaces simply fails in this case? I need to proceed and include your snippet in validating GET variables.

What about casting this GET var to (int) if I decide it should be an integer and nothing more than that?

    $_GET['cat'] = (int) $_GET['cat'];

I realize that this if off-topic but no. Forcing the server to hash million byte passwords will take considerable resources, resources that should be used to process requests. This is the very definition of denial of service. And remember that some of your script kiddies control tens of thousands of computers.

Ah, I see. Now I’m starting to look like a bad tutor.

I would assume to say so. If the $_GET parameter is empty after all of your validating, but the user has specified something other than special characters in the $_GET parameter, something is wrong with your code.

I guess you could use that as well. That would basically reduce the whole messy snippet I made to a single line.

If you’re talking in the context of GET variables, it’s because they are always the string type.

http://php.net/manual/en/reserved.variables.get.php

Note:
The GET variables are passed through urldecode().

http://php.net/manual/en/function.urldecode.php

Return Values

Returns the decoded string.

The right hand side of that is the correct way of sanitizing a string that should be an integer. You should use an untainted variable on the left rather than a tainted one as the code is performing the necessary sanitizing to ensure that the result is untainted. If you simply put it back in a tainted field then you can’t tell in the rest of the code whether the sanitizing has already been done or not.

I managed to test my custom-made function and it really does what I want. I managed to input from the GET array all kinds of things like HTML tags, special characters and other symbols that can compromise my server or database.

function norm($var) {

    $dbc = new Connect();                          // poster's own class; assumed to provide a mysqli link
    $var = mysqli_real_escape_string($dbc, $var);  // adds backslashes before quotes etc.
    $var = stripcslashes($var);                    // removes those backslashes again, so the SQL escaping does not survive this line
    $var = htmlspecialchars($var);
    $var = trim($var);
    return $var; // cleaned var

}
# Cleaning the GET vars that we need:
# Then set the default page to display
# if we are not on any of our pages:
/////////////////////////////////////////////////////////////////
$_GET['page'] = (int) norm((isset($_GET['page']) ? $_GET['page'] : ''));
if ($_GET['page'] == '') {   // (int) of a missing page is 0; 0 == '' is true on PHP 5/7 but false on PHP 8
    $_GET['page'] = 1;
}
/////////////////////////////////////////////////////////////////
$_GET['cat'] = norm((isset($_GET['cat']) ? $_GET['cat'] : ''));
//////////////////////////////////////////////////////////////////
$_SESSION['email'] = norm((isset($_SESSION['email']) ? $_SESSION['email'] : ''));

These are the variables I need at the moment; if I need more I will include them here. This is a separate file that I require in my objects. Tell me if I need to check for more things.

The result: every input was cleaned to a simple, ordinary (string) or (int) that does what it is supposed to.

That looks really convoluted when compared to PDO and prepared statements. Not to mention using a global function with such a generic name… yuck. You would be better off using Symfony components to handle those lower-level tasks and focus on application logic while in the steady hands of a tried and true framework like Symfony.

Thanks for the advice! I will be keeping things simple. This is the basic idea.

What you’re doing may seem simple but it is not when compared to other alternative methods. One of which is using a very well documented and fully maintained framework for handling these lower tasks.

Totally agree. I don’t even want to compare them because I can’t. :smile: But like I said, educational purpose and simplicity are more important for me.

Fewer lines of code and abstraction aren’t mutually exclusive with simplicity, especially when it comes to the next person who will need to maintain your code.


Thanks for the “help”.

Exactly. I don’t know if this falls under that category, but that’s why I normally put a bunch of line breaks in between some of my code. For some reason, this is a way for me to separate and maintain my code. A lot of times, my eyes hurt when I try to look at lines of code with improper spacing and padding. For me, a blank new line tells me that the next code will most likely be different or doing a different task. This may also help others see what I am writing and be able to tell me exactly where the problem may be instead of searching through a messy snippet. It’s really weird actually; I don’t use any of the usual programming styles. The closest would be K&R, but I still don’t follow that style. I like having my parentheses right next to my functions.

If I look at this snippet of code in a vacuum of only what’s posted there’s absolutely nothing wrong with this query. The query is selecting the title and id for all visible pages and ordering by the position column ascending. Based on that, there are no variable inputs into this query and therefore there’s no need for sanitizing anything.

If you’re using PDO and passing variables into your query, you want to use prepared statements and query parameters as they’ll handle sanitizing the input for you.

You should escape certain data on the way out such as to prevent HTML tags from affecting the layout of your site or Javascript from being rendered and executed.

However, this is not recommended or necessary:

    $pid = filter_var($r['id'], FILTER_SANITIZE_NUMBER_INT, FILTER_FLAG_STRIP_HIGH); // Force this string to be a number because it should not be anything else.

That is unnecessary because you’re retrieving a primary key “id” value which should be an unsigned integer column type on your table. Databases won’t allow you to store anything other than integers in an integer column, so you can be sure that any value pulled from that column is an integer. Furthermore, “id” columns are usually auto-incrementing set by the database and never the application. Finally, PHP is very forgiving when it comes to integers as strings. Even if that did come out as a string, it would not impact anything when rendering the value on the screen.
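As an added example of the two points above (bound parameters on the way in, escaping on the way out), written for this thread rather than taken from any poster’s code; the pages table, its columns and the in-memory SQLite database are my assumptions.

```php
<?php
// Added example: the category lookup the thread's index.php hints at, done
// with a PDO prepared statement and htmlspecialchars() at output time.
// Table and column names are assumptions; SQLite keeps it runnable offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// On MySQL you would also set PDO::ATTR_EMULATE_PREPARES => false so the
// placeholders are handled server-side.
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT, visible INTEGER)');
$pdo->exec("INSERT INTO pages VALUES (1, 3, 'About <b>us</b>', 1), (2, 3, 'Hidden', 0)");

function pages_in_category(PDO $pdo, int $cat): array
{
    // $cat is bound as a typed parameter, never interpolated into the SQL.
    $stmt = $pdo->prepare(
        'SELECT id, title FROM pages WHERE cat = :cat AND visible = 1 ORDER BY id'
    );
    $stmt->bindValue(':cat', $cat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request ?cat=3; input validation has already produced an int.
$cat = 3;
foreach (pages_in_category($pdo, $cat) as $row) {
    // id comes from an INTEGER column, so no cast is needed; title is
    // untrusted text and is escaped for the HTML context where it is printed.
    printf("<li data-id=\"%d\">%s</li>\n",
        $row['id'],
        htmlspecialchars($row['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
```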

Only if the database call is the only thing you are doing with the data. If you have any processing at all before the database call then the data still needs to be sanitized first. Placing the sanitizing after the processing means that bad data can still crash the processing that sanitizing is supposed to protect.

The main point of this is to force any integer values to be explicitly an integer whether it is or not. Anything coming from the database should always be escaped and formatted to standards before outputting to the screen. It’s obvious that you should be using int as the datatype. However, it doesn’t stop a hacker from bypassing any MySQL data if PHP is the controller. Anything that PHP does will affect MySQL. So not forcing the value to be an integer is asking for hackers to bypass PHP and affect MySQL. MySQL can only do what PHP tells it to. It cannot stop an invasion unless the controller tells it to.

Your use of quotes around “help” implies sarcasm which is extremely rude considering @oddz not only took time to offer you advice, but gave the best advice of anyone on this thread so far.

Anyone learning PHP today is not only foolish but wasting their time if they’re not learning a framework. My personal preference right now is Laravel 5.1. The Laravel website has awesome documentation that’s very easy to understand, the community is fantastic, and http://laracasts.com is great.

That being said, it doesn’t matter what framework you use, but you should be using a framework.

I’ve done it the way you’re trying to do this, and if you’re starting a new project and coding $_GET['anything'], manually sanitizing your data for SQL injection protection, writing out the full SQL for queries, or anything where your code is mixed in with your HTML, you’re wasting your time.

While frameworks can seem intimidating at first, if you take some time to work your way through it, it’ll pay dividends down the line. They provide a lot more scalability if your application grows, and most of the things you will want/need to do are right there already out of the box. This allows you to focus your time on your application-specific logic, rather than reinventing the wheel.

The reality of technology today is nothing is truly secure. If hackers want it bad enough, they’ll find a way in. However, most frameworks have a lot of security built in and are constantly improving. Especially as a beginner, any framework you choose will be far more secure than anything you code yourself.