Any security issue with $_GET like this?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

someguyhere
Forum Contributor
Posts: 181
Joined: Sun Jul 27, 2008 3:24 pm

Any security issue with $_GET like this?

Post by someguyhere »

I know that $_GET has potential security issues - are there any with this utilization of it? If so, what do I need to fix/change?

	// $wpdb is WordPress's global database object
	global $wpdb;
	$list_members = '';   // initialise so the .= below does not append to an undefined variable

	if (!empty($_GET['network_category'])) {

		// the raw $_GET value is interpolated straight into the SQL string
		$network_members = $wpdb->get_results("SELECT * FROM wp_network_members WHERE category = '$_GET[network_category]' ORDER BY network_id ASC");

		foreach ($network_members as $member) {
			$list_members .= '<li><a href="/' . strtolower($member->f_name) . '-' . strtolower($member->l_name) . '-' . strtolower($member->company_name) . '">' . $member->company_name . ", " . $member->f_name . " " . $member->l_name . '</a></li>';
		}

		echo $list_members;

	}
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Any security issue with $_GET like this?

Post by Mordred »

There is nothing inherently wrong with $_GET, and almost no attacks can be done with $_GET but not with $_POST.

What you need to do is run anything you want to put in a query through the mysql_real_escape_string() function. More elaborate details - in the article in my signature.

// escapes quotes and other SQL metacharacters; requires an open mysql_* connection
$category = mysql_real_escape_string($_GET['network_category']);
// only the escaped copy is interpolated into the query
$network_members = $wpdb->get_results("SELECT * FROM wp_network_members WHERE category = '$category' ORDER BY network_id ASC");
someguyhere
Forum Contributor
Posts: 181
Joined: Sun Jul 27, 2008 3:24 pm

Re: Any security issue with $_GET like this?

Post by someguyhere »

In this case, the $_GET values come from links previously generated by PHP, but my concern was whether they could append something to the end of the URL, thus changing the $_GET values to do something malicious. My understanding from your post is that I don't need to worry about that?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Any security issue with $_GET like this?

Post by Mordred »

On the contrary. You do need to worry about malicious input appearing in $_GET. What I meant is that there is no difference between $_GET, $_POST, $_COOKIE and $_FILES - all can contain malicious input and you have to deal with it. That's what the various escaping functions are for.
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: Any security issue with $_GET like this?

Post by cpetercarter »

As well as 'escaping' $_GET values before putting them in the DB query, you can (in some cases at least) check them against a whitelist. If there is a finite list of possible values in the 'category' field in the DB table, you could check that $_GET['network_category'] contains one of these values, and unset it if it does not.
someguyhere
Forum Contributor
Posts: 181
Joined: Sun Jul 27, 2008 3:24 pm

Re: Any security issue with $_GET like this?

Post by someguyhere »

Should I use both approaches or would that be overkill?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Any security issue with $_GET like this?

Post by Mordred »

Both, but it is important to understand the purpose of both validation and escaping.

Validation means checking if the values are logically valid: if you expect a number but you get a string, or an array, or a number that is negative, or too high, etc. This is the domain of your "business logic". You and your application's needs dictate what "valid" data is.

Escaping is making sure values are values and not interpreted as other syntax elements in SQL, HTML, etc.

As such, validation is not a part of your security code, it's part of your application logic. It prevents bugs, not security exploits.

<rant>
Actually, my "unique theorizer" position :D mandates me to say that escaping can be viewed in the same way, not a security measure, but simply bug prevention. I abhor all bugs, and as such I am entitled to that view :twisted: On the other hand, security bugs can be way more severe than "regular" bugs, so it's healthy to draw a line between normal bugs and security bugs and say to yourself "I may ship a buggy software, but at least they won't be security bugs".
</rant>
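Putting cpetercarter's whitelist check and the validation/escaping split described above together, as an added example that is not code from this thread: validation decides whether the category is one the application knows, escaping keeps the value a value in both the SQL and the HTML context. It assumes WordPress's global $wpdb and the wp_network_members columns from the original post; the whitelist values are constructed.

```php
<?php
// Added example, not code from the thread. Assumes WordPress's global $wpdb
// and the wp_network_members table from the original post.

/** Constructed whitelist: the finite set of categories the table actually uses. */
const NETWORK_CATEGORIES = ['supplier', 'partner', 'customer'];

/**
 * Validation (business logic): return the category only if it is one of the
 * known values, otherwise null. Strict in_array() avoids loose comparisons and
 * the is_string() check rejects array input such as ?network_category[]=x.
 */
function validate_category($raw) {
    if (!is_string($raw) || !in_array($raw, NETWORK_CATEGORIES, true)) {
        return null;
    }
    return $raw;
}

/**
 * Escaping for SQL: the value never touches the query string directly;
 * $wpdb->prepare() quotes and escapes the %s placeholder.
 */
function fetch_network_members($wpdb, $category) {
    $sql = $wpdb->prepare(
        "SELECT f_name, l_name, company_name FROM wp_network_members "
        . "WHERE category = %s ORDER BY network_id ASC",
        $category
    );
    return $wpdb->get_results($sql);
}

/** Escaping for HTML: each DB field is escaped for the context it lands in. */
function render_member_list(array $members) {
    $html = '';
    foreach ($members as $m) {
        $slug  = strtolower("{$m->f_name}-{$m->l_name}-{$m->company_name}");
        $label = "{$m->company_name}, {$m->f_name} {$m->l_name}";
        $html .= '<li><a href="/' . rawurlencode($slug) . '">'
               . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a></li>';
    }
    return $html;
}

$category = validate_category($_GET['network_category'] ?? null);
if ($category !== null) {
    echo render_member_list(fetch_network_members($wpdb, $category));
}
```

A rejected category simply renders nothing, which is the "unset it if it does not" behaviour suggested earlier in the thread.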
someguyhere
Forum Contributor
Posts: 181
Joined: Sun Jul 27, 2008 3:24 pm

Re: Any security issue with $_GET like this?

Post by someguyhere »

OK... I'm in the process of fixing the code with the recommendations you all made here.

Thanks!