开发者

How can I secure my $_GETs in PHP?

My profile.php displays all the user's postings,comments,pictures. If the user wants to delete, it sends the posting's id to the remove.php so it's like remove.php?action=removeposting&posting_id=2. If they want to remove a picture, it's remove.php?action=removepicture&picture_id=1.

Using the get data, I do a query to the database to display the info they want to delete and if they want to delete it, they click "yes". So the data is deleted via $POST NOT $GET to prevent cross-site request forgery.

My question is how do I make sure the GETs are not some javascript code, sql injection that will mess me up.

here is my remove.php

    //how do I make $action safe? 
    //should I use mysqli_real_escape_string?
    //use strip_tags()?
    $action=trim($_GET['action']);

    if (($action != 'removeposting') && ($action != 'removefriend') 
    && ($action != 'removecomment'))
    {
            header("Location: index.ph开发者_运维问答p");
            exit();
    }

if ($action == 'removeposting')
{
   //get the info and display it in a form. if user clicks "yes", deletes
}

if ($action =='removepicture')
{
   //remove pic
}

I know I can't be 100% safe, but what are some common defenses I can use.

EDIT

Do this to prevent xss
$oldaction=trim($_GET['action']);
$action=strip_tags($oldaction);

Then when I am 'recalling' the data back via POST, I would use 
$posting_id = mysqli_real_escape_string($dbc, trim($_POST['posting_id']));

        if ($action == 'removeposting')
{
    //get the posting id from the user  
    $getposting_id = htmlspecialchars(trim($_GET['posting_id']));

    //basic checks for the posting id
    if (empty($getposting_id)){
        //header ("Location: index.php");
        echo '<p>Sorry, no posting was specified for removal.</p>';
        exit();
    }

    if (!is_numeric($getposting_id))
    {   
        echo "Not an integer";
        exit();
    }
        //Also have check to see if the posting_id is the user's. If so, can delete


Because you aren't storing $action and only using it in your conditional, it's not necessary to do all the trimming/stripping/escaping. The simple string comparisons is enough in terms of "safety," though I recommend using === instead of ==.

Alternatively, if you were storing a $_GET or $_POST value into an integer column of a MySQL database, for example, you could simply pass the value into intval() before storing it in the database. If you need to store plain text, just pass it through mysql_real_escape_string() before storing it. You can also use preg_match() or preg_replace() to make sure you are only storing valid values (different patterns for different uses, e.g. /^\d{5}(?:-?\d{4})?$/ for zip codes).


To prevent against any SQL injection you should use mysqli_real_escape_string OR you can use Prepared Statements that accomplish the same thing.

To prevent any javascript, you could use strip_tags in concert with htmlspecialchars.


I know I can't be 100% safe

ahahahaha :)

if your question regarding only action, and it is used only to determine the code to run, it IS safe by any means.

But some info for you:
POST doesn't prevent cross-site request forgery. unique token does.
You didn't post actual action code, so just to be sure - I hope you check user's id whan perform these actions


Use the mysqli_real_escape_string as noted elsewhere. Also, of course this does nothing to prevent XSRF. You'll need tokens containing some entropy for that.

See also: http://www.owasp.org/index.php/Main_Page


$_GET is completely safe until you try to glue (concatenate) it to the other things in your program like:

  • SQL to be executed (in which case you should use mysqli_real_escape_string() or another escaping technique that is advised with the database that you are using)
  • HTML to be outputted (in which case you should pass it through htmlspecialchars() before concatenation or printing/echoing)
  • URL to be navigated to by the user (in which case you most likely should pass it through urlencode())
  • JavaScript to be executed by the browser (in which case you should pass it through json_encode())

If you want to have an url in javascript embedded in html that you want to be inserted in database then you should pass value that you receive from $_GET (also $_POST, $_COOKIE and other similar outside sources) through all those functions in order appropriate to this scenario, namely

mysql_real_escape_string(htmlspecialchars(json_encode(urlencode($_GET['val']))));

If the only thing you do is compare your $_GET['action'] to some strings then you are perfectly safe without doing any escaping at all.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜