Bytes IT Community

PHP security question

Below is a line of PHP code I'm using that is making me nervous. I want
to ask what I can do in the target PHP file (details.php) to make sure
nothing evil is done to me. Below I cite the one line in question:

$d_content_cut = $d_content.'...<a STYLE="color:goldenrod;
border-bottom: 2px solid;"
href=details.php?id='.$pg_id.'&Type_view=detail&Type_Submit='.$Type_Submit.'&key_word='.urlencode($highlight).'>more</a>';

Here's more info,
- $d_content_cut appears in a html table as some text with a link tagged
on at the end of this text (as you can see). Click the link and you'll
see more detail on that particular item on a new page called details.php.

- I'm doing a "GET".

- id='.$pg_id This is the primary key for the MYSQL DB item. It's an
integer and I put it in a SELECT statement with mysql_query to get the
record I need to show.

- &Type_view=detail&Type_Submit='.$Type_Submit These are data I need
to properly process the detail page. I hard code "detail" cause I know
if I am doing a GET from this stage in my code it's gotta be "detail".
The var $Type_Submit can be one of four (4) strings, so at least I know
if it's not one of those 4 it's bogus.

- '&key_word='.urlencode($highlight).'>more</a>'; $highlight could be
anything because it's what the user entered as search keywords. Yes, I
escaped it when I searched in MySQL, but in a GET a user could
change it, couldn't they(?). I need to pass it along in the GET.

So what could I do, esp. in details.php where I process this GET, to make
sure evil is not done to me?

Thanks sincerely.
Jul 17 '05 #1
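The receiving side is where the risk actually sits: urlencode() in the link above keeps the keyword from breaking out of the href, but details.php gets every parameter back decoded, and a user can type any URL they like. The following is an added example (not code from the post) of a details.php that treats all four parameters as untrusted: the id is re-validated as a positive integer and bound in a prepared statement, Type_view and Type_Submit are matched against an allowlist, and key_word is kept as opaque text that is escaped at output. The table and column names, the PDO DSN and credentials, and the four Type_Submit values are assumptions made for illustration; mysql_query() from the original is replaced by PDO because the old extension no longer exists in current PHP.

```php
<?php
// Added example, not the poster's code. Table/column names, the DSN and
// credentials, and the four Type_Submit values are placeholders (assumed).
declare(strict_types=1);

// The four strings the question says Type_Submit may take (hypothetical values).
const ALLOWED_TYPE_SUBMIT = ['title', 'author', 'abstract', 'fulltext'];
const ALLOWED_TYPE_VIEW   = ['detail'];

/**
 * Validate the GET parameters. Returns the cleaned values, or null if any
 * parameter is missing or bogus. Nothing in $_GET is trusted: the id must be
 * a positive integer and both "type" fields must match an allowlist exactly
 * (strict comparison, so "detail\0" or arrays do not pass).
 */
function validate_details_request(array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $typeView   = $get['Type_view'] ?? '';
    $typeSubmit = $get['Type_Submit'] ?? '';
    if (!in_array($typeView, ALLOWED_TYPE_VIEW, true)
        || !in_array($typeSubmit, ALLOWED_TYPE_SUBMIT, true)) {
        return null;
    }
    // key_word is free text: keep it as data, but reject non-strings (key_word[]=x),
    // drop control characters and cap the length so it cannot bloat queries or logs.
    $keyword = $get['key_word'] ?? '';
    if (!is_string($keyword)) {
        return null;
    }
    $keyword = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $keyword);
    $keyword = mb_substr($keyword, 0, 200);

    return ['id' => $id, 'Type_view' => $typeView, 'Type_Submit' => $typeSubmit, 'key_word' => $keyword];
}

/**
 * Fetch the record with a prepared statement. The id travels as a bound
 * parameter, never as part of the SQL text, so it cannot change the query.
 */
function fetch_item(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, content FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** HTML-escape for element text and double-quoted attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * The listing-page link, rebuilt: http_build_query() percent-encodes every
 * value (including Type_Submit, which the original left raw) and the whole
 * URL is HTML-escaped before it lands inside a quoted href attribute.
 */
function more_link(int $pgId, string $typeSubmit, string $highlight): string
{
    $query = http_build_query([
        'id'          => $pgId,
        'Type_view'   => 'detail',
        'Type_Submit' => $typeSubmit,
        'key_word'    => $highlight,
    ]);
    return '...<a style="color:goldenrod; border-bottom: 2px solid;" href="details.php?'
        . h($query) . '">more</a>';
}

// --- details.php request handling ---
$params = validate_details_request($_GET);
if ($params === null) {
    http_response_code(400);
    exit('Bad request');
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$item = fetch_item($db, $params['id']);
if ($item === null) {
    http_response_code(404);
    exit('Not found');
}

// Highlight the keyword: escape both the content and the keyword first, then
// wrap matches, so the keyword can never contribute markup of its own.
$content = h($item['content']);
if ($params['key_word'] !== '') {
    $safeKeyword = h($params['key_word']);
    $content = str_replace($safeKeyword, '<mark>' . $safeKeyword . '</mark>', $content);
}
echo '<h1>' . h($item['title']) . '</h1>';
echo '<p>' . $content . '</p>';
```

The two checks that do the real work are the allowlist (four exact strings, compared strictly) and the bound parameter in fetch_item(); escaping at output then covers key_word without having to guess which characters a future attacker will need. If details.php also logs or re-uses key_word in a LIKE query, bind it there too, and escape the LIKE wildcards (% and _) separately, since a bound parameter does not neutralise those.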
1 Reply


Hal Halloway wrote:
In general, you may want to take a look at mod_security
(http://www.modsecurity.org), which allows filtering a lot of things using
regex at HTTP level, and for this specific case there are functions
available like strip_tags(), stripslashes(), stripcslashes() etcetera.
Additionally you may want to use your own str_replace() functions.

I have in the past used a homebrew function that just stripped anything
other than alphanumerical chars and _, but that may be too rigorous in
your case. Using regex you can make almost any filter you can dream of.

GL
Schraalhans
Jul 17 '05 #2
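To make the trade-off in the reply concrete, here is an added example (not code from either post) that runs one constructed keyword through strip_tags(), through the alphanumeric-and-underscore filter the reply describes, and through context-correct escaping, and shows what each does to a link built the way the question builds it. The link template and the payload are constructed for this demonstration; the function names alnum_only(), html_escape() and link_with() are mine. stripslashes() and stripcslashes() are left out because they only remove backslash escapes, which is a magic_quotes problem, not an HTML one.

```php
<?php
// Added example, not from the thread. Payload, link template and helper
// names (alnum_only, html_escape, link_with) are constructed for this demo.
declare(strict_types=1);

/** The reply's "homebrew" filter: keep only [A-Za-z0-9_]. */
function alnum_only(string $s): string
{
    return (string) preg_replace('/[^A-Za-z0-9_]/', '', $s);
}

/** Context-correct escaping for HTML text and double-quoted attributes. */
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the listing link the way the question does, with a chosen filter. */
function link_with(callable $filter, string $keyword): string
{
    return '<a href="details.php?id=7&key_word=' . $filter($keyword) . '">more</a>';
}

// A keyword a user could type into the search box (constructed test input).
// It contains no '<' or '>', so strip_tags() has nothing to remove.
$payload = '" onmouseover="alert(1)';

$variants = [
    'strip_tags'       => link_with('strip_tags', $payload),
    'alnum_only'       => link_with('alnum_only', $payload),
    'htmlspecialchars' => link_with('html_escape', $payload),
    'urlencode+escape' => link_with(fn(string $s): string => html_escape(urlencode($s)), $payload),
];
foreach ($variants as $name => $html) {
    printf("%-17s %s\n", $name, $html);
}
// strip_tags:       the quote survives, the href closes early and an
//                   onmouseover handler is injected into the <a> element.
// alnum_only:       inert, but the search term collapses to "onmouseoveralert1",
//                   so a legitimate keyword like "O'Brien" is mangled too.
// htmlspecialchars: the quote becomes &quot;, the attribute stays closed,
//                   and the keyword round-trips unchanged.
// urlencode+escape: what the question already does on the way out; inert,
//                   and the browser sends the original keyword back decoded.
```

The point the table makes is that strip_tags() answers the wrong question (it removes elements, not attribute delimiters), the alphanumeric filter is safe but lossy, and encoding for the context the value is about to enter (URL, then HTML attribute) is both safe and lossless. Whichever filter is chosen on the way out, details.php still has to validate and escape what comes back in, because the URL is editable.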
