$_GET Vulnerabilities

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

$_GET Vulnerabilities

Post by iknownothing »

Hey Guys,

I have this code:

Code:

$page = $_GET['page'];
switch ($page)
{
    case 'about':
        $title = 'About Us';
        break;
    case 'contact':
        $title = 'Contact Us';
        break;
    case 'home':
        $title = 'Home';
        break;
    default:
        $page = 'about';
        $title = 'About Kel';
        break;
}
which is determined by:

Code:

<a href="?page=about">
The server people are telling me that there is a security vulnerability somewhere within the $page variable, but I thought the above was acceptable (the above PHP file is as far as the $page variable goes; it is not used anywhere else). Can anyone shed some light on what they are talking about?
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Post by califdon »

Any time you accept a $_GET variable without examining it to see what it contains, you are opening your script and your database and your server and everything else to being hijacked by anyone and everyone. Since the data is passed as part of the URL, it makes it easy for someone to substitute their own data, which could include, for example, SQL statements. Use the Search function on this Forum and search for sql injection. Or use Google. Or see http://www.securiteam.com/securityrevie ... 1P76E.html
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: $_GET Vulnerabilities

Post by Benjamin »

iknownothing wrote: The server people are telling me that there is a security vulnerability somewhere within the $page variable
There are no security issues with the code you posted. Are you using $_GET['page'] someplace else?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

astions is spot on. You are actually using a common security technique. You are comparing the potentially dangerous request data only to constants. And based on that comparison you are assigning the variables you will actually use with safe values. As long as you use $title and never use $_GET['page'] as astions says -- you will be all right. It is only if you want to use the value in $_GET['page'] with some subsystem such as a database or filesystem, or send it back to the browser that you will need to filter, validate and escape the values.
(#10850)
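As an added example (not code from the thread or from the original poster), the pattern Christopher describes written out in full, together with the two cases he says do need filtering, validation and escaping: sending a value back to the browser, and passing it to a database. The PAGES map, the template directory, the page_visits table and the $pdo connection are assumptions made up for the example.

```php
<?php
// Added example, not the thread's code: allowlist the request value against
// constants, and only ever hand constants to the rest of the script.
declare(strict_types=1);

// Hypothetical page table (constructed for this example): request key -> constants.
// Everything that later lands in $title or in an include() comes from here,
// never from $_GET directly.
const PAGES = [
    'about'   => ['title' => 'About Us',   'template' => 'about.php'],
    'contact' => ['title' => 'Contact Us', 'template' => 'contact.php'],
    'home'    => ['title' => 'Home',       'template' => 'home.php'],
];
const DEFAULT_PAGE = 'about';

/**
 * Same idea as the switch in the first post: the request value is compared
 * only against known keys, and the returned array holds constants.
 * Unknown values (and non-strings such as ?page[]=x) fall back to the default.
 */
function resolvePage(mixed $requested): array
{
    $key = (is_string($requested) && array_key_exists($requested, PAGES))
        ? $requested
        : DEFAULT_PAGE;

    return ['page' => $key] + PAGES[$key];
}

// The case the thread says *would* be a problem: the raw request value chooses
// which file is read, so it must not be used this way.
//   include 'templates/' . $_GET['page'] . '.php';   // unsafe, shown for contrast only

// Safe equivalent: the include path comes from the constant map, not the request.
$resolved = resolvePage($_GET['page'] ?? null);
$title    = $resolved['title'];
$template = __DIR__ . '/templates/' . $resolved['template'];

// Sending a value back to the browser: escape for the HTML context. $title is a
// constant here, but escaping keeps the code correct if it ever becomes user data.
echo '<title>' . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</title>\n";

if (is_file($template)) {
    include $template;
}

/**
 * Passing the value to a database (califdon's SQL-injection point): bind it as a
 * parameter rather than concatenating it into the SQL string. The page_visits
 * table and the PDO connection are assumed to exist.
 */
function countVisits(PDO $pdo, string $pageKey): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM page_visits WHERE page = :page');
    $stmt->execute([':page' => $pageKey]);

    return (int) $stmt->fetchColumn();
}
```

The point to check in a review is the data flow rather than the switch itself: trace every place $_GET['page'] is read and confirm that what reaches include(), the query, or the HTML output is the allowlisted constant (or a bound parameter / escaped string), not the request value.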
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Yeah I think it all depends on what you use $_GET for, and even $_POST for that matter.
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

Cool. So the above is fine? That is absolutely ALL I use $_GET['page'] for.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

iknownothing wrote: Cool. So the above is fine? That is absolutely ALL I use $_GET['page'] for.
Yes, it is. The problems come when you trust data.