Welcome to WebmasterWorld Guest from 220.127.116.11
We use Apache/Linux/php.
Any help is greatly appreciated! I would like to have some hair left by this time next week.
opens a search page, where you show scuba gear. In the <head> of your page, you might have something like this:
and further down, a nice heading:
<title>Search results for <?php print($_GET['q']) ?></title>
<h1>Search results for <?php print($_GET['q']) ?></h1>
Now what if I were to request this URL?
the query, urldecoded, is this:
In addition to XSS, you may also need to be concerned about SQL injection. The two are different. XSS plants executable JS code on the client, whereas SQL injection tries to manipulate SQL operations on the server using ununsual user input. XSS and SQL injection are often mentioned together, since they're both easy to perpetrate by script kiddies [en.wikipedia.org], and often overlooked by beginner programmers.
For instance, take this URL:
as you'd expect, will get info about user #50.
A careless coder would do this:
$query = "SELECT * FROM users WHERE id=".$_GET['userid'];
What would this URL do?
nothing good, that's what!
Welcome aboard tazzy47!
One of the first things you do is quote everything in your selects. This is NOT a cure-all, it's one tool:
$select = "select * from table where id='$_GET['userid']';";
Yes, even numeric fields, although it's "implied" that quoting means you're searching on text, this is one way to start securing your selects. Many injections can be thwarted this way.
Second, as mentioned, is you should cleanse those GET vars and never put them directly in the selects.
Injection Wiki [en.wikipedia.org], and you'll find many more searching for SQL injection.
Again, thanks for all the help. I'm about to suggest we hire this fix out. Didn't get as far as php security in those 2 yrs of programming classes.
For instance, a URL like
is highly suspect. If I see one of those, the next thing I try is:
you should never do this:
<?php print($_GET['variable_name']); ?>
Sort of like this reply.
If WebmasterWorld didn't pasteurize all posts before rendering them on the page, I'd have your cookies, hijack your session and be reading your mail by now.
Not that I would actually do that.
It was just an example.