
how secure is this file (technique)

Posted: Sat Sep 23, 2006 11:28 pm
by rami
I have this strategy to take data from a search box, which takes input and passes the data to this page with GET:

<?php
// Escape, strip tags and unslash every GET value in place.
function cleanall()
{
    foreach ($_GET as $key => $val) {
        $_GET[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
        // note: this only creates a variable local to cleanall(), not a global
        $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
    }
}

// run the cleaner before any value is copied out of $_GET
// (the original called it after the copies had already been made)
cleanall();

echo "<div class=\"box_title_blue\">Following bbb has been found for this query</div>";

// category: strictly numeric, from the database; default to 0 (all) if not set
$cb = isset($_GET['cb']) ? $_GET['cb'] : 0;
$cb = (int) $cb;

// experience: also strictly numeric; default to 0 if not set
$exp = isset($_GET['exp']) ? trim($_GET['exp']) : 0;
$exp = (int) $exp;

// job type: either 'a' for all or some number; default to 0 if not set
// (the original tested the key without isset(), so a missing key hit the
//  error branch instead of the default)
if (isset($_GET['jobt']) && !ctype_alnum($_GET['jobt'])) {
    echo "only A-Z a-z 0-9 are Allowed";
    exit();
} else {
    $jobt = isset($_GET['jobt']) ? $_GET['jobt'] : 0;
}

// qualification: 'a' or some number; default to 0 if not set
if (isset($_GET['edu']) && !ctype_alnum($_GET['edu'])) {
    echo "only A-Z a-z 0-9 are Allowed";
    exit();
} else {
    $edu = isset($_GET['edu']) ? $_GET['edu'] : 0;
}

$city = isset($_GET['city']) ? $_GET['city'] : 0; // city, will be alphanumeric
$city = trim($city); // trim whitespace (the original trimmed an undefined $var)

$sal1 = isset($_GET['sal1']) ? $_GET['sal1'] : 0; // strictly numeric
$sal1 = (int) $sal1;
$sal2 = isset($_GET['sal2']) ? $_GET['sal2'] : 9999999; // numeric
$sal2 = (int) $sal2;

require_once('../../dbconnect.php');
$query = "SELECT * FROM table WHERE category=$cb AND salary>$sal1 AND salary<$sal2 AND experi>=$exp";
How secure is this code, and from where can a cracker crack this? Especially SQL injection, but others as well.
I am still updating it, but are there any security loopholes?
Can it be made better?
By the way, it takes care of datatypes and ' " and all, but I am concerned about somebody passing a command through GET, like

SHUTDOWN and all.
How can I integrate protection from that part in this code?

I notice that when I use GET, all values are seen in the address bar, which provokes the user to change data and see the result. So is it

good to use POST here?
What can be the disadvantages of doing so?

Posted: Sat Sep 23, 2006 11:49 pm
by toasty2
There aren't really any disadvantages to using POST. I usually use GET for simple, unimportant data and POST for important or lots of data.

Posted: Sun Sep 24, 2006 12:27 am
by MrPotatoes
Still gotta clean the POST data.

That is one thing that I've got to learn how to do.. :(

Posted: Sun Sep 24, 2006 2:04 am
by Mordred
The difference between GET and POST is (or should be) not only in their mechanism, but also in their semantics.

Use GET in situations where no changes are made to a system (excluding trivialities like logging).
Use POST otherwise.

If you need to pass lots of data which still doesn't change the system, you can substitute GET with POST.
It is not advisable to do the opposite.

Imagine you have links like delete.php?id=123 in your page. It is wrong, because you've put POST semantics into GET mechanics. One day googlebot comes and clicks all your links, thus deleting all your entries. This has happened for real to at least one wiki system out there :) There are similar issues with human users with proxies, so don't feel "secure" about having wrong links only in your login protected pages.

Note that your query is immutable - so it's safe to use GET, even more, since it looks like a search it is strongly recommended to use GET, so the SERPs could be bookmarked.

Posted: Sun Sep 24, 2006 11:53 am
by rami
But how secure is this file or the method I have used?

Posted: Thu Sep 28, 2006 8:33 pm
by printf
One of the biggest things I see is people wasting time trying to make a variable safe! Any script should be governed by what it expects; by preprocessing a used SUPER GLOBAL, you spend less time wasting time. Setting up a centralized generic SUPER GLOBAL handler that uses CASTING and cleaning based on the assigned CAST TYPE is so much better than doing all kinds of unneeded if() block testing.

me!
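Following printf's suggestion of one centralized handler that casts each superglobal value by a declared type, here is an added example (not code from the thread) applied to the parameters of rami's search page; filter_params, the type names and the $pdo connection are assumptions. It is stricter than a bare (int) cast, since a value like "5abc" or "1; SHUTDOWN" is rejected rather than silently truncated.

```php
<?php
// Spec maps parameter name => [type, default]. Types (assumed names):
//   'int'      integer only, else default
//   'alnum'    ctype_alnum() string only, else default
//   'a_or_int' the literal 'a' (all) or an integer, as rami's jobt/edu use
function filter_params(array $source, array $spec): array
{
    $out = [];
    foreach ($spec as $name => [$type, $default]) {
        $raw = isset($source[$name]) ? trim((string) $source[$name]) : null;
        switch ($type) {
            case 'int':
                $out[$name] = ($raw !== null && preg_match('/^-?\d+$/', $raw)) ? (int) $raw : $default;
                break;
            case 'alnum':
                $out[$name] = ($raw !== null && ctype_alnum($raw)) ? $raw : $default;
                break;
            case 'a_or_int':
                if ($raw === 'a') {
                    $out[$name] = 'a';
                } elseif ($raw !== null && ctype_digit($raw)) {
                    $out[$name] = (int) $raw;
                } else {
                    $out[$name] = $default;
                }
                break;
            default:
                throw new InvalidArgumentException("unknown type for $name");
        }
    }
    return $out;
}
$p = filter_params($_GET, [
    'cb'   => ['int', 0],
    'exp'  => ['int', 0],
    'sal1' => ['int', 0],
    'sal2' => ['int', 9999999],
    'jobt' => ['a_or_int', 'a'],
    'edu'  => ['a_or_int', 'a'],
    'city' => ['alnum', ''],
]);
// Every value is now an int or a string from a fixed alphabet, so quotes or
// keywords can never reach the query: they fail the check and fall back to
// the default. Bound parameters ($pdo assumed to be a PDO connection made in
// dbconnect.php) keep the data out of the SQL text anyway.
$stmt = $pdo->prepare('SELECT * FROM table WHERE category = :cb AND salary > :sal1'
    . ' AND salary < :sal2 AND experi >= :exp');
$stmt->execute([':cb' => $p['cb'], ':sal1' => $p['sal1'],
                ':sal2' => $p['sal2'], ':exp' => $p['exp']]);
```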