  1. #1
    New Coder
    Join Date
    Feb 2008
    Posts
    37
    Thanks
    4
    Thanked 0 Times in 0 Posts

    3 for the price of 1: url decode, apostrophes and linking

    OMG! This will be the end of me!

    I have been struggling with these two issues, and it always seems to come back to the same thing: urldecode!

    This works:

    Code:
    <?php
        echo '<div><img src="./imgs/'.$_GET["website"].'_banner.jpg" /></div>';
    ?>
    This doesn't:

    Code:
    <?php
        echo '<div><img src="./imgs/'.mysql_real_escape_string(urldecode($_GET["website"])).'_banner.jpg" /></div>';
    ?>
    Essentially, I need to secure the $_GET["website"] variable to prevent attack. What's the issue?

    Next is something more complicated. This involves the various single and double apostrophes in the syntax. The code:

    Code:
    <?php
    $link["blue"] = "www.blue.co.uk";

    echo '<p><strong><a href="/">$link["'.$_GET["website"].'"]</a></strong></p>';
    ?>
    
    When $_GET["website"] = "blue", making the link display www.blue.co.uk.
    And lastly, one that I really don't get because I'm pretty sure I've done this before. When I try to make a link source (a href="www.external.com") it comes up as www.mydomain.com/www.external.com

    ... Am I missing something so obviously simple I can pass it off as a result of fatigue with little embarrassment?

    All help is appreciated!!!

  • #2
    Senior Coder Len Whistler's Avatar
    Join Date
    Jul 2002
    Location
    Vancouver, BC Canada
    Posts
    1,323
    Thanks
    26
    Thanked 100 Times in 100 Posts
    From the PHP manual http://ca2.php.net/urldecode


    "The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results."


    ---------------------
    Leonard Whistler
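    To show what the manual sentence above means in practice, here is an added example that is not code from the thread. parse_str() decodes a query string the same way PHP fills $_GET, so a constructed query string stands in for a real request; the function name and the sample values are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. parse_str() decodes a query
// string the same way PHP populates $_GET, so a constructed query string
// lets us see offline what a second urldecode() does to the values.

function decodeTwice(string $query): array
{
    parse_str($query, $get);            // first decode: what $_GET already holds
    $rows = [];
    foreach ($get as $name => $value) {
        $rows[$name] = [
            'as_in_GET'       => $value,            // the value the client sent
            'after_urldecode' => urldecode($value), // decoded a second time
        ];
    }
    return $rows;
}

// Constructed sample: a literal plus sign and a literal percent sign,
// both correctly encoded by the client (%2B and %25).
$query = 'website=blue%2Bgreen&note=it%2527s';

foreach (decodeTwice($query) as $name => $r) {
    printf("%-8s \$_GET: %-12s urldecode(\$_GET): %s\n",
        $name, $r['as_in_GET'], $r['after_urldecode']);
}
```

    The second decode turns the plus sign the client sent into a space and the encoded percent sign into an apostrophe, so the script ends up working with a value the client never sent. Reading $_GET as it is gives the right value, which is why the manual warns against decoding it again.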

  • #3
    New Coder
    Join Date
    Feb 2008
    Posts
    37
    Thanks
    4
    Thanked 0 Times in 0 Posts
    OK, granted.

    If I take out the urldecode and focus on the mysql_real_escape_string... I'm still in the same position.

    Any thoughts on this?

  • #4
    GŁtkodierer
    Join Date
    Apr 2009
    Posts
    2,127
    Thanks
    1
    Thanked 426 Times in 424 Posts
    What's the point of mysql_real_escaping it, if it never even gets to see a database, only an HTML tag?

    It's a good thing you are trying to secure your site, but you won't have any success if you randomly use built-in functions without knowing what exactly they are there to prevent in the first place, and how exactly possible attacks work -- if the only thing you are doing with the $_GET is putting it as src in an <img> tag, you don't have to do anything. Worst case scenario the link won't work, and that's that; there's no exploit there.

    Secondly, your quotes (not apostrophes) are very confused. Use
    PHP Code:
    // isset() on both the parameter and the array entry avoids an undefined-index notice
    if (isset($_GET["website"], $link[$_GET["website"]])) {
        echo "<p><strong><a href='{$link[$_GET["website"]]}'>{$link[$_GET['website']]}</a></strong></p>";
    }

    or
    PHP Code:
    if (isset($_GET["website"], $link[$_GET["website"]])) {
        echo '<p><strong><a href="'.$link[$_GET["website"]].'">'.$link[$_GET['website']].'</a></strong></p>';
    }

    And lastly you are missing http://.

  • #5
    Senior Coder
    Join Date
    Aug 2005
    Posts
    1,119
    Thanks
    2
    Thanked 1 Time in 1 Post
    This isn't secure:

    <?php
    echo '<div><img src="./imgs/'.$_GET["website"].'_banner.jpg" /></div>';
    ?>

    because $_GET["website"] could = '" onClick="javascript:alert('herro')';

    and then you just added an onClick handler to that image tag. It's the same issue as SQL injection. Normally to secure that variable, you would use htmlentities or something; I haven't had to deal with it coming from the URL, so you might want to check that.

    However if you have an array that contains the allowed values, like

    $link["blue"] = "www.blue.co.uk";

    then you are safe, because if it is in the array, it will show that link; otherwise it shouldn't be anything. You aren't actually using the information the user gave you except to check an array.

  • #6
    GŁtkodierer
    Join Date
    Apr 2009
    Posts
    2,127
    Thanks
    1
    Thanked 426 Times in 424 Posts
    No!

    Please, halifaxer, read up on the topic and don't let yourself be scared into using "securing" measures where they are not only not necessary but probably do more harm than good as long as you don't know what you are doing.

    First of all, thesavior is right with his last statement. You are populating your URL array manually, so you are absolutely safe there, because nothing gets in the <img> without being preapproved by you.

    The rest of thesavior's post you can safely disregard. The data provided by the user is getting no real server action at all, it is solely used to populate an <img> tag to be shown to that exact user. If the user decides he wants to put an onclick in there, why not! He'll be the only one that gets to use it.

    This has nothing to do with cross site scripting, and it certainly is not the same issue as sql injection. thesavior's suggestion to use "htmlentities or something" in that particular situation shows that he uses about the same approach to security as yourself.

  • #7
    Regular Coder sea4me's Avatar
    Join Date
    Jan 2009
    Location
    Damn, I don't know...
    Posts
    390
    Thanks
    11
    Thanked 28 Times in 27 Posts
    Quote Originally Posted by thesavior
    This isn't secure:

    <?php
    echo '<div><img src="./imgs/'.$_GET["website"].'_banner.jpg" /></div>';
    ?>

    because $_GET["website"] could = '" onClick="javascript:alert('herro')';

    and then you just added an onClick handler to that image tag. It's the same issue as SQL injection. Normally to secure that variable, you would use htmlentities or something; I haven't had to deal with it coming from the URL, so you might want to check that.
    It is very secure as only the user who submitted it will get the alert.
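    An added example, not code from the thread, that makes posts #4, #5 and #6 concrete side by side: the banner line from post #1 fed the breakout value thesavior quotes, the same line with htmlspecialchars() applied so the value cannot leave the src attribute, and the $link allowlist that thesavior and venegal agree on, with the http:// scheme that post #4 notes was missing. The function names, the second $link entry and the input list are assumptions made for this example. Whatever one makes of the risk in this particular thread, the raw version lets any URL carrying that value add an attribute to the tag in the browser of whoever opens that URL; the other two versions do not.

```php
<?php
// Added example, not code from the thread. Shows the vulnerable banner line
// from post #1, the breakout value from post #5, and the two defences the
// thread discusses: escaping the value, and looking it up in an allowlist.

// Author-controlled allowlist, as in post #1 ("red" is an assumed second entry).
$link = ["blue" => "www.blue.co.uk", "red" => "www.red.co.uk"];

// 1. Original: the raw request value is concatenated into an attribute.
function banner_raw(string $website): string
{
    return '<div><img src="./imgs/' . $website . '_banner.jpg" /></div>';
}

// 2. Escaped: htmlspecialchars() turns " into &quot; so the value can no
//    longer close the src attribute; the browser still sees the same text.
function banner_escaped(string $website): string
{
    $safe = htmlspecialchars($website, ENT_QUOTES, 'UTF-8');
    return '<div><img src="./imgs/' . $safe . '_banner.jpg" /></div>';
}

// 3. Allowlisted: the request value only selects a key. Nothing from the
//    request reaches the markup; only the pre-approved $link entry does.
function site_link(array $link, ?string $website): string
{
    if ($website === null || !isset($link[$website])) {
        return '';   // unknown site: emit nothing, not the user's text
    }
    $url   = 'http://' . $link[$website];   // post #4: the scheme was missing
    $href  = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $label = htmlspecialchars($link[$website], ENT_QUOTES, 'UTF-8');
    return '<p><strong><a href="' . $href . '">' . $label . '</a></strong></p>';
}

// Constructed inputs: a normal value and the breakout value quoted in post #5.
$inputs = [
    'blue',
    '" onClick="javascript:alert(\'herro\')',
];

foreach ($inputs as $website) {
    echo "input:     ", $website, "\n";
    echo "raw:       ", banner_raw($website), "\n";
    echo "escaped:   ", banner_escaped($website), "\n";
    echo "allowlist: ", site_link($link, $website), "\n\n";
}
```

    The escaped version is the right tool when the value genuinely has to appear in the page; the allowlist version is the stronger one here because, as post #6 says, nothing the user typed ever reaches the markup, and it also fixes the relative-link problem from post #1 by prefixing the scheme.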

