  1. #1
    New Coder
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    24
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Is this a security threat

    Hi there

    I have a question regarding a potential security issue!

    I use the following code on one of my websites:

    PHP Code:
    // Get the user specific info from the URI Address:
    $navString = htmlspecialchars($_SERVER['REQUEST_URI']);

    $parts = explode('/', $navString); // Break into an array
    // Note: a URI such as /news/item splits as '', 'news', 'item', so $folder1 is the empty string before the first slash.
    list($folder1, $folder2, $folder3) = explode('/', $navString); // Break into an array using a list
    Originally, I was not using htmlspecialchars!

    But after some hours' worth of reading I realised that $_SERVER['REQUEST_URI'] can be manipulated by an unscrupulous website visitor!

    The issue I have is that I use $folder1 $folder2 etc to 'know' where my visitor is on the website and also to determine what to show on the particular website page.

    So, for example on my page header, to display the correct title, I would use something along the lines of:

    PHP Code:
    if ($folder1) {
        if ($folder1 == 'news') { echo 'The News'; }
        elseif ($folder1 == 'contact') { echo 'Contact Page'; }
        else { echo 'Some other page'; }
    } else {
        echo 'Home Page';
    }

    What I need to know is whether this is safe/secure or whether I should be doing something else with the $_SERVER['REQUEST_URI'] to clean it up?

    Many thanks

    K
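A safer shape for the routing in the question, added here as an example rather than code from the thread: route on the path component only, check every segment against a strict character class, and take the title from a fixed whitelist, so the raw REQUEST_URI is never echoed or handed to a query. It assumes PHP 7.1 or later; the section names and titles are the ones from the post.

```php
<?php
// Added example, not the poster's code. Routes on the path part of REQUEST_URI and
// takes the page title from a fixed whitelist, so the raw URI is never echoed or
// queried. Assumes PHP 7.1 or later; the section names are the ones from the post.

function uriSegments(string $requestUri): ?array
{
    // Only the path is used for routing; query string and fragment are dropped.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null; // seriously malformed URI
    }

    // explode('/', '/news/item') gives ['', 'news', 'item']: drop the empty pieces
    // so that $segments[0] is the first real folder, not an empty string.
    $segments = array_values(array_filter(explode('/', $path), function ($s) {
        return $s !== '';
    }));

    // Each segment may contain only the characters the site uses in folder names.
    foreach ($segments as $segment) {
        if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $segment)) {
            return null; // unexpected characters: treat the whole URI as unknown
        }
    }
    return $segments;
}

function pageTitle(?array $segments): string
{
    // Whitelist of known sections; anything else falls through to the generic title.
    $titles = [
        'news'    => 'The News',
        'contact' => 'Contact Page',
    ];
    if ($segments === null || !isset($segments[0])) {
        return 'Home Page';
    }
    return $titles[$segments[0]] ?? 'Some other page';
}

$segments = uriSegments($_SERVER['REQUEST_URI'] ?? '/');
list($folder1, $folder2, $folder3) = array_pad($segments ?? [], 3, null);

// Encoding happens at output time: htmlspecialchars protects the HTML written here,
// it does not make a value safe for routing or for SQL.
echo '<title>' . htmlspecialchars(pageTitle($segments), ENT_QUOTES, 'UTF-8') . '</title>';
```

The point of the split is that htmlspecialchars is an output encoder: it stops a value from breaking HTML when it is printed, but it says nothing about whether the value is a valid folder name. Validation (the regexp and the whitelist) decides what the URI is allowed to be; encoding is applied once, at the echo.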

  • #2
    Fumigator (UE Antagonizer)
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    So what's the worst that could happen? Someone could make it look like the news page when they are really sitting on the knitting page? What harm will that cause?

  • #3
    poyzn (Regular Coder)
    Join Date
    Nov 2010
    Posts
    266
    Thanks
    2
    Thanked 61 Times in 61 Posts
    If you want to filter the URI and your PHP version is >= 5.2, you can use the following string

    PHP Code:
    $navString = filter_var($_SERVER['REQUEST_URI'], FILTER_VALIDATE_REGEXP, array('options' => array('regexp' => '/^[a-z0-9\.\_\-\/]*$/i')));
    Last edited by poyzn; 11-09-2010 at 05:59 AM.


  • #4
    New Coder
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    24
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Fumigator View Post
    So what's the worst that could happen? Someone could make it look like the news page when they are really sitting on the knitting page? What harm will that cause?
    Ah yes!!!! I should have expanded a little more!

    But, the strings (folder1 etc.) are also used for MySQL queries within functions, i.e.:

    function_name($folder1, $folder2)

    which then does a MySQL SELECT query dependent on those variables....

    So, I understand that I need to escape/sanitise the variables I've created... I used the following code:

    PHP Code:
    if (get_magic_quotes_gpc()) {
        $folder1 = stripslashes($folder1);
    }
    $folder1 = mysql_real_escape_string($folder1);

    if (get_magic_quotes_gpc()) {
        $folder2 = stripslashes($folder2);
    }
    $folder2 = mysql_real_escape_string($folder2);

    if (get_magic_quotes_gpc()) {
        $folder3 = stripslashes($folder3);
    }
    $folder3 = mysql_real_escape_string($folder3);


    Now, my questions are:
    1. Does get_magic_quotes_gpc() act on $_SERVER['REQUEST_URI'] ?

    And, after trying the above - my page titles failed to show - it just gave me the default page title, Home Page, so:

    2. Any other suggestions please?!


    Thank you poyzn for your reply - I am not aware of this - so off for a read in the meantime!

    Many thanks

    K
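The "GPC" in magic_quotes_gpc stands for Get, Post and Cookie, and the escaping above only helps when every query that later uses the variables is built by string concatenation. A way to take both questions out of play, added here as an example and not code from the thread: validate the shape of each segment, then pass it to the query as a bound parameter. It assumes $folder1 and $folder2 come from the REQUEST_URI split shown earlier, a pages table with section, slug, title and body columns, PHP 7.1 or later, and placeholder database credentials.

```php
<?php
// Added example, not the poster's code. Looks a page up with a PDO prepared statement
// instead of mysql_real_escape_string. Assumptions: $folder1/$folder2 come from the
// REQUEST_URI split shown in the thread; a `pages` table with `section`, `slug`,
// `title` and `body` columns; the DSN and credentials are placeholders. PHP 7.1+.

function fetchPage(PDO $db, string $folder1, string $folder2): ?array
{
    // Validate the shape of each routing segment first. This check does not depend on
    // magic_quotes_gpc: a value that matches the pattern contains no quotes or slashes.
    foreach ([$folder1, $folder2] as $segment) {
        if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $segment)) {
            return null; // unknown or malformed page; the caller shows the default
        }
    }

    // Bound parameters travel separately from the SQL text, so the values can never
    // change the structure of the query.
    $stmt = $db->prepare(
        'SELECT title, body FROM pages WHERE section = :section AND slug = :slug LIMIT 1'
    );
    $stmt->execute([':section' => $folder1, ':slug' => $folder2]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

$db = new PDO(
    'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', // placeholder DSN
    'EXAMPLE_USER',                                            // placeholder credentials
    'EXAMPLE_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let MySQL prepare the statement, not the driver
    ]
);

$page = fetchPage($db, $folder1 ?? '', $folder2 ?? '');
if ($page === null) {
    echo 'Home Page';
} else {
    echo htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
}
```

With placeholders the value is never part of the SQL string, so the escaping step is not needed and the page title logic can keep comparing against the plain, unescaped segment.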

  • #5
    New Coder
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    24
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Hey poyzn

    Thank you for your suggestion - I have implemented it and it works! I have had a quick read on the filter function but need some more time to digest exactly what it is doing there!

    The only issue, which isn't a huge problem, is that I have some $_GET calls that are used on some of the news pages, e.g.:

    Code:
    http://www.domainname.com/folder1/index.php?newsid=11
    For this, the default webpage name, Home Page, is used. It ignores the fact that we are on the news ($folder1) pages.

    K

  • #6
    poyzn (Regular Coder)
    Join Date
    Nov 2010
    Posts
    266
    Thanks
    2
    Thanked 61 Times in 61 Posts
    If you want to pass a URI with a GET call, just add some symbols to the regexp string:
    PHP Code:
    $navString filter_var($_SERVER['REQUEST_URI'], FILTER_VALIDATE_REGEXP, array('options' => array('regexp' => '/^[a-z0-9\.\_\-\?\=\&\/]*$/i'))); 
    but you can use a more friendly path like /folder1/news/11
    Last edited by poyzn; 11-09-2010 at 07:02 AM.
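To see what the two suggested patterns accept and reject, and how the friendlier /news/11 form can be routed with a whitelisted section and an integer id, here is an added example that is not poyzn's code. The sample URIs are constructed for the example (the first one is the $_GET form from post #5, which the path-only pattern rejects), and the section names are the ones from the thread; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not poyzn's code. Compares the two regexps from the thread on a few
// constructed URIs, then routes the friendly /section/id form with a whitelisted
// section and a numeric id. Assumes PHP 7.1 or later.

const PATH_ONLY_RE  = '/^[a-z0-9\.\_\-\/]*$/i';        // pattern from post #3
const WITH_QUERY_RE = '/^[a-z0-9\.\_\-\?\=\&\/]*$/i';  // pattern from post #6

function isAcceptedUri(string $uri, string $regexp): bool
{
    // filter_var returns false when the string does not match the whole pattern.
    $result = filter_var($uri, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => $regexp]]);
    return $result !== false;
}

function routeFriendlyPath(string $uri): ?array
{
    // Route on the path only; the query string is ignored for this URL style.
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    // Section must be one of the known names; the optional id must be all digits.
    if (!preg_match('#^/(news|contact)(?:/([0-9]{1,9}))?/?$#', $path, $m)) {
        return null; // unknown section or a non-numeric id
    }
    return [
        'section' => $m[1],
        'id'      => isset($m[2]) ? (int) $m[2] : null, // integer, ready for a bound parameter
    ];
}

// Constructed sample URIs: the $_GET form from the thread, the friendly form,
// and two values that neither pattern should let through.
$samples = [
    '/news/index.php?newsid=11',
    '/news/11',
    '/news/11;drop',
    '/news/<script>',
];
foreach ($samples as $uri) {
    printf(
        "%-28s path-only:%-3s with-query:%-3s route:%s\n",
        $uri,
        isAcceptedUri($uri, PATH_ONLY_RE) ? 'ok' : 'no',
        isAcceptedUri($uri, WITH_QUERY_RE) ? 'ok' : 'no',
        json_encode(routeFriendlyPath($uri))
    );
}
```

The character-class regexps answer "does this URI contain only characters I expect", which is a useful first gate, but they accept any path built from those characters. The route function adds the second gate: only the named sections are recognised, and the id is cast to an integer before it goes anywhere near a query.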

