PHP Server Side Scripting Forum
PHP Variable Verification
Making My Site More Secure
wfernley
msg:1314617
6:05 pm on Jun 24, 2004 (gmt 0)

Hi everyone.

It has been a while since I have been on these forums, it feels good to be back :)

Currently I am working for a company and I have their site up and running. I do have a major security issue though that I need to resolve immediately.

The problem I am having is I have no verification of variables sent from page to page. For example if someone clicks on a link which leads to a product category the address bar reads details.php?catid=5. Now if they were to go and change the address bar to details.php?catid=5;drop database DBNAME; then that would pose a big security risk for me.

I don't know much on this subject so I need some help on how I could make sure this security risk can be resolved. Another thing which I might as well ask is... I hear having less php code in the address bar and more of a description of what you are offering is good for search engines. Basically instead of having products.php?product_id=5 having products/networking/linksysrouter/ is best for SEO.

I plan on changing my site to scrap the PHP code, but what I'm wondering is if it would be best to just do it now, while I am doing the changes for the variable verification.

Thanks everyone for your help on this matter :)

Wes

m_shroom
msg:1314618
3:45 am on Jun 25, 2004 (gmt 0)

You should work with Globals=off in your php config file.
Then no user (hacker) variables are passed directly to your script.

You must ask for each one you want with ($action=$HTTP_GET_VARS["action"];)

Netizen
msg:1314619
1:43 pm on Jun 25, 2004 (gmt 0)

Turning globals off wouldn't help in this instance. You need to check that the value of the parameter passed is indeed what you expect. In this case you are expecting a number so you can do

// $_GET values always arrive as strings, so is_int() would never be true;
// ctype_digit() checks that the string consists of digits only
if (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    $id = (int) $_GET['id'];
} else {
    $id = 1;
}

which would default all random stuff to id 1. If you want to be slightly fuzzier you could do something like

// strip every character that is not a digit (preg_replace needs the
// replacement string as its second argument), then fall back to 1
$id = preg_replace("/[^0-9]/", "", isset($_GET['id']) ? $_GET['id'] : "");

if (empty($id)) {
    $id = 1;
}

which has the same effect but will also convert "5; drop table blah" into 5.

Hope that helps.
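The two checks above, folded into one helper as an added example (not code from the thread): strict mode accepts only a plain positive integer, fuzzy mode keeps just the digits the way the preg_replace version does, and the validated value is then bound to the query as a parameter so it never becomes part of the SQL string. The catid parameter, the products table and the attack string come from the thread; the in-memory SQLite database, the sample rows and the fallback id of 1 are assumptions.

```php
<?php
// Added example: validate a numeric id from the query string before using it in SQL.
// $strict = true rejects anything that is not a plain positive integer;
// $strict = false strips non-digits first, like the preg_replace() variant above.
function validate_id($raw, $strict = true, $default = 1)
{
    if ($raw === null) {
        return $default;                 // parameter missing entirely
    }
    $raw = (string) $raw;                // $_GET values are always strings
    if (!$strict) {
        $raw = preg_replace('/[^0-9]/', '', $raw);   // keep only the digits
    }
    // FILTER_VALIDATE_INT rejects "5;drop ...", "abc", "" and, with min_range, 0 and negatives
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false) ? $default : $id;
}

// Constructed inputs: the thread's attack string plus a few other shapes.
// Note how "-3" is rejected in strict mode but reduced to 3 in fuzzy mode.
$samples = ['5', '5;drop database DBNAME;', 'abc', '-3', null];
foreach ($samples as $s) {
    printf("%-28s strict=%d fuzzy=%d\n", var_export($s, true),
           validate_id($s, true), validate_id($s, false));
}

// Even a validated id is bound as a parameter, never pasted into the SQL text.
// $request stands in for $_GET; the SQLite DSN and rows are constructed for the demo.
$request = ['catid' => '5;drop database DBNAME;'];
$catid   = validate_id($request['catid'], false);

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE products (id INTEGER, catid INTEGER, name TEXT)');
$pdo->exec("INSERT INTO products VALUES (1, 5, 'linksysrouter')");
$stmt = $pdo->prepare('SELECT name FROM products WHERE catid = :catid');
$stmt->execute([':catid' => $catid]);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```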

wfernley
msg:1314620
2:29 pm on Jun 25, 2004 (gmt 0)

OK Great thanks for your posts :)

I do have register globals off and I don't plan on turning it on.

What about converting the address bar php code to something more presentable. Which would also be better for SEO.

Thanks

jatar_k
msg:1314621
4:11 pm on Jun 25, 2004 (gmt 0)

that would require this
An Introduction to Redirecting URLs on an Apache Server [webmasterworld.com]

that can get you started with mod_rewrite

© Webmaster World 1996-2014 all rights reserved