  1. #1 (New to the CF scene, Join Date Jan 2006, Posts 4)

    Is my script secure?

    Let me start out by saying that I'm not using SQL or any databases...

    With that said, below is a script that uses superglobal arrays to pass data to a form using a URL like: http://www-site-com/index.php?price=100.00&title=laptop

    What would you do to make this script more secure?

    Code:
    <?php
    // Returns the query-string value named $value if it matches the
    // pattern chosen for that name, otherwise false.
    function getIt($value){
      // bare truthiness test: a missing key raises a notice and a
      // legitimate "0" is treated as absent
      if($_GET[$value]) {
        switch ($value) {
          case 'price':
            // any mix of "$", digits and "." from 1 to 20 characters
            $pattern = '/^[$0-9.]{1,20}$/';
            break;
          case 'title':
            // letters and digits only, 1 to 100 characters
            $pattern = '/^[0-9a-zA-Z]{1,100}$/';
            break;
          // no default case: $pattern stays undefined for any other $value
        }
        if (preg_match($pattern,$_GET[$value])) {
          return $_GET[$value];
        }
      }
      return false;
    }
    ?>

    <input type="text" name="price" value="<?php echo getIt("price")?>">
    <input type="text" name="title" value="<?php echo getIt("title")?>">
    Can you spot any security holes?

    Thanks!

  • #2 (New to the CF scene, Join Date Dec 2006, Posts 2)
    Not exactly sure what you mean by more secure. However, since you're using the $_GET array people can see the values and the variables you're passing easily by looking at the address bar. You might consider using the $_POST array as opposed to the $_GET array. The $_POST method's contents are also available for viewing but it's more obscure to novice computer users.

    Also, your script seems to be performing data validation against the variables passed in the $_GET array, so rather than doing if($_GET[$value]) I think it would be better to do if(isset($_GET[$value])).

    You might also include a default case value into your switch and have it return false if the input you wanted is not what was given, because I could easily pass a variable into your form using the $_GET URL to mess it up.

  • #3 (New to the CF scene, Join Date Jan 2006, Posts 4)
    Thank you for your help...

    It's ok if people see the variables and values. I'm going to be sending my customers these URLs anyways, so I want them to see the price and title.

    Also, would you mind showing me exactly how to include a default case value into my switch and have it return false if the input is invalid?

    Thanks!

  • #4 (New Coder, Join Date Dec 2006, Posts 15)
    PHP Code:
    switch ($i) {
      case 0:
        echo "i equals 0";
        break;
      case 1:
        echo "i equals 1";
        break;
      case 2:
        echo "i equals 2";
        break;
      default:
        // reached when $i matched none of the cases above
        echo "i is not equal to 0, 1 or 2";
        break;
    }
    http://us2.php.net/manual/en/control...res.switch.php
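    A hardened version of the poster's getIt() that applies both suggestions from reply #2 (isset() instead of a bare truthiness test, and a default case in the switch, in the form reply #4 quotes from the manual) and adds escaping at the output point. This is an added example, not code from the original thread. It assumes the only accepted parameters are price and title, tightens the price pattern to a plain decimal amount (an assumption the thread itself does not make), and takes a constructed array in place of $_GET so it can be run offline.

```php
<?php
// Added example (not the original poster's code). Assumptions: the only
// accepted parameters are "price" and "title"; a price is an optional "$",
// up to ten digits and an optional two-decimal fraction; a title is letters
// and digits only. Anything else is rejected rather than echoed back.

/**
 * Return the validated value of $name from $source (defaults to $_GET),
 * or false when the parameter is unknown, missing, not a plain string,
 * or fails its pattern.
 */
function getIt(string $name, ?array $source = null)
{
    $source = $source ?? $_GET;

    switch ($name) {
        case 'price':
            // the original '/^[$0-9.]{1,20}$/' also accepted "$$$" or "...."
            $pattern = '/^\$?[0-9]{1,10}(\.[0-9]{2})?$/';
            break;
        case 'title':
            $pattern = '/^[0-9A-Za-z]{1,100}$/';
            break;
        default:
            // unknown parameter: reject instead of leaving $pattern undefined
            return false;
    }

    // isset() rather than a bare truthiness test: "0" is a legitimate value
    // and a missing key must not raise a notice. The is_string() check stops
    // ?price[]=1 from handing an array to preg_match().
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return false;
    }
    if (!preg_match($pattern, $source[$name])) {
        return false;
    }
    return $source[$name];
}

/**
 * Escape a value for use inside an HTML attribute. Done at the output
 * point even though the patterns are strict, so relaxing a pattern later
 * cannot silently turn the echo into a cross-site scripting hole.
 */
function attr($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for the query string.
$good = ['price' => '100.00', 'title' => 'laptop'];
$bad  = ['price' => '100.00"><script>alert(1)</script>', 'title' => 'lap top'];

var_dump(getIt('price', $good));
var_dump(getIt('title', $good));
var_dump(getIt('price', $bad));
var_dump(getIt('title', $bad));
var_dump(getIt('color', $good));
?>
<input type="text" name="price" value="<?php echo attr(getIt('price', $good)); ?>">
<input type="text" name="title" value="<?php echo attr(getIt('title', $good)); ?>">
```

    With the constructed arrays, the two $good values pass; the $bad price (a closing quote and script tag) and the $bad title (a space) both fail their patterns, and the unknown color parameter falls through to the default case, so every one of those returns false and nothing unvalidated reaches the form. The attr() call is the second line of defence: it is what would stop the script-tag payload if a future pattern were loosened to allow quotes.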

