query string security...

Posted: Mon Aug 02, 2010 1:25 pm
by raccer
Hello to all the awesome contributors on devnetwork!
I've been lurking since yesterday and have a basic question:

If I have a file (confirm.php) where query strings are processed to verify an email address, and I want to parse and process the request, is there a security risk with reading this exterior data (query string) into a variable for screening?

I understand the precaution with the variable containing this unfiltered data, and would only use it for comparison to known good data, but I want to be sure: could any evil happen simply from feeding the query string into parse_str()?

Thanks for any enlightenment!

Re: query string security...

Posted: Mon Aug 02, 2010 1:50 pm
by AbraCadaver
The same evil that can be done with register_globals enabled can be done when using parse_str(), except that you control when the variables are registered and can do so in a safe manner. Take for example:

Code:

<?php
session_start();

$admin = $_SESSION['admin'];

// One-argument parse_str() registers every key in the query string as a
// variable in this scope, exactly like register_globals did
// (that form was deprecated in PHP 7.2 and removed in PHP 8.0)
parse_str($_SERVER['QUERY_STRING']);

//some code

if($admin) {
   //some restricted stuff
}
Then confirm.php?var=val&var2=val2&admin=1 would overwrite the $admin variable and give access to the restricted code.

I prefer just to always use $_GET['varname'].
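The variable-injection problem described in the answer above, shown as an added example that is not code from this thread: the vulnerable pattern beside a hardened confirm.php. The function names, the key names (email_address, token), the $pendingConfirmations lookup table and the sample query strings are assumptions made for the example. extract() is used to reproduce the one-argument parse_str() behaviour so the vulnerable half also runs on PHP 8, where that form no longer exists.

```php
<?php
// Added example, not code from the thread. Function names, key names and the
// sample query strings are illustrative assumptions.
declare(strict_types=1);

// Constructed inputs: a legitimate confirmation link, and the same link with
// an extra key appended by an attacker.
const LEGIT_QS = 'email_address=thisguy%40gmail.com&token=abc123';
const EVIL_QS  = 'email_address=thisguy%40gmail.com&token=abc123&admin=1';

// VULNERABLE. parse_str() into an array followed by extract() reproduces what
// one-argument parse_str() (and register_globals) did: every query key becomes
// a variable in this scope, so an "admin" key in the URL clobbers the
// session-derived $admin. (One-argument parse_str() was deprecated in PHP 7.2
// and removed in PHP 8.0.)
function vulnerable_confirm(string $queryString, bool $sessionAdmin): bool
{
    $admin = $sessionAdmin;               // trusted value, e.g. from $_SESSION['admin']
    parse_str($queryString, $fromUrl);
    extract($fromUrl);                    // attacker-controlled keys overwrite locals
    return (bool) $admin;                 // whatever survived the extract() wins
}

// HARDENED. Parse into an array only, accept nothing but the keys this script
// issued, and compare values against known-good data with a strict check.
// $pendingConfirmations maps an email address to the token that was mailed to
// it, standing in for the database lookup a real confirm.php would do.
function hardened_confirm(string $queryString, bool $sessionAdmin, array $pendingConfirmations): array
{
    $admin = $sessionAdmin;
    parse_str($queryString, $params);     // second argument: no scope pollution

    // Keys we never put in a confirmation link are a signal of tampering.
    $allowed    = ['email_address', 'token'];
    $unexpected = array_values(array_diff(array_keys($params), $allowed));

    $email = $params['email_address'] ?? '';
    $token = $params['token'] ?? '';

    // parse_str() turns token[]=x into an array, so check the type before
    // handing the values to functions that expect strings.
    $confirmed = is_string($email)
        && is_string($token)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && isset($pendingConfirmations[$email])
        && hash_equals($pendingConfirmations[$email], $token);

    return ['admin' => $admin, 'confirmed' => $confirmed, 'unexpected' => $unexpected];
}

// Constructed known-good data for the demo.
$pending = ['thisguy@gmail.com' => 'abc123'];

// Session says "not admin"; compare how each version treats the tampered link.
var_dump(vulnerable_confirm(LEGIT_QS, false));
var_dump(vulnerable_confirm(EVIL_QS, false));

print_r(hardened_confirm(EVIL_QS, false, $pending));
print_r(hardened_confirm('email_address=thisguy%40gmail.com&token=wrong', false, $pending));
```

Run it with `php confirm_demo.php` (file name is arbitrary). The hardened version keeps the session-derived flag and the query string in separate variables, so nothing in the URL can reach $admin; the only thing the request can influence is whether the supplied token matches the one on record. A real confirm.php would generate the token from a CSPRNG, store a hash of it rather than the token itself, and give it an expiry, but the shape of the check stays the same.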

Re: query string security...

Posted: Mon Aug 02, 2010 2:03 pm
by raccer
Thanks for the guidance AbraCadaver,

So if I understand you correctly, no danger exists from parsing external content into variables; it's only what the variables are then used for that would pose a risk.

For example, would this code be a safe way to parse a query string?

Code:

<?php
// Example of the kind of query string being parsed (for illustration only)
$example_query_string_unhashed_unencoded = 'email_address=thisguy@gmail.com&time_registered=1234567890&another_key=another_value';

// The second argument makes parse_str() fill $input instead of the local scope.
// Pass a plain variable, not &$input: call-time pass-by-reference is not valid PHP.
$input = array();
parse_str($_SERVER["QUERY_STRING"], $input);

// $hashed_key_for_case_N and $known_good_data are placeholders for values the
// script already knows; they are not defined in this snippet
foreach($input as $hashed_key => $hashed_value) {

	switch($hashed_key) {
		
		case $hashed_key_for_case_1:
			if($hashed_value === $known_good_data) do_something();
			break;
			
		case $hashed_key_for_case_2:
			if($hashed_value === $known_good_data) do_something();
			break;

		case $hashed_key_for_case_3:
			if($hashed_value === $known_good_data) do_something();
			break;

	}
}

Re: query string security...

Posted: Mon Aug 02, 2010 2:22 pm
by AbraCadaver
The way you're doing it is safer because you're extracting them into an array instead of into the scope of the script. I don't really see what you're doing beyond that, but it is the same as this, and doesn't require parse_str():

Code:

// $_GET already holds the parsed query string, so iterate it directly
foreach($_GET as $hashed_key => $hashed_value) {
	// same switch on $hashed_key as in the snippet above
}

Re: query string security...

Posted: Mon Aug 02, 2010 2:31 pm
by raccer
Cool, Thanks again!

Re: query string security...

Posted: Mon Aug 02, 2010 6:00 pm
by jraede
Is there an advantage to using $_SERVER['QUERY_STRING'] over $_GET? Or is there a reason why you're doing it like that? Just curious...

Re: query string security...

Posted: Mon Aug 02, 2010 6:17 pm
by raccer
Hehehe,

Uh, yeah, I didn't know about $_GET... I'm now using it instead because it returns a simpler/smaller result.
I have only a single PHP/MySQL class under my belt, and although I've learned a lot, I have a lot to learn!