input url sanitizing

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

netmastan
Forum Newbie
Posts: 1
Joined: Mon Apr 13, 2009 9:44 pm

input url sanitizing

Post by netmastan »

Hi Guys,

I've written my own simple CMS. I'm just curious about the security.
All my page requests go to a controller called index.php. index.php checks if the requested URL exists in the database;
if so, it either includes the page or fetches the content from the database. I'm just worried about sanitizing my GET variable.
Is this code, addslashes(htmlentities($_GET["rt"])), good enough for sanitizing?


//.htaccess
RewriteEngine on

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule !^(css|images|files)/ index.php [NC,L]
RewriteRule ^(.*)$ index.php?rt=$1 [L,QSA]


<?php
// e.g. http://www.mysite.com/aboutus/php-developer  ->  rt=aboutus/php-developer
$page=addslashes(htmlentities($_GET["rt"]));
// look the alias up in the page table
$result=$db->query("SELECT * FROM ".PREFIX."_page WHERE page_url_alias='$page'");
$page=$db->fetch_array($result);
if($db->num_rows($result)==1){

    // check if the page uses a php file
    if(!empty($page['page_file'])){
        file_exists($page['page_file'])?include($page['page_file']):die("Sorry, page file doesn't exist");

    }else{
        // otherwise render the stored content through the template
        $tpl=new Template();
        $tpl->assign("content",$page);
        $tpl->display("page.tpl");

    }

}
?>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: input url sanitizing

Post by kaisellgren »

addslashes() is not meant to protect you from SQL injections. Use the RDBMS specific escaping function for that purpose.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: input url sanitizing

Post by Mordred »

There is no such thing as general "sanitizing".
One "sanitizes" against a certain function, and uses the "clean" data only for that function.
If you only have such a catch-all solution, I can guarantee you have problems.
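Putting both replies together, here is an added example (not the original poster's code or anyone's reply) of the same index.php flow with each value handled for the context it is actually used in: shape validation for the route, a prepared statement for the SQL, a directory check for the include, and HTML escaping only at output time. It assumes a PDO connection in $pdo, the PREFIX constant from the post, a pages/ directory next to index.php for page files, and plain-text title and content columns.

```php
<?php
// Added example, not the original poster's code. Assumes a PDO connection
// in $pdo, the PREFIX constant from the post, and a ./pages directory.

// 1. Route alias: validate the shape of the value instead of "cleaning" it.
$rt = isset($_GET['rt']) ? trim((string) $_GET['rt'], '/') : '';
if ($rt === '' || !preg_match('~^[a-z0-9-]+(/[a-z0-9-]+)*$~i', $rt)) {
    http_response_code(404);
    exit('Page not found');
}

// 2. SQL context: bind the value; no addslashes()/htmlentities() needed here.
$stmt = $pdo->prepare('SELECT * FROM ' . PREFIX . '_page WHERE page_url_alias = :alias');
$stmt->execute([':alias' => $rt]);
$page = $stmt->fetch(PDO::FETCH_ASSOC);
if ($page === false) {
    http_response_code(404);
    exit('Page not found');
}

// 3. Filesystem context: page_file comes from the database, but only a file
//    inside the known pages directory may be included (assumed location).
if (!empty($page['page_file'])) {
    $pagesDir = realpath(__DIR__ . '/pages');
    $file     = ($pagesDir !== false)
        ? realpath($pagesDir . '/' . basename($page['page_file']))
        : false;
    if ($file === false || strpos($file, $pagesDir . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit("Sorry, page file doesn't exist");
    }
    include $file;
} else {
    // 4. HTML context: escape when rendering, not when reading the input.
    //    Assumes plain-text title/content columns.
    $h = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    echo '<h1>' . $h($page['title'] ?? '') . '</h1>';
    echo '<div>' . $h($page['content'] ?? '') . '</div>';
}
```

The alias pattern is deliberately narrow; widen it only to the characters your URL scheme actually uses, since the database lookup is no longer what protects you from odd input.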