Yes, very true. When dealing with externally provided data in your
script, always assume first that data is tainted, and make sure it
isn't before you try to do anything with it. Follow Richard & Greg's
advice on checking your data. You could also use some kind of
priveleged authentication thing, if the page you are using doesn't
have to be publicly accessible. But, ALWAYS check data before sending
it to the DB.
On Mon, 3 Jan 2005 08:58:15 -0800 (PST), Richard Lynch <ceo@xxxxxxxxx> wrote:
> Pablo D Marotta wrote:
> > Hi there..
> > I need to pass variables to a page through an html link.
> > I do it like this:
> >
> > <A href="Extra/excelListing3.php?buildQuery=<?php echo $buildQuery
> > ?>">Export</A>
> >
> > where 'buildQuery' is the variable I´m passing.
> >
> > In the destination page, I capture it with $_GET and that´s it.
> >
> > I want to know if there is any way of doing it without showing the
> > variables in
> > the direction bar.
>
> You could convert that to a POST quite easily:
> <FORM ACTION="Extra/excelListing3.php" METHOD="POST">
> <INPUT TYPE="HIDDEN" NAME="buildQuery" VALUE="<?php echo $buildQuery?>">
> <INPUT TYPE="SUBMIT" VALUE="Export">
> </FORM>
>
> NOTES:
> This is only nominally "more secure" than the GET argument version.
> Anybody with half a clue (okay a tenth of a clue) can use "View Source" in
> their browser to see your query.
>
> DEFINITELY follow Greg's advice and pass in *ONLY* the variables to your
> query, and go even further and check what comes in to be sure it "looks
> like" what you expect. For example, if you expect an integer, type-cast
> the value you get to an integer. If it should be positive, check that it
> *IS* positive. If there are only a limited number of valid values for a
> given input, make sure it fits.
>
> Examples:
> <?php
> //A MySQL record id: (positive integer)
> $record_id = (int) isset($_POST['record_id']) ? $_POST['record_id'] : NULL;
> if (!$record_id || $record_id < 1){
> //Log the actual bogus input, so you can figure out what the
> //bad guy is trying to do. Or what mistake you made sending the data.
> $invalid = @$_POST['record_id'];
> trigger_error("Invalid record ID: $invalid", E_USER_ERROR);
> }
>
> //A limited selection from radio/select/checkbox:
> $colors = array('red', 'blue', 'green');
> $color = isset($_POST['color']) ? $_POST['color'} : NULL;
> if (!in_array($color, $colors)){
> trigger_error("Invalid color: $color", E_USER_ERROR);
> }
> ?>
> For text chunks, use http://php.net/preg to filter out anything except
> what's a kosher character in what you expect people to type.
> Also use http://php.net/strlen to see if it's a reasonable length.
>
> For uploaded files, use the file-system 'file' command to see if it "looks
> right" For images, a simple http://php.net/getimagesize will be easier
> than that, and about as good, maybe even better.
>
> You CANNOT trust the data coming into your site from a browser.
>
> Sooner or later somebody will decide to mess with you.
>
> Protect yourself.
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
The Disguised Jedi
disguised.jedi@xxxxxxxxx
PHP rocks!
"Knowledge is Power. Power Corrupts. Go to school, become evil"
Disclaimer: Any disclaimer attached to this message may be ignored.
This message is Certified Virus Free
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
