Hello to all the awesome contributors on devnetwork!
I've been lurking since yesterday and have a basic question:
If I have a file (confirm.php) where query strings are processed to verify an email address, and I want to parse and process the request, is there a security risk with reading this exterior data (query string) into a variable for screening?
I understand the precaution with the variable containing this unfiltered data, and would only use it for comparison to known good data, but I want to be sure: could any evil happen simply from feeding the query string into parse_str()?
Thanks for any enlightenment!
query string security...
Re: query string security...
The same evil that can be done with register_globals enabled can be done when using parse_str(), except that you control when the variables are registered and can do so in a safe manner. Take for example:
Code: Select all
$admin = $_SESSION['admin'];
parse_str($_SERVER['QUERY_STRING']); // one-argument form: every query key becomes a local variable
//some code
if($admin) {
    //some restricted stuff
}
Then confirm.php?var=val&var2=val2&admin=1 would overwrite the $admin variable and give access to the restricted code.
I prefer just to always use $_GET['varname'].
Re: query string security...
Thanks for the guidance AbraCadaver,
So if I understand you correctly, no danger exists from parsing external content into variables, it's only what the variables are then used for that would pose a risk.
For example, would this code be a safe way to parse a query string?
Code: Select all
// Constructed sample of what the raw query string looks like (not used below)
$example_query_string_unhashed_unencoded = 'email_address=thisguy@gmail.com&time_registered=1234567890&another_key=another_value';
$input = array();
// parse_str() already takes its second argument by reference, so no & at the call site
// (call-time pass-by-reference is a fatal error as of PHP 5.4)
parse_str($_SERVER["QUERY_STRING"], $input);
foreach($input as $hashed_key => $hashed_value) {
    // $hashed_key_for_case_N and $known_good_data are placeholders for server-side values
    switch($hashed_key) {
        case $hashed_key_for_case_1:
            if($hashed_value === $known_good_data) do_something();
            break;
        case $hashed_key_for_case_2:
            if($hashed_value === $known_good_data) do_something();
            break;
        case $hashed_key_for_case_3:
            if($hashed_value === $known_good_data) do_something();
            break;
    }
}
Re: query string security...
The way you're doing it is safer because you're extracting them into an array instead of into the scope of the script. I don't really see what you're doing beyond that, but it is the same as this, and doesn't require parse_str():
Code: Select all
foreach($_GET as $hashed_key => $hashed_value) {
    // same switch on $hashed_key as in your version
}
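The clobbering AbraCadaver describes in his first reply, next to the array form the later posts settle on, as an added example that is not code from the thread. It feeds a constructed query string instead of a live request so it runs from the command line; the function names and the known-good email and token values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Reproduces the variable clobbering
// AbraCadaver describes and the two-argument form the thread settles on.
// Names (unsafeAdminCheck, safeConfirmCheck, $expectedToken) are assumptions.

// Constructed attacker-supplied query string. In confirm.php this would be
// $_SERVER['QUERY_STRING']; note the extra admin=1 the sender tacked on.
$queryString = 'email_address=thisguy%40gmail.com&token=abc123&admin=1';

// The register_globals-style pattern from the thread. The one-argument
// parse_str($qs) was deprecated in PHP 7.2 and removed in PHP 8.0, so its
// effect (every query key becoming a local variable) is reproduced with extract().
function unsafeAdminCheck(string $qs, bool $sessionAdmin): bool
{
    $admin = $sessionAdmin;          // would come from $_SESSION['admin']
    parse_str($qs, $vars);
    extract($vars);                  // admin=1 from the URL overwrites $admin
    return (bool) $admin;
}

// The two-argument form: request data lands in $input and nowhere else.
// Each key is then only compared against a server-side known-good value.
function safeConfirmCheck(
    string $qs,
    bool $sessionAdmin,
    string $expectedEmail,
    string $expectedToken
): array {
    parse_str($qs, $input);
    $admin = $sessionAdmin;          // untouched by $input['admin']

    // parse_str() also builds arrays for keys like token[]=x, so check the
    // type before comparing; hash_equals() keeps the token check constant-time.
    $emailOk = isset($input['email_address']) && is_string($input['email_address'])
        && $input['email_address'] === $expectedEmail;
    $tokenOk = isset($input['token']) && is_string($input['token'])
        && hash_equals($expectedToken, $input['token']);

    return [
        'admin'     => $admin,
        'confirmed' => $emailOk && $tokenOk,
    ];
}

// Session says this visitor is not an admin; see what each version concludes.
var_dump(unsafeAdminCheck($queryString, false));
var_dump(safeConfirmCheck($queryString, false, 'thisguy@gmail.com', 'abc123'));
```

Run with `php confirm_example.php`: the first call reports the visitor as admin because the query string overwrote the local, the second keeps `admin` at the session value and confirms the email only because both the address and the token match the server-side values. The `is_string()` checks matter because parse_str() turns `token[]=x` into an array, which would otherwise reach the comparison as a non-string.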
Re: query string security...
Cool, Thanks again!
Re: query string security...
Is there an advantage to using $_SERVER['QUERY_STRING'] over $_GET? Or is there a reason why you're doing it like that? Just curious...
Re: query string security...
Hehehe,
Uh, yeah, I didn't know about $_GET... I'm now using it instead because it returns a simpler/smaller result.
I have only a single PHP/MySQL class under my belt, and although I've learned a lot, I have a lot to learn!