3 for the price of 1: url decode, apostrophes and linking



halifaxer
05-10-2009, 03:04 AM
OMG! This will be the end of me!

Have been struggling with these 2 issues and it always seems to come back to the same thing - urldecode!

This works:



<?php
echo '<div><img src="./imgs/'.$_GET["website"].'_banner.jpg" /></div>';
?>


This doesn't:



<?php
echo '<div><img src="./imgs/'.mysql_real_escape_string(urldecode($_GET["website"])).'_banner.jpg" /></div>';
?>


Essentially, I need to secure the $_GET["website"] variable to prevent attack. What's the issue?

Next is something more complicated. This involves the various single and double apostrophes in the syntax. The code:



<?php
$link["blue"] = "www.blue.co.uk";

echo '<p><strong><a href="/">$link["'.$_GET["website"].'"]</a></strong></p>';
?>

When $_GET["website"] = "blue", the link should display www.blue.co.uk.


And lastly, one that I really don't get because I'm pretty sure I've done this before. When I try to make a link source (a href="www.external.com") it comes up as www.mydomain.com/www.external.com

... Am I missing something so obviously simple I can pass it off as a result of fatigue with little embarrassment?

All help is appreciated!!! :thumbsup:

Len Whistler
05-10-2009, 04:19 AM
From the PHP manual, http://ca2.php.net/urldecode:


"The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results."


---------------------

halifaxer
05-10-2009, 01:51 PM
OK, granted.

If I take out the urldecode and focus on the my_real_string_escape... I'm still in the same position.

Any thoughts on this?

venegal
05-10-2009, 02:09 PM
What's the point of mysql_real_escaping it, if it never even gets to see a database, only an HTML tag?

It's a good thing you are trying to secure your site, but you won't have any success if you randomly use built-in functions without knowing what exactly they are there to prevent in the first place, and how exactly possible attacks work -- if the only thing you are doing with the $_GET is putting it as src in an <img> tag, you don't have to do anything. Worst case scenario the link won't work, and that's that; there's no exploit there.

Secondly, your quotes (not apostrophes) are very confused. Use

if (isset($_GET["website"]) && $link[$_GET["website"]]){
echo "<p><strong><a href='{$link[$_GET["website"]]}'>{$link[$_GET['website']]}</a></strong></p>";
}

or

if (isset($_GET["website"]) && $link[$_GET["website"]]){
echo '<p><strong><a href="'.$link[$_GET["website"]].'">'.$link[$_GET['website']].'</a></strong></p>';
}

And lastly, you are missing http://.

thesavior
05-10-2009, 09:31 PM
This isn't secure:

<?php
echo '<div><img src="./imgs/'.$_GET["website"].'_banner.jpg" /></div>';
?>

because $_GET["website"] could = '" onClick="javascript:alert('herro')';

and then you just added an onClick handler to that image tag. It's the same issue as SQL injection. Normally to secure that variable, you would use htmlentities or something; I haven't had to deal with it coming from the URL, so you might want to check that.

However if you have an array that contains the allowed values, like

$link["blue"] = "www.blue.co.uk";

then you are safe, because if it is in the array, it will show that link, otherwise it shouldn't be anything, you aren't actually using the information the user gave you except to check an array.
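The allow-list approach thesavior describes and the http:// fix from venegal's earlier post, written out as an added example (this is not code posted by anyone in the thread). The array contents, the renderSite() helper and the sample inputs are constructed for illustration; the output is also passed through htmlspecialchars() because a value that lands inside an HTML attribute is a reflected script-injection sink whenever the URL can be handed to another user, and escaping costs nothing once the key has been checked.

```php
<?php
// Allow-list of site keys we control (constructed sample values).
$link = [
    "blue" => "www.blue.co.uk",
    "red"  => "www.red.example",
];

/**
 * Hypothetical helper: build the banner <img> and link markup for a site key.
 * $link is the allow-list; $key is untrusted (typically $_GET['website'] ?? null).
 * Returns null when the key is not one we pre-approved, so nothing the user
 * typed is ever echoed back.
 */
function renderSite(array $link, ?string $key): ?string
{
    // Unknown or missing key: emit nothing rather than reflecting the input.
    if ($key === null || !array_key_exists($key, $link)) {
        return null;
    }
    $host = $link[$key];

    // $key is now one of our own array keys and $host one of our own values,
    // but everything placed in an attribute or text node is still escaped.
    $safeKey  = htmlspecialchars($key,  ENT_QUOTES, 'UTF-8');
    $safeHost = htmlspecialchars($host, ENT_QUOTES, 'UTF-8');

    // "http://" makes the href absolute; without it the browser resolves
    // "www.external.com" as a path under the current domain.
    return '<div><img src="./imgs/' . $safeKey . '_banner.jpg" /></div>'
         . '<p><strong><a href="http://' . $safeHost . '">' . $safeHost
         . '</a></strong></p>';
}

// Constructed requests: a valid key, an unknown key, and the attribute-breaking
// string quoted in the thread. Only the first produces markup.
foreach (["blue", "green", '" onClick="javascript:alert(\'herro\')'] as $input) {
    echo renderSite($link, $input) ?? '<!-- no such site -->', "\n";
}
```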

venegal
05-10-2009, 10:09 PM
No!

Please, halifaxer, read up on the topic and don't let yourself be scared into using "securing" measures where they are not only not necessary but probably do more harm than good as long as you don't know what you are doing.

First of all, thesavior is right with his last statement. You are populating your URL-array manually, so you are absolutely safe there, because nothing gets in the <img> without being preapproved by you.

The rest of thesavior's post you can safely disregard. The data provided by the user is getting no real server action at all, it is solely used to populate an <img> tag to be shown to that exact user. If the user decides he wants to put an onclick in there, why not! He'll be the only one that gets to use it.

This has nothing to do with cross site scripting, and it certainly is not the same issue as sql injection. thesavior's suggestion to use "htmlentities or something" in that particular situation shows that he uses about the same approach to security as yourself.

sea4me
05-11-2009, 04:55 AM
This isn't secure:

<?php
echo '<div><img src="./imgs/'.$_GET["website"].'_banner.jpg" /></div>';
?>

because $_GET["website"] could = '" onClick="javascript:alert('herro')';

and then you just added an onClick handler to that image tag. It's the same issue as SQL injection. Normally to secure that variable, you would use htmlentities or something; I haven't had to deal with it coming from the URL, so you might want to check that.


It is very secure as only the user who submitted it will get the alert :p
