PHP security question
Hal Halloway 2005-01-15, 3:56 am
Below is a line of PHP code I'm using that is making me nervous. I want
to ask what I can do in the target PHP file (details.php) to make sure
nothing evil is done to me. Below I cite the one line in question:

$d_content_cut = $d_content.'...<a STYLE="color:goldenrod;
border-bottom: 2px solid;"
href=details.php?id='.$pg_id.'&Type_view=detail&Type_Submit='.$Type_Submit.'&key_word='.urlencode($highlight).'>more</a>';

Here's more info:

- $d_content_cut appears in an HTML table as some text with a link tagged
on at the end of this text (as you can see). Click the link and you'll
see more detail on that particular item on a new page called details.php.

- I'm doing a "GET".

- id='.$pg_id This is the primary key for the MySQL DB item. It's an
integer and I put it in a SELECT statement with mysql_query to get the
record I need to show.

- &Type_view=detail&Type_Submit='.$Type_Submit These are data I need
to properly process the detail page. I hard code "detail" because I know
if I am doing a GET from this stage in my code it's gotta be "detail".
The var $Type_Submit can be one of four (4) strings, so at least I know
if it's not one of those 4 it's bogus.

- '&key_word='.urlencode($highlight).'>more</a>'; $highlight could be
anything because it's what the user entered as search keywords. Yes, I
escaped it when I searched in MySQL, but in a GET a user could
change it, couldn't they(?). I need to pass it along in the GET.

So what could I do, esp. in details.php where I process this GET, to make
sure evil is not done to me?

Thanks sincerely.
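As an added example that is not part of this thread: one way details.php could check the four GET parameters described above. It assumes a mysqli connection in $db, a placeholder table items with columns id and content, and placeholder names for the four Type_Submit values; it uses a mysqli prepared statement in place of the mysql_query/mysql_real_escape_string approach the thread mentions.

```php
<?php
// Added example, not code from the thread. Placeholders: $db (mysqli
// connection), table "items" with columns "id" and "content", and the four
// Type_Submit values ('typeA' .. 'typeD'), which stand in for the real ones.
function reject($msg) {
    header('HTTP/1.0 400 Bad Request');
    exit(htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'));
}

// 1. id: the MySQL primary key. Accept only a string of digits, then cast,
//    so nothing but an integer ever reaches the SELECT.
if (!isset($_GET['id']) || !ctype_digit($_GET['id'])) {
    reject('Invalid id');
}
$id = (int) $_GET['id'];
// 2. Type_view: the caller hard-codes "detail"; anything else is bogus.
if (!isset($_GET['Type_view']) || $_GET['Type_view'] !== 'detail') {
    reject('Invalid Type_view');
}
// 3. Type_Submit: compare against the whitelist of four allowed strings
//    (strict comparison, so a type-juggled value cannot slip past in_array).
$allowed_submit = array('typeA', 'typeB', 'typeC', 'typeD'); // placeholders
if (!isset($_GET['Type_Submit'])
    || !in_array($_GET['Type_Submit'], $allowed_submit, true)) {
    reject('Invalid Type_Submit');
}
$type_submit = $_GET['Type_Submit'];
// 4. key_word: free text the user typed, so it can be anything. Treat it
//    as data: bound its length, keep it out of raw SQL, escape it for HTML.
$highlight = isset($_GET['key_word']) ? (string) $_GET['key_word'] : '';
$highlight = substr($highlight, 0, 100);

// Fetch the record with a prepared statement: the bound integer can never
// change the shape of the query, whatever the URL contained.
$stmt = $db->prepare('SELECT content FROM items WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($content);
if (!$stmt->fetch()) {
    header('HTTP/1.0 404 Not Found');
    exit('No such item');
}
$stmt->close();

// Echo the keyword back only after HTML-escaping it, so a crafted key_word
// in the link cannot inject markup or script into details.php.
$safe_highlight = htmlspecialchars($highlight, ENT_QUOTES, 'UTF-8');
echo '<p>Search term: ' . $safe_highlight . '</p>';
echo '<div>' . $content . '</div>';
```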
NoHeadRequired 2005-01-15, 3:56 am
"Hal Halloway" <Halloway@nospam.net> wrote in message
news:UwdEd.1318$C.517@trnddc05...
> Below is a line of PHP code I'm using that is making me nervous. I want
> to ask what I can do in the target PHP file (details.php) to make sure
> nothing evil is done to me. Below I cite the one line in question:
>
> $d_content_cut = $d_content.'...<a STYLE="color:goldenrod;
> border-bottom: 2px solid;"
> href=details.php?id='.$pg_id.'&Type_view=detail&Type_Submit='.$Type_Submit.'&key_word='.urlencode($highlight).'>more</a>';
>
<snip>
> So what could I do, esp. in details.php where I process this GET, to make
> sure evil is not done to me?
>
You could pass all the variables using sessions?
D.
Rather than passing the variables through the URL using GET, I usually
embed the variables in a form and use POST to retrieve them.

Also use mysql_real_escape_string() to prevent SQL injection.
"Hal Halloway" <Halloway@nospam.net> wrote in message
news:UwdEd.1318$C.517@trnddc05...
> Below is a line of PHP code I'm using that is making me nervous. I want to
> ask what I can do in the target PHP file (details.php) to make sure
> nothing evil is done to me. Below I cite the one line in question:
>
> $d_content_cut = $d_content.'...<a STYLE="color:goldenrod; border-bottom:
> 2px solid;"
> href=details.php?id='.$pg_id.'&Type_view=detail&Type_Submit='.$Type_Submit.'&key_word='.urlencode($highlight).'>more</a>';