query string security...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

raccer
Forum Newbie
Posts: 11
Joined: Mon Aug 02, 2010 12:22 pm

query string security...

Post by raccer »

Hello to all the awesome contributors on devnetwork!
I've been lurking since yesterday and have a basic question:

If I have a file (confirm.php) where query strings are processed to verify an email address, and I want to parse and process the request, is there a security risk with reading this exterior data (query string) into a variable for screening?

I understand the precaution with the variable containing this unfiltered data, and would only use it for comparison to known good data, but I want to ensure; could any evil happen simply from feeding the query string into parse_str() ?

Thanks for any enlightenment!
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: query string security...

Post by AbraCadaver »

The same evil that can be done with register_globals enabled can be done when using parse_str(), except that you control when the variables are registered and can do so in a safe manner. Take for example:

Code:

$admin = $_SESSION['admin'];   // trusted value, taken from the session

parse_str($_SERVER['QUERY_STRING']);   // one-argument form: every query key becomes a variable in this scope

//some code

if($admin) {   // now holds whatever the query string said, not the session value
   //some restricted stuff
}
Then confirm.php?var=val&var2=val2&admin=1 would overwrite the $admin variable and give access to the restricted code.

I prefer just to always use $_GET['varname'].
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQLextension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
raccer
Forum Newbie
Posts: 11
Joined: Mon Aug 02, 2010 12:22 pm

Re: query string security...

Post by raccer »

Thanks for the guidance AbraCadaver,

So if I understand you correctly, no danger exists from parsing external content into variables; it's only what the variables are then used for that would pose a risk.

For example, would this code be a safe way to parse a query string?

Code:

<?php
// Example query string before hashing/encoding (shown for reference, not used below):
$example_query_string_unhashed_unencoded = 'email_address=thisguy@gmail.com&time_registered=1234567890&another_key=another_value';

// Parse into $input rather than into the script's scope. The second argument is
// already passed by reference; writing "&$input" at the call site is call-time
// pass-by-reference, which is a fatal error since PHP 5.4.
$input = array();
parse_str($_SERVER["QUERY_STRING"], $input);

// $hashed_key_for_case_N, $known_good_data and do_something() are placeholders
// that the surrounding script is expected to define.
foreach($input as $hashed_key => $hashed_value) {

	switch($hashed_key) {
		
		case $hashed_key_for_case_1:
			if($hashed_value === $known_good_data) do_something();
			break;
			
		case $hashed_key_for_case_2:
			if($hashed_value === $known_good_data) do_something();
			break;

		case $hashed_key_for_case_3:
			if($hashed_value === $known_good_data) do_something();
			break;

	}
}
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: query string security...

Post by AbraCadaver »

The way you're doing it is safer because you're extracting them into an array instead of into the scope of the script. I don't really see what you're doing beyond that, but it is the same as this, and doesn't require parse_str():

Code:

foreach($_GET as $hashed_key => $hashed_value) {
	// ...the same switch on $hashed_key as in the previous post...
}
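An added PHP example, not code from anyone in this thread, that shows the two behaviours discussed above side by side: one-argument parse_str() overwriting a variable in the script's scope, and parsing into an array with an allow-list of expected keys so that nothing outside that list is trusted. It also adds a constant-time comparison for the "known good data" check raccer describes. The query string, the function names and the list of allowed keys are constructed for illustration.

```php
<?php
// Added example (not from the thread posters). Function names, the query
// string and the allowed-key list are constructed for illustration.

// Constructed input: a legitimate confirmation link with "admin=1" appended.
$queryString = 'email_address=thisguy%40gmail.com&time_registered=1234567890&admin=1';

// 1. One-argument parse_str() registers every query key as a variable in the
//    caller's scope, just like register_globals did. $admin, which in real
//    code would come from $_SESSION, is replaced by the string "1".
//    PHP 8 removed this form, so the call is wrapped to report that instead.
function scopeClobberDemo(string $queryString): string
{
    $admin = false;
    try {
        @parse_str($queryString);   // PHP < 8 only (E_DEPRECATED from 7.2 on)
    } catch (ArgumentCountError $e) {
        return 'PHP 8+: one-argument parse_str() no longer exists';
    }
    return $admin ? 'clobbered: $admin is now ' . var_export($admin, true)
                  : 'not clobbered';
}

// 2. Parse into an array and keep only the keys confirm.php expects.
//    Nothing lands in the script's scope, so $admin cannot be touched, and
//    "admin=1" is dropped rather than trusted. The is_string() check rejects
//    nested input such as email_address[]=x, which parse_str() turns into an
//    array.
function extractConfirmation(string $queryString): array
{
    $input = [];
    parse_str($queryString, $input);
    $allowed = ['email_address', 'time_registered'];   // constructed allow-list
    $clean = [];
    foreach ($allowed as $key) {
        if (isset($input[$key]) && is_string($input[$key])) {
            $clean[$key] = $input[$key];
        }
    }
    return $clean;
}

// 3. Compare a submitted value with the known-good value in constant time.
//    hash_equals() does not leak how many leading characters matched.
function matchesKnownGood(string $submitted, string $knownGood): bool
{
    return hash_equals($knownGood, $submitted);
}

$admin = false;
echo scopeClobberDemo($queryString), PHP_EOL;
$clean = extractConfirmation($queryString);
print_r($clean);                 // email_address and time_registered only
var_dump($admin);                // bool(false): the array form left it alone
var_dump(matchesKnownGood($clean['time_registered'], '1234567890'));
```

On a web request, $_GET already holds the result of the same parsing, so the allow-list loop can iterate $_GET directly, as the previous post suggests. Under the CLI, $_GET is empty, which is why the example parses the constructed string itself.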
raccer
Forum Newbie
Posts: 11
Joined: Mon Aug 02, 2010 12:22 pm

Re: query string security...

Post by raccer »

Cool, Thanks again!
jraede
Forum Contributor
Posts: 254
Joined: Tue Feb 16, 2010 5:39 pm

Re: query string security...

Post by jraede »

Is there an advantage to using $_SERVER['QUERY_STRING'] over $_GET? Or is there a reason why you're doing it like that? Just curious...
raccer
Forum Newbie
Posts: 11
Joined: Mon Aug 02, 2010 12:22 pm

Re: query string security...

Post by raccer »

Hehehe,

Uh, yeah, I didn't know about $_GET... I'm now using it instead because it returns a simpler/smaller result.
I have only a single PHP/MySQL class under my belt, and although I've learned a lot, I have a lot to learn!