PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
The server people are telling me that there is a security vulnerability somewhere within the $page variable, but I thought the above was acceptable (the above PHP file is as far as the $page variable goes; it is not used anywhere else). Can anyone shed some light on what they are talking about?
Any time you accept a $_GET variable without examining it to see what it contains, you are opening your script, your database, your server and everything else to being hijacked by anyone and everyone. Since the data is passed as part of the URL, it is easy for someone to substitute their own data, which could include, for example, SQL statements. Use the Search function on this forum and search for SQL injection. Or use Google. Or see http://www.securiteam.com/securityrevie ... 1P76E.html
astions is spot on. You are actually using a common security technique. You are comparing the potentially dangerous request data only to constants, and based on that comparison you are assigning the variables you will actually use with safe values. As long as you use $title and never use $_GET['page'], as astions says, you will be all right. It is only if you want to use the value in $_GET['page'] with some subsystem such as a database or filesystem, or send it back to the browser, that you will need to filter, validate and escape the values.
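The pattern the reply above describes, written out as an added example (this is not the original poster's file, which is not shown in the thread). It assumes the page is selected with `?page=...`, that the set of pages is known up front, and that a `pages/` directory next to the script holds the files named in the allowlist; the names `PAGES`, `selectPage`, `$page` and `$title` are chosen for this example.

```php
<?php
// Added example, not the original poster's code. Assumes a pages/ directory
// with the files listed below; PAGES and selectPage are example names.

// Allowlist: the only request values the script recognises. The request
// string is compared against these keys and nothing else is ever derived
// from it; the values used later are our own constants.
const PAGES = [
    'home'    => ['title' => 'Home',     'file' => 'home.php'],
    'about'   => ['title' => 'About us', 'file' => 'about.php'],
    'contact' => ['title' => 'Contact',  'file' => 'contact.php'],
];

/**
 * Map the raw request value to an allowlist entry.
 * Returns the constant entry, never the request string itself;
 * anything unrecognised falls back to the default page.
 */
function selectPage($requested): array
{
    // PHP's query parser turns ?page[]=x into an array, so check the type
    // before comparing; non-strings are treated like a missing value.
    if (is_string($requested) && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['home'];
}

$page  = selectPage($_GET['page'] ?? null);
$title = $page['title'];

// $title and $page['file'] came from our own constants, so they are safe
// in HTML output and in a file path without further escaping.
echo '<title>' . $title . '</title>' . "\n";
require __DIR__ . '/pages/' . $page['file'];

// The raw request value is a different matter: it must never be used to
// build a path, query or HTML directly. If it ever has to be sent back to
// the browser (for example in a "page not found" message), escape it first.
if (!isset(PAGES[$_GET['page'] ?? ''])) {
    $raw = is_string($_GET['page'] ?? null) ? $_GET['page'] : '';
    echo '<p>Unknown page: ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '</p>' . "\n";
}
```

The point of `selectPage` is that its return value is always one of the entries in `PAGES`; the untrusted string only decides which constant is picked. If a reviewer or scanner flags `$page`, the thing to show them is that no branch of the script ever lets the request string itself reach `require`, a query or the response body unescaped.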