
Is my script secure?



tokyo_robot
12-23-2006, 09:07 AM
Let me start out by saying that I'm not using SQL or any databases...

With that said, below is a script that uses superglobal arrays to pass data to a form using a URL like: http://www-site-com/index.php?price=100.00&title=laptop

What would you do to make this script more secure?



<?php
// Validate a named $_GET parameter against a pattern chosen by name.
function getIt($value){
    if($_GET[$value]) {
        switch ($value) {
            case 'price':
                // dollar sign, digits and dot only, 1-20 characters
                $pattern = '/^[$0-9.]{1,20}$/';
                break;
            case 'title':
                // alphanumeric only, 1-100 characters
                $pattern = '/^[0-9a-zA-Z]{1,100}$/';
                break;
        }
        if (preg_match($pattern,$_GET[$value])) {
            return $_GET[$value];
        }
    }
    return false;
}
?>

<input type="text" name="price" value="<?php echo getIt("price")?>">
<input type="text" name="title" value="<?php echo getIt("title")?>">



Can you spot any security holes?

Thanks!

grimpirate
12-23-2006, 08:47 PM
Not exactly sure what you mean by more secure. However, since you're using the $_GET array people can see the values and the variables you're passing easily by looking at the address bar. You might consider using the $_POST array as opposed to the $_GET array. The $_POST method's contents are also available for viewing but it's more obscure to novice computer users. Also, your script seems to be performing data validation against the variables passed in the $_GET array so rather than doing if($_GET[$value]) I think it would be better to do if(isset($_GET[$value])). You might also include a default case value into your switch and have it return false if the input you wanted is not what was given, because I could easily pass a variable into your form using the $_GET URL to mess it up.

tokyo_robot
12-25-2006, 12:16 AM
Thank you for your help...

It's ok if people see the variables and values. I'm going to be sending my customers these URLs anyways, so I want them to see the price and title.

Also, would you mind showing me exactly how to include a default case value into my switch and have it return false if the input is invalid?

Thanks!

Crimsonjade
12-25-2006, 12:42 AM
switch ($i) {
    case 0:
        echo "i equals 0";
        break;
    case 1:
        echo "i equals 1";
        break;
    case 2:
        echo "i equals 2";
        break;
    default:
        // runs when no case matched
        echo "i is not equal to 0, 1 or 2";
}


http://us2.php.net/manual/en/control-structures.switch.php
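The original getIt() with the isset() check and default case suggested in grimpirate's reply applied, plus escaping at the output point. This is an added example, not code from the thread; the attr() helper name and the sample $_GET values are constructed.

```php
<?php
// Added example: getIt() from the thread with isset(), a default case, and
// output escaping. attr() and the sample request below are constructed.

// Return the validated value of $_GET[$name], or false.
// Unknown parameter names hit the default case and are rejected, which also
// avoids the undefined $pattern the original script had for unknown names.
function getIt($name)
{
    // isset() avoids the "undefined index" notice when the parameter is absent.
    if (!isset($_GET[$name])) {
        return false;
    }

    switch ($name) {
        case 'price':
            $pattern = '/^[$0-9.]{1,20}$/';
            break;
        case 'title':
            $pattern = '/^[0-9a-zA-Z]{1,100}$/';
            break;
        default:
            // Parameter not on the whitelist: reject it outright.
            return false;
    }

    if (preg_match($pattern, $_GET[$name]) === 1) {
        return $_GET[$name];
    }
    return false;
}

// Escape a value for use inside a double-quoted HTML attribute. The patterns
// above already exclude quotes and angle brackets, but escaping at the output
// point keeps the form safe if a pattern is loosened later.
function attr($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request, standing in for ?price=100.00&title=laptop&color=red
$_GET = ['price' => '100.00', 'title' => 'laptop', 'color' => 'red'];
?>
<input type="text" name="price" value="<?php echo attr(getIt('price')); ?>">
<input type="text" name="title" value="<?php echo attr(getIt('title')); ?>">
<input type="text" name="color" value="<?php echo attr(getIt('color')); ?>">
```

With the sample request, price and title are filled in and color stays empty because it is not on the whitelist.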


