
PHP Variable Verification

Making My Site More Secure


wfernley

6:05 pm on Jun 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi everyone.

It has been a while since I have been on these forums, it feels good to be back :)

Currently I am working for a company and I have their site up and running. I do have a major security issue though that I need to resolve immediately.

The problem I am having is I have no verification of variables sent from page to page. For example, if someone clicks on a link which leads to a product category, the address bar reads details.php?catid=5. Now if they were to go and change the address bar to details.php?catid=5;drop database DBNAME; then that would pose a big security risk for me.

I don't know much on this subject so I need some help on how I could make sure this security risk can be resolved. Another thing which I might as well ask is... I hear having less PHP code in the address bar and more of a description of what you are offering is good for search engines. Basically, instead of having products.php?product_id=5, having products/networking/linksysrouter/ is best for SEO.

I plan on changing my site to scrap the PHP code, but what I'm wondering is if it would be best to just do it now, while I am doing the changes for the variable verification.

Thanks everyone for your help on this matter :)

Wes

m_shroom

3:45 am on Jun 25, 2004 (gmt 0)

10+ Year Member



You should work with Globals=off in your php config file.
Then no user (hacker) variables are passed directly to your script.

You must ask for each one you want with ($action=$HTTP_GET_VARS["action"];)

Netizen

1:43 pm on Jun 25, 2004 (gmt 0)

10+ Year Member



Turning globals off wouldn't help in this instance. You need to check that the value of the parameter passed is indeed what you expect. In this case you are expecting a number so you can do

// $_GET values are always strings, so is_int() would never be true;
// check for an all-digit string instead and cast it to an integer
if (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    $id = (int) $_GET['id'];
} else {
    $id = 1;
}

which would default all random stuff to id 1. If you want to be slightly fuzzier you could do something like

// strip every non-digit character (the replacement argument, "", is required)
$id = preg_replace("/[^0-9]/", "", $_GET['id']);

if (empty($id)) {
$id=1;
}

which has the same effect but will also convert "5; drop table blah" into 5.

Hope that helps.
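The validation Netizen describes, carried a step further, as an added example that is not code from the thread: the category id is accepted only as a positive integer, and it is then handed to the database as a bound parameter rather than spliced into the SQL string. The table and column names (products, id, name, catid) and the DSN are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Validates details.php?catid=...
// as a positive integer and queries with a prepared statement.

/**
 * Return $value as a positive integer, or $default if it is anything else.
 * ctype_digit() works on the raw string, so "5;drop database x", "5.0", "-3"
 * and an array (catid[]=5) are all rejected rather than silently truncated.
 */
function validated_id($value, int $default = 1): int
{
    if (!is_string($value) || $value === '' || !ctype_digit($value)) {
        return $default;
    }
    // A very long digit string would overflow int; FILTER_VALIDATE_INT catches
    // that, and min_range => 1 rejects "0".
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? $default : $id;
}

/**
 * Fetch the products in a category using a bound parameter. Even though
 * $catid is already a clean integer, binding it keeps the query safe if the
 * validation above is ever loosened later.
 */
function products_in_category(PDO $db, int $catid): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE catid = :catid');
    $stmt->bindValue(':catid', $catid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in details.php (DSN and credentials are placeholders):
// $db    = new PDO('mysql:host=localhost;dbname=DBNAME', 'user', 'password',
//              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $catid = validated_id($_GET['catid'] ?? null);
// $rows  = products_in_category($db, $catid);
```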

wfernley

2:29 pm on Jun 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK Great thanks for your posts :)

I do have register globals off and I don't plan on turning it on.

What about converting the address bar PHP code to something more presentable, which would also be better for SEO?

Thanks

jatar_k

4:11 pm on Jun 25, 2004 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



that would require this
An Introduction to Redirecting URLs on an Apache Server [webmasterworld.com]

that can get you started with mod_rewrite
