
$_GET php security

Does coding this way pose any security risks?

$test = $_GET['test'];
if($test) { 
$sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'");
$row ...
}


No, the code above does not have any security hole, since you are not using the GET variable in any MySQL query.

Look here for other security concerns


$test = $_GET['test'];
if($test) {
    $sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'");
    $row ...
}

If your $_GET value is a number, such as an id, you can use:

if(!is_numeric($test)) { echo "not numeric" ; } else { your code }

If your $_GET value is a string, you can use:

function security ($test) {
    // strip characters and words the author considers dangerous
    $test = str_replace ('"'  , "" , $test );
    $test = str_replace ("<"  , "" , $test );
    $test = str_replace (">"  , "" , $test );
    $test = str_replace ("//" , "" , $test );
    $test = str_replace ("\\" , "" , $test );
    $test = str_replace ("''" , "" , $test );
    $test = str_replace ("%"  , "" , $test );
    $test = str_replace ("^"  , "" , $test );
    $test = str_replace ("or" , "" , $test );
    $test = str_replace ("&"  , "" , $test );
    $test = str_replace ("and", "" , $test );

    return $test ;
}

$test = security($test);
$sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'");
$numrow = mysql_num_rows($sql);

if($numrow==0) { echo "error post" ; }
else { your code }


No, you're only using $_GET to evaluate if the variable is true or false.

If you were to use it, unescaped, in your query, or even just echo it for the user, it would.


Not necessarily. But you provide too little to be sure. In general there are problems when you insert data from $_GET or $_POST into your SQL (SQL injection). This causes errors when people start putting SQL code into $_GET or $_POST; this is not the case right now.

For further reading, there are a few lengthy volumes to get you up to speed on XSS and security:

  • http://phpsec.org/projects/guide/
  • http://php.robm.me.uk/
  • https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29


As long as you don't really mind if $test is true or false (and therefore whether the code runs or not), then no, there's no security risk in just testing the value.


Only if the $_GET variable you're testing for gives the user some sort of secret information from the database. But as the others have said, this way you're not open to SQL injection.

But without more information it's a bit hard to comment on the security of the script, since security encompasses a large field and we are only able to comment on the code you gave us.


$_GET[ "" ] is already escaped depending on your version if you need to use it in a MySQL query; read [5.3 deprecated] http://www.php.net/manual/en/function.set-magic-quotes-runtime.php to find out more about how quotes are escaped.

Also, depending on your error_reporting function, you might want to do a:

if(
   isset($_GET['test']) &&
   $_GET['test']!=''
){
   $test=$_GET['test'];

   #...
}
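The answers above raise three separate points: the numeric/string checks and the blacklist-style security() function in the second answer, the SQL injection and "even just echo it" warnings in the third and fourth answers, and the isset() check in the last one. The following is an added example (not code from the question or any of the answers) that handles all three the way a defender would today: validate the parameter, bind it as a query parameter so it never becomes part of the SQL text, and escape it on output. It assumes a PDO connection to a MySQL database containing the table tbl from the question with an integer column id and a string column col2; the DSN, credentials and the id column are assumptions.

```php
<?php
// Added example, not from the original question or answers.
// Assumptions: PDO/MySQL, table `tbl` with integer `id` and string `col2`.
declare(strict_types=1);

// Validate a numeric id: anything that is not a positive integer is rejected
// outright, which replaces the is_numeric() check (is_numeric accepts "1e3").
function validateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// Look a row up by id. The value is bound, so it never touches the SQL text.
function lookupById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM tbl WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Look rows up by a free-text value. No blacklist: quotes, "or", "and", "%"
// and backslashes are plain data to a bound parameter. Only a length cap.
function lookupByText(PDO $pdo, string $raw): array
{
    $value = mb_substr($raw, 0, 64);
    $stmt = $pdo->prepare('SELECT * FROM tbl WHERE col2 = :col2');
    $stmt->bindValue(':col2', $value, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
    'app_user',                                          // assumed user
    'app_password',                                      // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Equivalent of the isset()/!='' check, without notices when the key is absent.
$rawTest = $_GET['test'] ?? '';
if ($rawTest === '') {
    http_response_code(400);
    exit('missing parameter');
}

// Numeric path when the value is an id, text path otherwise.
$id = validateId($rawTest);
$rows = $id !== null
    ? (($r = lookupById($pdo, $id)) === null ? [] : [$r])
    : lookupByText($pdo, $rawTest);

if (count($rows) === 0) {
    echo 'error post';
} else {
    foreach ($rows as $row) {
        // Escape on output: a value containing <script> is rendered as text.
        echo htmlspecialchars((string) $row['col2'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The point of the bound parameters is that escaping becomes the driver's job rather than the application's, so the magic_quotes behaviour mentioned in the last answer no longer matters; with PDO::ATTR_EMULATE_PREPARES set to false the statement text and the values travel to MySQL separately. Escaping with htmlspecialchars() happens only at output time, so the stored data is not altered the way the str_replace() filter alters it.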