Security


jspeed

10:17 pm on Dec 17, 2010 (gmt 0)

This is more a question of logic than anything. I want to make sure I am handling this in a secure way.

When the user clicks a link it passes the year in the URL (e.g. page.php?year=2010). It uses that year to query the database table's "year" column and then displays that row's information.

I am securing it like so:
I load that table's year column into an array and make sure the year in the URL exists in the table. If it doesn't, it throws a not-found error; if it does find the year in the array, it continues and displays the data.

Is there a better/more secure way of handling this, or is this sufficient?

milocold

10:32 pm on Dec 17, 2010 (gmt 0)

Hi,

You might wanna check the data coming from the URL with a preg_match to help prevent a SQL injection attack.


<?php
// Anchored pattern: the whole value must be exactly four ASCII digits.
if ( preg_match( '/^[0-9]{4}$/', '1969' ) ) {
    echo 'good';
} else {
    echo 'bad';
}


M.Cold

jspeed

10:55 pm on Dec 17, 2010 (gmt 0)

Thanks, I have implemented this together with the array check:

<?php
// Reject when the parameter is missing, is not exactly four digits,
// or is not one of the years loaded from the table.
// (The conditions are joined with || so that any single failure is an error;
// joined with && the check would only fail when every test failed.)
if ( !isset( $year ) || !preg_match( '/^[0-9]{4}$/', $year ) || !in_array( $year, $acceptable_years ) )
{
    // throw error
}
else
{
    // continue script
}

milocold

11:00 pm on Dec 17, 2010 (gmt 0)

Come to think about it, is_numeric() might be faster than preg. I dunno, I haven't done any testing on that. =^)

M.Cold
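Putting the thread's pieces together, here is an added example (not code posted by jspeed or milocold) of the whitelist-plus-format check in PHP with a bound query, and a small comparison showing why the four-digit regex is stricter than is_numeric(). It assumes a PDO handle $pdo and a table named pages with the "year" column the question describes; both names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo and a
// table "pages" whose "year" column holds the years that exist (assumed names).

function is_valid_year_param(string $raw): bool
{
    // Exactly four ASCII digits. Rejects "2e3", " 2010", "2010.0", "-2010",
    // which is_numeric() accepts, so the regex is the stricter gate.
    return preg_match('/^[0-9]{4}$/', $raw) === 1;
}

function load_acceptable_years(PDO $pdo): array
{
    // Whitelist built from the table itself, as the original post does.
    $rows = $pdo->query('SELECT DISTINCT year FROM pages')->fetchAll(PDO::FETCH_COLUMN);
    return array_map('intval', $rows);
}

function fetch_page_for_year(PDO $pdo, array $acceptable_years, ?string $raw): ?array
{
    if ($raw === null || !is_valid_year_param($raw)) {
        return null;            // missing or malformed: treat as not found
    }
    $year = (int) $raw;
    if (!in_array($year, $acceptable_years, true)) {
        return null;            // well-formed, but not a year we have
    }
    // Even after whitelisting, bind the value instead of interpolating it.
    $stmt = $pdo->prepare('SELECT * FROM pages WHERE year = :year');
    $stmt->execute([':year' => $year]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage from page.php would be:
//   $page = fetch_page_for_year($pdo, load_acceptable_years($pdo), $_GET['year'] ?? null);

// Why the regex rather than is_numeric(): values that look numeric but are not a year.
foreach (['2010', '2e3', ' 2010', '2010.0', '-2010', '20100'] as $candidate) {
    printf("%-9s regex=%-6s is_numeric=%s\n", var_export($candidate, true),
        is_valid_year_param($candidate) ? 'ok' : 'reject',
        is_numeric($candidate) ? 'ok' : 'reject');
}
```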