
Forum Moderators: coopster & jatar k


PHP Variable Verification

Making My Site More Secure

6:05 pm on Jun 24, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 25, 2003
posts:664
votes: 0


Hi everyone.

It has been a while since I have been on these forums, it feels good to be back :)

Currently I am working for a company and I have their site up and running. I do have a major security issue though that I need to resolve immediately.

The problem I am having is I have no verification of variables sent from page to page. For example if someone clicks on a link which leads to a product category the address bar reads details.php?catid=5. Now if they were to go and change the address bar to details.php?catid=5;drop database DBNAME; then that would pose a big security risk for me.

I don't know much on this subject so I need some help on how I could make sure this security risk can be resolved. Another thing which I might as well ask is...... I hear having less php code in the address bar and more of a description of what you are offering is good for search engines. Basically instead of having products.php?product_id=5 having products/networking/linksysrouter/ is best for SEO.

I plan on changing my site to scrap the PHP code, but what I'm wondering is if it would be best to just do it now, while I am doing the changes for the variable verification.

Thanks everyone for your help on this matter :)

Wes

3:45 am on June 25, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:June 3, 2004
posts:55
votes: 0


You should work with Globals=off in your php config file.
Then no user (hacker) variables are passed directly to your script.

You must ask for each one you want with ($action=$HTTP_GET_VARS["action"];)

1:43 pm on June 25, 2004 (gmt 0)

Full Member

10+ Year Member

joined:May 29, 2003
posts:273
votes: 0


Turning globals off wouldn't help in this instance. You need to check that the value of the parameter passed is indeed what you expect. In this case you are expecting a number so you can do

// $_GET values are always strings, so is_int() would never match;
// ctype_digit() checks that the string contains only the digits 0-9.
if (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    $id = (int) $_GET['id'];
} else {
    $id = 1;
}

which would default all random stuff to id 1. If you want to be slightly fuzzier you could do something like

// Strip every character that is not a digit (the replacement string is "").
$id = preg_replace("/[^0-9]/", "", isset($_GET['id']) ? $_GET['id'] : '');

if (empty($id)) {
    $id = 1;
}

which has the same effect but will also convert "5; drop table blah" into 5.

Hope that helps.
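As an added example (not code from anyone in this thread), here is how the two ideas above combine in current PHP: validate catid as a strict positive integer with filter_var() (which, unlike is_int(), works on the strings $_GET actually delivers and rejects "5;drop database DBNAME;" and "5 or 1=1" outright rather than massaging them), and then pass even the validated value to the database as a bound parameter, so the value can never alter the SQL text. The table and column names, and the in-memory SQLite database used to keep it self-contained, are assumptions; the sample inputs are constructed.

```php
<?php
// Added example, not from the thread: validate the catid parameter and
// never interpolate it into SQL, even after validation.

declare(strict_types=1);

/**
 * Return $raw as a positive integer, or null if it is not one.
 * FILTER_VALIDATE_INT rejects "5;drop database", "5 or 1=1", "", "1e3",
 * "0x5" and similar; min_range rejects 0 and negatives.
 */
function validate_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;            // arrays from catid[]=... are rejected too
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch a category row by id with a prepared statement (PDO).
 * The id is bound as a parameter, so it can never change the SQL text.
 * Table and column names here are hypothetical.
 */
function fetch_category(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs, as they would arrive in $_GET['catid'].
$samples = [
    '5',
    '5;drop database DBNAME;',
    '5 or 1=1',
    '-3',
    '',
    ['1'],
];

// In-memory SQLite keeps the example self-contained (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'default'), (5, 'networking')");

foreach ($samples as $raw) {
    $id = validate_id($raw);
    if ($id === null) {
        // Reject (e.g. respond 404) instead of silently mapping garbage to id 1:
        // a default value hides probing attempts and makes them harder to spot in logs.
        echo json_encode($raw), " => rejected\n";
        continue;
    }
    $row = fetch_category($db, $id);
    echo json_encode($raw), ' => ', $row ? $row['name'] : 'not found', "\n";
}
```

Of the six samples only "5" reaches the query; everything else is rejected before any SQL runs. Rejecting rather than defaulting to id 1 is deliberate: a request that fails validation is worth a 404 and a log line, and the prepared statement is the second layer in case a validation rule is loosened later.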

2:29 pm on June 25, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 25, 2003
posts:664
votes: 0


OK Great thanks for your posts :)

I do have register globals off and I don't plan on turning it on.

What about converting the address bar PHP code to something more presentable, which would also be better for SEO?

Thanks

4:11 pm on June 25, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 24, 2001
posts:15756
votes: 0


that would require this
An Introduction to Redirecting URLs on an Apache Server [webmasterworld.com]

that can get you started with mod_rewrite
