  1. #1
    zc1
    New Coder
    Join Date
    Jun 2007
    Posts
    29
    Thanks
    8
    Thanked 0 Times in 0 Posts

    Is this PHP code safe?

    Hi,

    Is the below code safe, and can it not be exploited?

    Code:
    function indexpage()
    {
      echo "This is the index page if no other pages are specified";
    }
    
    function page1()
    {
      echo "This is page 1";
    }
    
    function page2()
    {
      echo "This is page 2";
    }
    
    
    
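    // Treat a missing ?page= parameter as empty so the default case runs without an "undefined index" notice.
    switch (isset($_GET['page']) ? $_GET['page'] : '')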
    {
      case 'page1':
         page1();
         break;
          
      case 'page2':
         page2();
         break;
          
      default:
         indexpage();  
    }
    
    So that www.yoururl.com/phpfile.php
    Regards,
    Garry

  • #2
    Senior Coder
    Join Date
    Sep 2005
    Posts
    1,791
    Thanks
    5
    Thanked 36 Times in 35 Posts
    The only outcome there is an echo, so nothing to exploit.

    The practice of using a switch'd 'whitelist' of pages though is a good one, rather than include-ing user-supplied data.
    My thoughts on some things: http://codemeetsmusic.com
    And my scrapbook of cool things: http://gjones.tumblr.com

  • #3
    Banned
    Join Date
    Apr 2007
    Posts
    428
    Thanks
    29
    Thanked 5 Times in 5 Posts
    Just write something in the url like

    yoururl.com/?page=sometexthere

    If your text echoes, or shows nothing, then it is not safe, but if it shows the index page then it's ok.

  • #4
    zc1
    New Coder
    Join Date
    Jun 2007
    Posts
    29
    Thanks
    8
    Thanked 0 Times in 0 Posts
    Hi,

    Thank you for all your replies.

    I have got this working, but I did not use the function xxxx() bits and just put it straight into the switch code, as it was giving errors when using the function xxxx().

    xxxx = name of function

    I presume this is OK to do?

    Regards,
    Garry

  • #5
    zc1
    New Coder
    Join Date
    Jun 2007
    Posts
    29
    Thanks
    8
    Thanked 0 Times in 0 Posts
    Hi,

    Is it also safe to use the form post command to a file like filename.php?id=1? So the HTML looks like
    Code:
    <form name="frmSignup" id="frmSignup" method="post" action="filename.php?id=1" onsubmit="javascript: return validateme(this);">
    Using the same PHP layout as what I posted above, but without the functions bit, and I changed the echo bit for code from a script I am using that submits data to the database and forwards you to another page.
    Regards,
    Garry

