is this php code safe ?



zc1
07-07-2007, 11:24 AM
Hi,

Is the below code safe, and can it not be exploited?



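// Page handlers: each one only prints fixed text.
function indexpage()
{
    echo "This is the index page if no other pages are specified";
}

function page1()
{
    echo "This is page 1";
}

function page2()
{
    echo "This is page 2";
}



// The request value is only compared against fixed case labels;
// it is never printed, included or executed.
switch($_GET['page'])
{
    case 'page1':
        page1();
        break;

    case 'page2':
        page2();
        break;

    // Anything else, including a missing ?page=, shows the index page.
    default:
        indexpage();
}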

So that www.yoururl.com/phpfile.php


Regards,
Garry

GJay
07-07-2007, 12:15 PM
The only outcome there is an echo, so nothing to exploit.

The practice of using a switch'd 'whitelist' of pages though is a good one, rather than include-ing user-supplied data.
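
The whitelist approach from the reply above, carried over to the case where each page is a separate file, as an added example that is not part of the original thread. The `pages/` directory, the file names and the `resolve_page()` helper are hypothetical, and the array constants assume PHP 5.6 or later.

```php
<?php
// Added example: whitelist dispatch for included files.
// PAGE_DIR and the file names below are hypothetical.
const PAGE_DIR = __DIR__ . '/pages/';

// The only keys a visitor can select, each mapped to a fixed file.
const PAGES = [
    'index' => 'index.php',
    'page1' => 'page1.php',
    'page2' => 'page2.php',
];

/**
 * Resolve a user-supplied page name to a file on the whitelist.
 * Anything that is not an exact key falls back to the index page,
 * like the default: branch of the switch in the thread.
 */
function resolve_page($requested)
{
    // ?page[]=x arrives as an array; treat non-strings as "not specified".
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        $requested = 'index';
    }
    // The path is built only from constants, never from the request value.
    return PAGE_DIR . PAGES[$requested];
}

// Pattern to avoid: the request value becomes part of the path.
//   include $_GET['page'] . '.php';

// Whitelisted form: the request value only selects a key in PAGES.
$file = resolve_page(isset($_GET['page']) ? $_GET['page'] : null);

if (is_file($file)) {
    include $file;
} else {
    // A whitelisted page whose file is missing on disk.
    http_response_code(404);
    echo 'Page not found';
}
```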

matak
07-07-2007, 12:36 PM
Just write something in the url like

yoururl.com/?page=sometexthere

If your text echoes, or shows nothing, then it is not safe, but if it shows the index page then it's ok.

zc1
07-07-2007, 01:03 PM
Hi,

Thank you for all your replies.

I have got this working but I did not use function xxxx() bits and just put it straight into the switch code as it was giving errors when using the function xxxx()

xxxx = name of function

I presume this is ok to do?

Regards,
Garry

zc1
07-07-2007, 06:58 PM
Hi,

Is it also safe to use the form post command to a file like filename.php?id=1? So the HTML looks like


<form name="frmSignup" id="frmSignup" method="post" action="filename.php?id=1" onsubmit="javascript: return validateme(this);">

Using the same PHP layout as what I posted above, but without the functions bit, and I changed the echo bit for code from a script I am using that submits data to the database and forwards you to another page.


