Passing Vars through Url and security


2bz2p
07-08-2008, 02:51 AM
Hi,

So I saw this in another post and was curious to know what this meant:

if you're passing any vars through the address bar, make sure it's secure and that the values can't be changed to send evil code through to your app or database

I rearrange my PHP to pass the variables through the address bar.

Thanks
2b

davidj
07-08-2008, 07:25 AM
If a user can change a value through the address bar which could damage your app, then you're passing the info incorrectly.

You need to validate all data passed.

You wouldn't pass passwords through the address bar.

Also clean all data against SQL injection attacks.

2bz2p
07-08-2008, 12:50 PM
You need to validate all data passed.

Also clean all data against SQL injection attacks.

How would you do these two?

Thanks
2b

davidj
07-08-2008, 04:48 PM
OK, let's look at what a SQL injection is.

A normal query is as follows, catching info from 'formfield'...


$VAR = $_POST['formfield'];

$sql = "SELECT * FROM TABLE WHERE FIELDVAL='$VAR'"; // $VAR is dropped straight into the SQL string


What if I was to key the following into 'formfield'?

x' OR PASSWORD LIKE '%' AND PASSWORD !='

OK, you can see x, then I terminate the built-in SQL clause by adding my own terminating quote. This then allows me to add my own AND / OR clause and create some evil shite.

davidj
07-08-2008, 04:55 PM
To validate form data you should pass it through a "washing machine" function (just made that up!) which will look through the form data, remove any illegal chars and prepare the data for the database.

Once you build one you will use it in all your apps.

2bz2p
07-08-2008, 05:27 PM
I see, so it's basically when you have a form on one page and then pass the info through the address bar and catch it on another page to be inputted into the DB, and the washing machine will make sure (for example) email addys are in the correct format and whatnot.

davidj
07-08-2008, 05:31 PM
Formatting of an email address is not of importance, but ripping out or escaping quotes is.

2bz2p
07-08-2008, 05:35 PM
Okay, is this (pardon my lack of knowledge) where you would put trim?


$var = trim($_POST['formfield']);

(Going off a very small amount of memory)

Thanks
2b

davidj
07-08-2008, 07:07 PM
http://uk2.php.net/addslashes

2bz2p
07-08-2008, 11:54 PM
So what you're saying is any forms/variables that are entered into the DB should have addslashes applied to them.

davidj
07-09-2008, 06:48 AM
Yes, and you can use stripslashes to remove them on the way out.

You could just remove them (quotes) altogether if you wanted.
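The injection davidj walks through earlier in the thread, together with the quote-escaping step he points to via addslashes and a parameterised query beside it, as an added example that is not code from this thread or from PHP's documentation. It runs on Python's built-in sqlite3 rather than PHP/MySQL so it can be executed as-is offline; the table, its column names, the sample rows and the example URL are constructed for the demonstration. It also shows two caveats a practitioner would want: SQLite escapes a quote by doubling it where addslashes() uses MySQL's backslash convention, so an escape routine is tied to the database it targets, and escaping only protects a value that actually sits between quotes.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The payload from the thread, exactly as davidj keyed it into 'formfield'.
PAYLOAD = "x' OR PASSWORD LIKE '%' AND PASSWORD !='"

# Constructed example of the same value arriving through the address bar
# (the URL and parameter name are assumptions, not from the page).
EXAMPLE_URL = ("http://example.com/app.php?formfield="
               "x%27+OR+PASSWORD+LIKE+%27%25%27+AND+PASSWORD+%21%3D%27")


def make_db():
    """Constructed sample data standing in for the thread's TABLE; the
    column names id / fieldval / password are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, fieldval TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "o'brien", "pw")],
    )
    return conn


def formfield_from_url(url):
    """Address-bar variant of the input: $_GET instead of $_POST. The value
    arrives URL-decoded and needs exactly the same handling as form data."""
    return parse_qs(urlsplit(url).query)["formfield"][0]


def query_interpolated(conn, var):
    """The pattern from the thread: the request value is pasted into the SQL,
    so a quote in it closes the literal and the rest becomes SQL."""
    sql = "SELECT fieldval FROM users WHERE fieldval='%s'" % var
    return sorted(row[0] for row in conn.execute(sql))


def escape_quotes(var):
    """The quote-escaping step of the 'washing machine'. PHP's addslashes()
    puts a backslash before quotes, which is MySQL's syntax; SQLite, used
    here, escapes a quote by doubling it. An escape routine is therefore
    tied to the database it targets."""
    return var.replace("'", "''")


def query_escaped(conn, var):
    """Same interpolated query, after escaping: the quote can no longer
    terminate the literal, and a legitimate apostrophe survives."""
    return query_interpolated(conn, escape_quotes(var))


def query_parameterised(conn, var):
    """Prepared statement: the value is bound separately and never becomes
    part of the SQL text, so nothing in it can change the query's shape."""
    sql = "SELECT fieldval FROM users WHERE fieldval=?"
    return sorted(row[0] for row in conn.execute(sql, (var,)))


def query_by_id_escaped(conn, var):
    """Escaping only protects a value that sits between quotes. Here the
    value is compared as a bare number, so a payload without any quote
    passes through escape_quotes() untouched and still injects."""
    sql = "SELECT fieldval FROM users WHERE id=%s" % escape_quotes(var)
    return sorted(row[0] for row in conn.execute(sql))


if __name__ == "__main__":
    db = make_db()
    print("interpolated: ", query_interpolated(db, PAYLOAD))      # every row
    print("escaped:      ", query_escaped(db, PAYLOAD))           # []
    print("parameterised:", query_parameterised(db, PAYLOAD))     # []
    print("from URL:     ", formfield_from_url(EXAMPLE_URL) == PAYLOAD)
    print("id, escaped:  ", query_by_id_escaped(db, "1 OR 1=1"))  # every row
```

Run it and the interpolated query returns every row for the thread's payload, because the injected OR clause is true for any user with a non-empty password; the escaped and parameterised versions return nothing for it yet still find "o'brien", which the interpolated form cannot even query without a syntax error. The last function is the caveat: with the value compared unquoted, `1 OR 1=1` sails through the escaping, which is why a prepared statement, rather than escaping alone, is the robust form of the washing machine.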