PHP security question

Below is a line of PHP code I'm using that is making me nervous. I want
to ask what I can do in the target PHP file (details.php) to make sure
nothing evil is done to me. Below I cite the one line in question:

$d_content_cut = $d_content.'...<a STYLE="color:goldenrod;
border-bottom: 2px solid;"
href=details.php?id='.$pg_id.'&Type_view=detail&Type_Submit='.$Type_Submit.'&key_word='.urlencode($highlight).'>more</a>';

Here's more info:
- $d_content_cut appears in a html table as some text with a link tagged
on at the end of this text (as you can see). Click the link and you'll
see more detail on that particular item on a new page called details.php.

- I'm doing a "GET".

- id='.$pg_id This is the primary key for the MYSQL DB item. It's an
integer and I put it in a SELECT statement with mysql_query to get the
record I need to show.

- &Type_view=detail&Type_Submit='.$Type_Submit These are data I need
to properly process the detail page. I hard code "detail" 'cause I know
if I am doing a GET from this stage in my code it's gotta be "detail".
The var $Type_Submit can be one of four (4) strings - so at least I know
if it's not one of those 4 it's bogus.

- '&key_word='.urlencode($highlight).'>more</a>'; $highlight could be
anything because it's what the user entered as search keywords. Yes, I
escaped it when I did the search in MySQL, but in a GET a user could
change it, couldn't they? I need to pass it along in the GET.

So what could I do, esp. in details.php where I process this GET, to make
sure evil is not done to me?

Thanks sincerely.
Jul 17 '05 #1
Hal Halloway wrote:

In general, you may want to take a look at mod_security
(http://www.modsecurity.org) that allows filtering a lot of things using
regex at HTTP level, and for this specific case there are functions
available like strip_tags(), stripslashes(), stripcslashes() etcetera.
Additionally you may want to use your own str_replace() functions.

I have in the past used a home-brewed function that just stripped anything
other than alphanumeric chars and _, but that may be too rigorous in
your case. Using regex you can make almost any filter you can dream of.

GL
Schraalhans
Jul 17 '05 #2
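The following is an added example, not code from either poster: a details.php that applies the checks the question itself lists (integer id, the hard-coded Type_view, a four-value whitelist for Type_Submit) and, instead of stripping characters from key_word as the reply suggests, keeps it verbatim and makes it safe at each point of use (bound in SQL, escaped in HTML). The PDO connection $pdo, the `items` table and its columns, and the four Type_Submit placeholder values are assumptions.

```php
<?php
// Added example (not the thread's code): a hardened details.php for the GET above.
// Assumes a PDO connection $pdo and a table `items` with columns `id`, `content` (assumed).
// The four legitimate Type_Submit values are not named in the thread; placeholders follow.
const ALLOWED_TYPE_SUBMIT = ['type_a', 'type_b', 'type_c', 'type_d'];

function validate_details_request(array $get): array
{
    // id is the integer primary key: FILTER_VALIDATE_INT rejects "12abc" or
    // "1 OR 1=1", and min_range rejects 0 and negatives. No SQL is built from it.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid id');
    }
    // Type_view is hard-coded by the calling page, so anything but "detail" is bogus.
    if (($get['Type_view'] ?? '') !== 'detail') {
        throw new InvalidArgumentException('invalid Type_view');
    }
    // Type_Submit: strict whitelist comparison (third argument true avoids type juggling).
    $type = $get['Type_Submit'] ?? '';
    if (!in_array($type, ALLOWED_TYPE_SUBMIT, true)) {
        throw new InvalidArgumentException('invalid Type_Submit');
    }
    // key_word is free text: keep it verbatim (length-bounded) and secure it where it is used.
    $keyword = (string) ($get['key_word'] ?? '');
    if (strlen($keyword) > 200) {
        throw new InvalidArgumentException('key_word too long');
    }
    return ['id' => $id, 'type' => $type, 'keyword' => $keyword];
}

// Database: a prepared statement binds the id; the value never touches the SQL text.
function fetch_item(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, content FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output: the "more" link from the question, rebuilt with a quoted, escaped href so a
// keyword such as "><script> cannot break out of the attribute.
function render_more_link(int $id, string $type, string $keyword): string
{
    $url = 'details.php?' . http_build_query(
        ['id' => $id, 'Type_view' => 'detail', 'Type_Submit' => $type, 'key_word' => $keyword]
    );
    return '<a style="color:goldenrod; border-bottom: 2px solid;" href="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">more</a>';
}
```

Call validate_details_request($_GET) at the top of details.php and treat any exception as a 400 response; the same three functions also serve the listing page that builds the link.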
