
$_GET Vulnerabilities

Posted: Thu Aug 16, 2007 8:02 pm
by iknownothing
Hey Guys,

I have this code:

Code:

<?php
// Read the raw request value; default to an empty string when it is absent so
// the switch still runs (avoids an undefined-index notice) and falls through
// to the default branch.
$page = isset($_GET['page']) ? $_GET['page'] : '';

switch ($page) {
    case 'about':
        $title = 'About Us';
        break;
    case 'contact':
        $title = 'Contact Us';
        break;
    case 'home':
        $title = 'Home';
        break;
    default:
        // Unknown or missing value: replace it with a fixed, safe page name.
        $page  = 'about';
        $title = 'About Kel';
        break;
}
which is determined by:

Code:

<a href="?page=about">
The server people are telling me that there is a security vulnerability somewhere within the $page variable, but I thought the above was acceptable (the above php file, is as far as $page variable goes, not used anywhere else). Can anyone shed some light on what they are talking about?

Posted: Thu Aug 16, 2007 8:59 pm
by califdon
Any time you accept a $_GET variable without examining it to see what it contains, you are opening your script and your database and your server and everything else to being hijacked by anyone and everyone. Since the data is passed as part of the URL, it makes it easy for someone to substitute their own data, which could include, for example, SQL statements. Use the Search function on this Forum and search for sql injection. Or use Google. Or see http://www.securiteam.com/securityrevie ... 1P76E.html

Re: $_GET Vulnerabilities

Posted: Thu Aug 16, 2007 10:01 pm
by Benjamin
iknownothing wrote: The server people are telling me that there is a security vulnerability somewhere within the $page variable
There are no security issues with the code you posted. Are you using $_GET['page'] someplace else?

Posted: Thu Aug 16, 2007 10:54 pm
by Christopher
astions is spot on. You are actually using a common security technique. You are comparing the potentially dangerous request data only to constants. And based on that comparison you are assigning the variables you will actually use with safe values. As long as you use $title and never use $_GET['page'] as astions says -- you will be all right. It is only if you want to use the value in $_GET['page'] with some subsystem such as a database or filesystem, or send it back to the browser that you will need to filter, validate and escape the values.
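The whitelist pattern Christopher describes, written out as a function, with the safe-use rules for the two cases he names where the value does reach a subsystem (filesystem) or the browser (output). This is an added example, not code from the thread or from any of its posters; the PAGES map, the template file names and the titles are assumptions for illustration.

```php
<?php
// Added example (not from the thread): request data is compared only to
// constants, and everything the script goes on to use is taken from those
// constants rather than from $_GET. PAGES, file names and titles are assumed.

const PAGES = [
    // request value => [template file, page title]; only these keys exist
    'about'   => ['templates/about.php',   'About Us'],
    'contact' => ['templates/contact.php', 'Contact Us'],
    'home'    => ['templates/home.php',    'Home'],
];
const DEFAULT_PAGE = 'about';

/**
 * Map raw request data onto values chosen from constants.
 * Every element of the returned array comes from PAGES, never from $get.
 */
function resolve_page(array $get): array
{
    $requested = $get['page'] ?? '';
    // Non-strings (?page[]=x arrives as an array) and unknown names fall back
    // to the default. array_key_exists is an exact key match, not the loose
    // == comparison a switch statement uses.
    $key = (is_string($requested) && array_key_exists($requested, PAGES))
        ? $requested
        : DEFAULT_PAGE;
    [$file, $title] = PAGES[$key];
    return ['page' => $key, 'file' => $file, 'title' => $title];
}

// --- usage ----------------------------------------------------------------
$resolved = resolve_page($_GET);

// Filesystem: the path is a constant from PAGES selected by a validated key,
// so include never sees client-controlled text. The unsafe form this replaces
// is `include $_GET['page'] . '.php';`, which lets the client pick the file.
// (Commented out here so the snippet runs without the template files present.)
// include $resolved['file'];

// Browser: escape at the output boundary. The title is constant-derived, but
// escaping it anyway keeps the habit consistent for values that are not.
echo '<title>' . htmlspecialchars($resolved['title'], ENT_QUOTES, 'UTF-8') . "</title>\n";

// Where the raw value must be sent back (e.g. to report an unknown page), it
// is escaped rather than trusted.
if (isset($_GET['page']) && is_string($_GET['page']) && $_GET['page'] !== $resolved['page']) {
    echo 'Unknown page "' . htmlspecialchars($_GET['page'], ENT_QUOTES, 'UTF-8')
        . '", showing ' . htmlspecialchars($resolved['page'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

The design point is that resolve_page returns only values it looked up in PAGES, so a caller cannot accidentally pass the request string on to include or a query; the original switch keeps the same property as long as $title, not $_GET['page'], is what gets used afterwards.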

Posted: Thu Aug 16, 2007 11:24 pm
by JellyFish
Yeah I think it all depends on what you use $_GET for, and even $_POST for that matter.

Posted: Fri Aug 17, 2007 12:07 am
by iknownothing
Cool. So the above is fine? That is absolutely ALL I use $_GET['page'] for.

Posted: Fri Aug 17, 2007 6:41 am
by superdezign
iknownothing wrote: Cool. So the above is fine? That is absolutely ALL I use $_GET['page'] for.
Yes, it is. The problems come when you trust data.