input url sanitizing

Posted: Mon Apr 13, 2009 11:11 pm
by netmastan
Hi Guys,

I've written my own simple CMS. I'm just curious about the security.
All my page requests go to a controller called index.php. index.php checks if the requested URL exists in the database;
if so, it either includes the page or fetches the content from the database. I'm just worried about sanitizing my GET variable.
Is this code addslashes(htmlentities($_GET["rt"])) good enough for sanitizing?


//.htaccess
RewriteEngine on

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule !^(css|images|files)/ index.php [NC,L]
RewriteRule ^(.*)$ index.php?rt=$1 [L,QSA]


<?php
//http://wwww.mysite.com/aboutus/php-developer
$page=addslashes(htmlentities($_GET["rt"]));
// the "sanitized" alias is interpolated straight into the query string
$result=$db->query("SELECT * FROM ".PREFIX."_page WHERE page_url_alias='$page'");
$page=$db->fetch_array($result);
if($db->num_rows($result)==1){

    // check if the page uses a php file
    if(!empty($page['page_file'])){
        // the file name stored in the database is included as-is
        file_exists($page['page_file'])?include($page['page_file']):die("Sorry, page file doesn't exist");

    }else{
        // otherwise the content comes from the database row and goes to the template
        $tpl=new Template();
        $tpl->assign("content",$page);
        $tpl->display("page.tpl");

    }

}
?>

Re: input url sanitizing

Posted: Thu Apr 16, 2009 6:12 pm
by kaisellgren
addslashes() is not meant to protect you from SQL injections. Use the RDBMS specific escaping function for that purpose.

Re: input url sanitizing

Posted: Fri Apr 17, 2009 9:30 am
by Mordred
There is no such thing as general "sanitizing".
One "sanitizes" against a certain function, and uses the "clean" data only for that function.
If you only have such a catch-all solution, I can guarantee you you have problems.
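An added example (not code from any poster in this thread) of what the two replies describe: the route lookup from the question rewritten so each value is handled for the one context it is used in, with a bound SQL parameter instead of addslashes(), HTML escaping at output time, and an allowlisted directory for the included file. It assumes a PDO connection in $pdo, the PREFIX . '_page' table from the question, and a hypothetical pages/ directory for the includable files.

```php
<?php
// Added example, not the original CMS code. Assumes $pdo is an open PDO connection.
declare(strict_types=1);

const PREFIX = 'cms';                 // assumed table prefix
const PAGE_DIR = __DIR__ . '/pages';  // assumed directory holding includable page files

function lookupPage(PDO $pdo, string $alias): ?array
{
    // Validate first: a route alias is only letters, digits, '/', '-' and '_'.
    // Anything else is not a page, so reject it instead of trying to "clean" it.
    if (!preg_match('~^[A-Za-z0-9_/-]{1,200}$~', $alias)) {
        return null;
    }
    // SQL context: a bound parameter, not string escaping. The driver keeps the
    // value separate from the query text, so quotes in $alias cannot alter the SQL.
    $stmt = $pdo->prepare('SELECT * FROM ' . PREFIX . '_page WHERE page_url_alias = ?');
    $stmt->execute([$alias]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderPage(array $page): void
{
    if (!empty($page['page_file'])) {
        // Include context: only a bare file name inside PAGE_DIR, resolved with
        // realpath so a stored '../' or absolute path cannot escape the directory.
        $base = realpath(PAGE_DIR);
        $path = realpath(PAGE_DIR . '/' . basename($page['page_file']));
        if ($base === false || $path === false
            || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            http_response_code(404);
            exit("Sorry, page file doesn't exist");
        }
        include $path;
        return;
    }
    // HTML context: escape when the value is written into the page, not on input.
    echo '<h1>' . htmlspecialchars($page['title'] ?? '', ENT_QUOTES, 'UTF-8') . '</h1>';
    // Assumed editor-authored HTML from the database, as the question's template shows it.
    echo $page['content'] ?? '';
}

$page = lookupPage($pdo, $_GET['rt'] ?? '');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
renderPage($page);
```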