...

View Full Version : Is this a security threat



theside
11-09-2010, 05:32 AM
Hi there

I have a question regarding a potential security issue!

I use the following code on one of my websites:


// Get the user specific info from the URI address:
$navString = htmlspecialchars($_SERVER['REQUEST_URI']);

$parts = explode('/', $navString); // Break into an array; REQUEST_URI starts with '/', so $parts[0] is ''
list($folder1, $folder2, $folder3) = $parts; // Name the first three elements

Originally, I was not using htmlspecialchars!

But after some hours' worth of reading I realised that $_SERVER['REQUEST_URI'] can be manipulated by an unscrupulous website visitor!

The issue I have is that I use $folder1 $folder2 etc to 'know' where my visitor is on the website and also to determine what to show on the particular website page.

So, for example on my page header, to display the correct title, I would use something along the lines of:


if ($folder1) {
    if ($folder1 == 'news') { echo 'The News'; }
    elseif ($folder1 == 'contact') { echo 'Contact Page'; }
    else { echo 'Some other page'; }
}
else {
    echo 'Home Page';
}

What I need to know, is whether this is safe/secure or whether I should be doing something else with the $_SERVER['REQUEST_URI'] to clean it up?

Many thanks

K

Fumigator
11-09-2010, 05:37 AM
So what's the worst that could happen? Someone could make it look like the news page when they are really sitting on the knitting page? What harm will that cause?

poyzn
11-09-2010, 05:38 AM
If you want to filter the URI and your PHP version is >= 5.2, you can use the following:



// Returns the URI unchanged if it matches the pattern, or false if it does not
$navString = filter_var(
    $_SERVER['REQUEST_URI'],
    FILTER_VALIDATE_REGEXP,
    array('options' => array('regexp' => '/^[a-z0-9\.\_\-\/]*$/i'))
);

theside
11-09-2010, 05:59 AM
So what's the worst that could happen? Someone could make it look like the news page when they are really sitting on the knitting page? What harm will that cause?

Ah yes!!!! I should have expanded a little more!

But the strings ($folder1 etc.) are also used for MySQL queries within functions, e.g.:

function_name($folder1, $folder2)

which then does a MySQL SELECT query dependent on those variables....

So, I understand that I need to escape/sanitise the variables I've created... I used the following code:


// Undo magic quotes (applied to GET/POST/COOKIE data when enabled), then
// escape for the query. mysql_real_escape_string() needs an open
// mysql_connect() link and returns false if it has none.
if (get_magic_quotes_gpc()) {
    $folder1 = stripslashes($folder1);
}
$folder1 = mysql_real_escape_string($folder1);

if (get_magic_quotes_gpc()) {
    $folder2 = stripslashes($folder2);
}
$folder2 = mysql_real_escape_string($folder2);

if (get_magic_quotes_gpc()) {
    $folder3 = stripslashes($folder3);
}
$folder3 = mysql_real_escape_string($folder3);



Now, my questions are:
1. Does get_magic_quotes_gpc() act on $_SERVER['REQUEST_URI'] ?

And, after trying the above, my page titles failed to show; it just gave me the default page title, Home Page, so:

2. Any other suggestions please?!


Thank you poyzn for your reply - I am not aware of this - so off for a read in the meantime!

Many thanks

K
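Added example, not code from the thread or from either poster: the lookup the post above describes, written once the unsafe way (the segment spliced into the SQL text, which is what escaping and the magic-quotes juggling try to patch over) and once as a PDO prepared statement, where the value is bound and never becomes SQL. It runs against an in-memory SQLite table constructed here, so it needs the pdo_sqlite extension; the table and column names and the sample rows are assumptions. For context on the thread's own code: mysql_real_escape_string() needs an open mysql_connect() link and returns false when it has none, magic quotes were removed in PHP 5.4, and the mysql extension was removed in PHP 7.0, so binding parameters is the approach that still exists.

```php
<?php
// Added example: SQL lookup keyed by a URI path segment, unsafe and safe.
// Table, rows and column names are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (folder TEXT, title TEXT, body TEXT)');
$db->exec("INSERT INTO pages VALUES ('news', 'The News', 'public'),
                                    ('contact', 'Contact Page', 'public'),
                                    ('admin', 'Admin', 'secret')");

// Unsafe: $folder1 becomes part of the SQL text. A single quote in it
// rewrites the statement; this is the hole escaping tries to plug.
function lookupUnsafe(PDO $db, $folder1) {
    $sql = "SELECT title, body FROM pages WHERE folder = '$folder1'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent as a bound parameter, so quotes inside it are
// data, not syntax. No stripslashes(), no escaping function needed.
function lookupSafe(PDO $db, $folder1) {
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE folder = :folder');
    $stmt->execute(array(':folder' => $folder1));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: a path segment used as a lookup key only ever needs a
// small character set, so reject anything else before it reaches the query.
function isValidSegment($segment) {
    return is_string($segment)
        && preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$/', $segment) === 1;
}

$legit  = 'news';
$attack = "x' OR '1'='1";   // constructed injection payload

printf("unsafe, legit:  %d row(s)\n", count(lookupUnsafe($db, $legit)));
printf("unsafe, attack: %d row(s)\n", count(lookupUnsafe($db, $attack)));
printf("safe,   legit:  %d row(s)\n", count(lookupSafe($db, $legit)));
printf("safe,   attack: %d row(s)\n", count(lookupSafe($db, $attack)));
var_dump(isValidSegment($legit), isValidSegment($attack));
```

With the payload, the unsafe lookup's WHERE clause becomes `folder = 'x' OR '1'='1'` and returns every row, the 'secret' one included; the prepared statement compares the whole payload string against the folder column and returns nothing, and isValidSegment() rejects it before any query is made.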

theside
11-09-2010, 06:25 AM
Hey poyzn

Thank you for your suggestion - I have implemented it and it works! I have had a quick read on the filter function but need some more time to digest exactly what it is doing there!

The only issue, which isn't a huge problem, is that I have some $_GET calls that are used on some of the news pages, e.g.:


http://www.domainname.com/folder1/index.php?newsid=11

For this, the default webpage name, Home Page, is used. It ignores the fact that we are on the news ($folder1) pages.

K

poyzn
11-09-2010, 06:58 AM
If you want to pass a URI with a GET call, just add the extra symbols to the regexp string:


// Same check, now also allowing '?', '=' and '&' so a query string passes
$navString = filter_var(
    $_SERVER['REQUEST_URI'],
    FILTER_VALIDATE_REGEXP,
    array('options' => array('regexp' => '/^[a-z0-9\.\_\-\?\=\&\/]*$/i'))
);

But you can use a more friendly path like /folder1/news/11.
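Added example, not code from the thread or from either poster, covering both the "?newsid=11 gives Home Page" problem two posts up and the friendly-path suggestion just above. The first regexp rejected the whole URI because '?' and '=' were outside its character class, filter_var() then returned false, explode('/', false) produced a single empty element, and $folder1 was empty, hence the home title. Widening the regexp lets the query string through but still leaves it glued to the last path segment. The function below splits path and query string first with parse_url(), allowlists each path segment on its own, and accepts newsid either from the query string or as /news/11. The titles are the ones from the thread; the sample URIs at the bottom are constructed test input, two of them hostile.

```php
<?php
// Added example: route from $_SERVER['REQUEST_URI'] by validating path
// segments separately from the query string. Sample URIs are constructed.

function routeFromUri($requestUri) {
    $unknown = array('title' => 'Unknown page', 'segments' => array(), 'newsid' => null);

    // Path and query string are different things; keep them separate.
    // "/news/index.php?newsid=11" -> path "/news/index.php", query "newsid=11"
    $path  = parse_url($requestUri, PHP_URL_PATH);
    $query = parse_url($requestUri, PHP_URL_QUERY);   // null when absent
    if (!is_string($path)) {
        return $unknown;
    }

    // explode() on "/news/11" yields "", "news", "11": drop the empty element
    // from the leading slash and an index.php segment, decode what remains.
    $segments = array();
    foreach (explode('/', $path) as $s) {
        if ($s !== '' && $s !== 'index.php') {
            $segments[] = rawurldecode($s);   // validate the decoded form, not the encoded one
        }
    }

    // Each segment must be a short plain token. The first character may not
    // be a dot, so "." and ".." fail along with quotes, spaces, angle
    // brackets and everything else outside the class.
    foreach ($segments as $s) {
        if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$/', $s)) {
            return $unknown;
        }
    }

    // newsid may arrive as ?newsid=11 or in the friendly form /news/11;
    // either way it must be a decimal integer.
    $newsid = null;
    if ($query !== null) {
        parse_str($query, $params);
        if (isset($params['newsid']) && is_string($params['newsid']) && ctype_digit($params['newsid'])) {
            $newsid = (int) $params['newsid'];
        }
    } elseif (count($segments) >= 2 && $segments[0] === 'news' && ctype_digit($segments[1])) {
        $newsid = (int) $segments[1];
    }

    // Title lookup is a fixed table keyed by the validated first segment.
    $titles  = array('news' => 'The News', 'contact' => 'Contact Page');
    $folder1 = isset($segments[0]) ? $segments[0] : '';
    if ($folder1 === '') {
        $title = 'Home Page';
    } elseif (isset($titles[$folder1])) {
        $title = $titles[$folder1];
    } else {
        $title = 'Some other page';
    }
    return array('title' => $title, 'segments' => $segments, 'newsid' => $newsid);
}

// Constructed sample requests, including hostile ones.
$samples = array(
    '/',
    '/news/index.php?newsid=11',
    '/news/11',
    '/contact/',
    '/knitting/patterns',
    '/news/index.php?newsid=11%27%20OR%201=1',
    '/news/<script>alert(1)</script>',
    '/%2e%2e/%2e%2e/etc/passwd',
);
foreach ($samples as $uri) {
    $r = routeFromUri($uri);
    // htmlspecialchars() belongs here, at the point of HTML output, not on the raw URI
    printf("%-45s -> %-15s newsid=%s\n", $uri, htmlspecialchars($r['title']), var_export($r['newsid'], true));
}
```

Two design points. htmlspecialchars() on the raw REQUEST_URI, as in the first post, encodes '&' and quotes before the value is ever used for routing or querying, which mangles the data without protecting a SQL statement; it belongs on output, where the title is written into HTML. And a validated $folder1 is still a value: pass it to the database as a bound parameter, not by splicing it into the query string.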


