Webmaster Forum

#1
08-05-2006, 02:06 AM
Wing Chun
Contributing Member
Join Date: 04-23-06
Location: Birmingham UK
Posts: 163
security with $_GET

i've just made my first dynamic site with this code:

Code:
// Read ?blaaa=... from the query string, falling back to "bleee" when it is absent.
$blaaa = array_key_exists('blaaa', $_GET) ? $_GET['blaaa'] : "bleee";
// Output the value as-is (double quotes or no quotes are needed for the variable to be printed;
// '$blaaa' in single quotes would print the literal text $blaaa).
echo $blaaa;

...you can type ?blaaa=xyz at the end of a url to change the echoed word in the site to xyz...etc

i'm very worried about security - how should i be receiving the code? should i use: $htmlentities() or $stripslashes() or $strip_tags() or $real_strip_slashes or something else? and in what order?

other forums haven't been much help - any examples would be particularly appreciated.
 


#2
08-05-2006, 05:40 AM
ali_420
Senior Member
Join Date: 06-16-06
Posts: 204
Howdy Wing.
If all you're doing is echoing the string provided then you don't need to worry about security. Just echo whatever they provide without doing any validation. Can't hurt.

But sooner or later you're going to learn about how to make it secure. So:
Before inserting any data in the database, validate it using:
mysql_real_escape_string.
And when retrieving something from the database, use:
stripslashes
Some other useful functions:
trim
htmlentities
strip_tags
urlencode
Also I found this nice article for you:

http://www.ilovejackdaniels.com/php/writing-secure-php/

P.S You don't put a $ in front of the function names in php. Correct: strip_tags()
wrong: $strip_tags().
 
#3
08-05-2006, 01:16 PM
Thanol
Contributing Member
Join Date: 10-13-03
Posts: 829
I use these for some public things. I think they should work with GET as well.
Code:
// Remove HTML/PHP tags from every submitted field.
$_POST = array_map('strip_tags', $_POST);
// Encode the remaining <, >, & and " so they display as text in HTML.
$_POST = array_map('htmlspecialchars', $_POST);
// Backslash-escape quotes unless magic_quotes_gpc already did (PHP 5-era setting, removed in PHP 8).
if (!get_magic_quotes_gpc()) {
    $_POST = array_map('addslashes', $_POST);
}
 
#4
08-07-2006, 04:41 AM
Wing Chun
Contributing Member
Join Date: 04-23-06
Location: Birmingham UK
Posts: 163
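Both ali_420's list of functions (post #2) and Thanol's array_map chain (post #3) transform the input as it arrives. The following is an added example and not code from either poster: it reads the parameter the way the opening post does, keeps the value unchanged, and encodes it only at the moment it is written into HTML, so nothing is stripped or double-escaped along the way. The function names get_param, html, render_raw and render_safe and the sample values are my own assumptions.

```php
<?php
// Added example (not from the thread): escape untrusted input at the point
// of output, not on the way in. Assumes the value arrives in $_GET['blaaa']
// as in the opening post; the sample inputs below are constructed.

declare(strict_types=1);

// Read a GET parameter with a default, like the opening post does.
// Also reject non-strings: ?blaaa[]=x makes PHP deliver an array here.
function get_param(array $get, string $name, string $default): string
{
    if (!array_key_exists($name, $get) || !is_string($get[$name])) {
        return $default;
    }
    return trim($get[$name]);
}

// Encode a string for use as HTML text or inside a quoted attribute.
// ENT_QUOTES covers both ' and ", so either quoting style is safe;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The original approach: the raw value goes straight into the page, so any
// markup it contains is interpreted by the browser.
function render_raw(array $get): string
{
    return '<p>' . get_param($get, 'blaaa', 'bleee') . '</p>';
}

// The hardened approach: the value is stored and processed unchanged
// (no strip_tags/addslashes on input) and only encoded when it becomes HTML.
function render_safe(array $get): string
{
    return '<p>' . html(get_param($get, 'blaaa', 'bleee')) . '</p>';
}

// Constructed requests: no parameter, a plain word, and a value carrying markup.
$samples = [
    [],
    ['blaaa' => 'xyz'],
    ['blaaa' => '<b>hello</b> & "quotes"'],
];

foreach ($samples as $get) {
    echo "raw:  " . render_raw($get) . "\n";
    echo "safe: " . render_safe($get) . "\n";
}
```

In the third sample the raw version emits a working `<b>` element, while the safe version emits `&lt;b&gt;` and the browser shows the angle brackets as text. The same value can still be stored in a database or logged exactly as the user typed it; the HTML encoding is a property of the output, not of the data.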
what is the first and most important function to apply to incoming $_GET data?

cheers guys, some very useful code there...

i'm worried though - because although i'm only "echoing" the variables that are received via $_GET, and not processing, if malicious code was sent telling my script to process then wouldn't i be in trouble? with this theory i can't see how anything is ever safe.

anyway, we gotta get on with things, so i'll try the things below - but i need to know what is the first and most secure one to use - as if i use anything else then my code might risk being compromised in that instant.

what is the first and most important function to apply to incoming $_GET data?
 
#5
08-07-2006, 05:45 AM
ali_420
Senior Member
Join Date: 06-16-06
Posts: 204
Quote:
Originally Posted by Wing Chun
i'm worried though - because although i'm only "echoing" the variables that are received via $_GET, and not processing, if malicious code was sent telling my script to process then wouldn't i be in trouble? with this theory i can't see how anything is ever safe.
That's not possible. Even if I supply something like, ?bla=echo $password, it wouldn't actually make it echo out the value of the variable $password. The output would be just something like:

Quote:
echo $password
Try it for yourself!

Quote:
Originally Posted by Wing Chun
what is the first and most important function to apply to incoming $_GET data?
That depends on what you're doing. The first function IMO is trim(), not because of security but because it can remove any space around the variable which might cause bugs later in the code.

After that, if you're using the $_GET data for anything related to the database, you use mysql_real_escape_string on it. If the $_GET data is supposed to be a number, you do something like this:

PHP Code:
// Strip surrounding whitespace first.
$id = trim($_GET['id']);
// Refuse anything that is not numeric (checks the trimmed value that is used below).
if (!is_numeric($id))
    die('Try again.');
$sql = "SELECT * FROM myTable WHERE someId='$id'";
Also, read the article whose link I gave you. It'll answer many of your questions.
 
#6
08-07-2006, 06:37 AM
Wing Chun
Contributing Member
Join Date: 04-23-06
Location: Birmingham UK
Posts: 163
Quote:
Originally Posted by ali_420
PHP Code:
// Strip surrounding whitespace first.
$id = trim($_GET['id']);
// Refuse anything that is not numeric (checks the trimmed value that is used below).
if (!is_numeric($id))
    die('Try again.');
$sql = "SELECT * FROM myTable WHERE someId='$id'";
what if the $_GET['id'] was submitted as x'])); echo 'takeover!'; ? wouldn't that cause a prob when processing the trim function?
 
#7
08-07-2006, 06:39 AM
ali_420
Senior Member
Join Date: 06-16-06
Posts: 204
No it wouldn't. PHP will treat it as a string and not a language command. Try it for yourself, give it that value and see what happens.
 
#8
08-07-2006, 06:42 AM
ali_420
Senior Member
Join Date: 06-16-06
Posts: 204
If someone passes the value 'x'])); echo 'takeover!';' to the code I posted above, after I do mysql_real_escape_string on it, it would become x\'])); echo \'takeover!\';. The \ character tells it to escape the apostrophe, not treat it like the end of the query, etc.

And if someone passes this value to the original code you gave, which simply echoes out the value of $bla, then it would just echo out x'])); echo 'takeover!';
 
#9
08-07-2006, 06:43 AM
Wing Chun
Contributing Member
Join Date: 04-23-06
Location: Birmingham UK
Posts: 163
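The following is an added example, not ali_420's code, covering the numeric check in post #5 and the escaping discussion in post #8 together. The id is validated as a plain integer with filter_var, and both it and the awkward string from post #6 reach the database as bound parameters through PDO rather than being pasted into the SQL text, so the driver handles quoting and nothing in the value is ever parsed as SQL or as PHP. It assumes the pdo_sqlite extension so it runs offline; the table name myTable comes from the thread, while its columns, rows and the request values are constructed.

```php
<?php
// Added example (not ali_420's code): the "id must be a number" check with
// integer validation and parameterised queries. Assumes pdo_sqlite; the
// table contents and request values are constructed for the demonstration.

declare(strict_types=1);

// Return the GET parameter as an int, or null if it is absent or not a plain
// positive integer. FILTER_VALIDATE_INT rejects "1e3", "0x1A", "12abc" and "",
// some of which is_numeric() accepts.
function get_int_param(array $get, string $name): ?int
{
    if (!isset($get[$name]) || !is_string($get[$name])) {
        return null;
    }
    $v = filter_var(trim($get[$name]), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Look a row up by id. The SQL text contains no user data at all; the id
// travels as a parameter, so escaping is the driver's job, not ours.
function find_by_id(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM myTable WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same idea for a free-text parameter: the string from post #6 is just data.
function find_by_name(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM myTable WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the thread's myTable.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE myTable (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO myTable (id, name) VALUES (:id, :name)');
foreach ([[1, 'alpha'], [2, "x'])); echo 'takeover!';"]] as [$id, $name]) {
    $ins->execute([':id' => $id, ':name' => $name]);
}

// Constructed requests: a valid id, a padded id, and three that must be refused.
foreach (['2', ' 7 ', '1e3', "x'])); echo 'takeover!';", ''] as $raw) {
    $id = get_int_param(['id' => $raw], 'id');
    if ($id === null) {
        echo 'id=' . var_export($raw, true) . " -> rejected (Try again.)\n";
        continue;
    }
    $row = find_by_id($pdo, $id);
    echo "id=$id -> " . ($row ? $row['name'] : 'no such row') . "\n";
}

// The awkward string is matched exactly, as a value; nothing in it executes.
$row = find_by_name($pdo, "x'])); echo 'takeover!';");
echo 'by name -> ' . ($row ? "row {$row['id']}" : 'no such row') . "\n";
```

Two points differ from the thread's version: the check runs on the trimmed value that is actually used, and a value that fails validation never reaches the query at all, so there is no string to escape in the first place. mysql_real_escape_string() as discussed in post #8 addresses the same risk for the old mysql extension; bound parameters are the form of it that does not depend on remembering to call the function every time.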
i would love to think it's that simple.

are you saying that all these experienced php security professionals who worry about malicious injection have nothing really to worry about? is php naturally that simple and secure?
 
#10
08-07-2006, 06:46 AM
Thanol
Contributing Member
Join Date: 10-13-03
Posts: 829
Quote:
Originally Posted by Wing Chun
i would love to think it's that simple.

are you saying that all these experienced php security professionals who worry about malicious injection have nothing really to worry about? is php naturally that simple and secure?
It's fairly secure if you just do a couple things here and there, should be able to block out most script kiddies, especially on newer versions of PHP.
 
#11
08-07-2006, 06:48 AM
Wing Chun
Contributing Member
Join Date: 04-23-06
Location: Birmingham UK
Posts: 163
what "couple of things here and there" and in what order would you suggest, scott?
 
#12
08-07-2006, 06:49 AM
ali_420
Senior Member
Join Date: 06-16-06
Posts: 204
Well, there are a thousand ways to break anything, but if you:
- Use mysql_escape_string() on everything that goes in the database
- Turn register_globals off.
- Not use code like:
PHP Code:
// This assumes $_GET['show'] contains something like file.html
$file = $_GET['show'];
include($file);
- Validate all data, so what is supposed to be a number must be a number, etc.

And use these little tidbits of common sense, then you are protected against 99% of security issues. There are loads of other things which you learn about as you go on, but for starters what I mentioned is enough. Do a search on google about php security and you'll find tons of great material on this subject.

The summary is that yes, it really is pretty simple to keep your app safe.
 
#13
08-07-2006, 06:53 AM
ali_420
Senior Member
Join Date: 06-16-06
Posts: 204
A couple of other things I can think of which can result in security issues are..
- Keep an index.html/index.php file in each directory. If not, it's possible that someone goes to:
http://www.yoursite.com/directory/
and sees a list of all the files in that directory. Which might cause security problems.

- Make sure the directories which contain sensitive info like phpmyadmin, etc, are password protected.

- Don't accidentally chmod any files/directories to 777.
- Validate all data. But at the same time, don't over-do it. I hate scripts which don't let me choose a password unless it starts with a number and is of exactly 6 characters length, etc.

In short, just learn the primary concepts and don't worry too much. Focus 90% of your efforts on making a great product and just about 10% on making it secure (which is just about as much as you need to do things like mysql_real_escape_string(), data validation, etc).
 
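The following is an added example, not ali_420's code, for the include($_GET['show']) item in post #12: the risky form as quoted in the thread, beside a version in which the request only selects a key from a fixed map of page files, so the file name never comes from the URL. The PAGES map, the function names include_raw and include_allowlisted, and the temporary content directory are assumptions made for the demonstration.

```php
<?php
// Added example (not ali_420's code): the include-from-query-string pattern
// from post #12 next to an allowlisted version. The page map and the
// temporary directory are constructed for this demonstration.

declare(strict_types=1);

// Risky form, as quoted in the thread: whatever arrives in ?show= decides
// which file is included. Shown for comparison only; it is never called here.
function include_raw(string $show): void
{
    $file = $show;
    include $file;
}

// Hardened form: the request supplies a key, and only this map knows about
// files. Anything that is not a key falls back to the default page.
const PAGES = [
    'home'  => 'home.html',
    'about' => 'about.html',
];

function include_allowlisted(string $baseDir, ?string $show): string
{
    $key  = ($show !== null && isset(PAGES[$show])) ? $show : 'home';
    $path = $baseDir . DIRECTORY_SEPARATOR . PAGES[$key];

    // Belt and braces: confirm the resolved path really sits under $baseDir,
    // so a mistake in the map itself cannot point outside the content directory.
    $real = realpath($path);
    $root = realpath($baseDir);
    if ($real === false || $root === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('page file missing or outside the content directory');
    }
    return (string) file_get_contents($real);
}

// Constructed content directory holding the two allowed pages.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.html', "<h1>Home</h1>\n");
file_put_contents($dir . '/about.html', "<h1>About</h1>\n");

// Constructed requests: two valid keys, a missing parameter, and two values
// that are not keys (one of them a relative path), all of which get the default.
foreach (['home', 'about', null, 'not-a-page', '../outside.html'] as $show) {
    echo 'show=' . var_export($show, true) . ' -> ' . include_allowlisted($dir, $show);
}

// Clean up the constructed directory.
unlink($dir . '/home.html');
unlink($dir . '/about.html');
rmdir($dir);
```

The design choice is that user input is used as a lookup key and never as a path: a missing or unknown key is simply treated as "home", so there is no error path that leaks which files exist. The realpath check is a second line of defence against a misconfigured map rather than against the request, which has already been reduced to one of two known keys by the time a path is built.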