Pls am new to programming
Pls sir I have being seeing this in many php files .php?id=3
But I don't understand how it works or how to put it in my code,
This is called the query string, it's a way of passing parameters to your page.
You can access them in the php using the $_GET superglobal like so:
var_dump( $_GET['id'] );
Tips for using query string variables:
Check it is set before trying to use it: isset($_GET['id']) because you can't be sure it will be there.
This is "user input" and so you should not trust it implicitly. Whatever you do with user input you should use the appropriate security mechanism to sanitize it to prevent vulnerabilities.
If you generate a link with dynamic query string variables then be sure to use URL encoding/Percent encoding which can be done with urlencode().
Related
I need to extract 3 input parameters (in this example a=test, b=sell, c=12536) from the following URL
/property-test-sell-12536
and pass to the PHP file as $_GET parameters. And inside PHP file I want to access this parameter as $_GET['a'], $_GET['b'], $_GET['c'].
I researched Google about this issue. Is it possible to use only NGINX for this purpose or should I do it inside PHP file?
Input arguments are defined as ?index=value&anotherIndex=anotherValue and so forth, for example: https://example.com/search.php?query=How+to+google&lang=en
PHP will then have the variables named as the appropriate index ($_GET['index'] will return you the value).
If you'd like to have routes like example.com/shoes/5/seller then you'd need to code a custom PHP function which trims the URL and looks for strings and then stores them in an appropriate variable, probably using a regex and preg_match. Though, be careful about security as these can be rather vulnerable to things like SQL injections and server-side code execution vulnerabilities.
$input = $_GET['name'];
eval("\$name= \"$input\";");
Or it is insecure? Thanks. Without any php functions, like preg_replace or any other, just working with user data as string type with \" when put it to eval function.
This basically will allow the user to inject arbitrary code into your application. Think something in the line of
$input=";mysql_query(\"DROP TABLE users\")"
Also eval makes it basically impossible to cache anything but that is a minor consequence.
I want to be able to store PHP code in an SQL Database and display that whenever it is called. I don't want to use include and make loads of files. I want to be able to just put them all in SQL and call them when I want. How can I do this?
I have
$GETPAGE = "SELECT PA_CONTENT from pages where PA_NAME = '$page'";
$GETPAGE2= mysql_query($GETPAGE);
$GETPAGE3= mysql_fetch_array($GETPAGE2);
echo $GETPAGE3[PA_CONTENT];
but it echo's it out visible. Should I replace echo for something else?
Thanks
You can use eval() to execute code that's in strings. Just make sure that you absolutely trust the code that's being run - it will run any PHP code it's given, so it could do malicious things if it's so instructed.
You can evaluate a string as code by using eval()
http://php.net/manual/en/function.eval.php
BUT this is not recommended, see also the warning on that page:
The eval() language construct is very dangerous because it allows
execution of arbitrary PHP code. Its use thus is discouraged. If you
have carefully verified that there is no other option than to use this
construct, pay special attention not to pass any user provided data
into it without properly validating it beforehand.
I have experiences with securing sql injections on MYSQL, but what should I be careful on MongoDB using php driver? In most of the pages I get data via GET/POST and searching/inserting the system. I search via UDID / other fields, and can insert any string value. Also I get user's cookies via javascript.
So when GET/POST, I'm adding to each variable htmlentities function?
What would replace mysql_real_escape_string? Should I use it?
So, for example, when doing
$download = array( 'url' => $_GET['url'] );
$downloads->insert($download);
Is this OK?
Is there a way to check if a string is really a UID?
Any think else I should be aware when using MongoDB and PHP? I do get my cookies using javascript, and searching in my DB using the cookies. What about that?
So when GET/POST, I'm adding to each variable htmlentities function?
No need to. You should however, use htmlentities when outputting user-generated data to a browser, to prevent XSS attacks.
What would replace mysql_real_escape_string? Should I use it?
You shouldn't use mysql_real_escape_string as it's for MySQL. Nothing replaces this on MongoDB, the driver takes care of escaping the data for you.
Is there a way to check if a string is really a UID?
The only way is to validate it is to query MongoDB with that string and check if it exists.
You can however, validate if the format is correct:
$id = '4f1b166d4931b15415000000';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // true
$id = 'foo';
$a = new MongoId($id);
var_dump($a->{'$id'} == $id); // false
Any think else I should be aware when using MongoDB and PHP? I do get my cookies using javascript, and searching in my DB using the cookies. What about that?
Not much. As for any web application, you are very discouraged from storing sensitive data in cookies, such as user identifiers, passwords, etc. as they can easily be tempered with and used to access parts of your application that should be restricted, or impersonate other users.
Btw i think something is missed for example
yourdomain.com/login?username=admin&passwd[$ne]=1
In Sql this looks like this
SELECT * FROM collection
WHERE username="admin",
AND passwd!=1
The way i know is valid to escape this sutiations is to know what type of data you expect and cast it.
Hope the answer was useful
Yes, you do need to escape!
Imagine code like that:
<?php
$login = $users->findOne( [
'user_id' => $_GET['uid'],
'password' => $_GET['password']
] );
?>
And the request is:
https://example.com/login?uid=3&password[$neq]=xxx
This will pass the login!!
You must to convert the GET/POST values to string.
No need to escape quotes, etc.
In your case, to prevent arrays as 'url':
$download = array( 'url' => (string)$_GET['url'] );
$downloads->insert($download);
I have a lot of user inputs from $_GET and $_POST... At the moment I always write mysql_real_escape_string($_GET['var'])..
I would like to know whether you could make a function that secures, escapes and cleans the $_GET/$_POST arrays right away, so you won't have to deal with it each time you are working with user inputs and such.
I was thinking of an function, e.g cleanMe($input), and inside it, it should do mysql_real_escape_string, htmlspecialchars, strip_tags, stripslashes (I think that would be all to make it clean & secure) and then return the $input.
So is this possible? Making a function that works for all $_GET and $_POST, so you would do only this:
$_GET = cleanMe($_GET);
$_POST = cleanMe($_POST);
So in your code later, when you work with e.g $_GET['blabla'] or $_POST['haha'] , they are secured, stripped and so on?
Tried myself a little:
function cleanMe($input) {
$input = mysql_real_escape_string($input);
$input = htmlspecialchars($input, ENT_IGNORE, 'utf-8');
$input = strip_tags($input);
$input = stripslashes($input);
return $input;
}
The idea of a generic sanitation function is a broken concept.
There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it - escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:
before running a database query. The right sanitation method depends on the library you use; they are listed in How can I prevent SQL injection in PHP?
htmlspecialchars() for safe HTML output
preg_quote() for use in a regular expression
escapeshellarg() / escapeshellcmd() for use in an external command
etc. etc.
Using a "one size fits all" sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug - only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.
Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.
There is no point in simply passing the input through all these functions. All these functions have different meanings. Data doesn't get "cleaner" by calling more escape-functions.
If you want to store user input in MySQL you need to use only mysql_real_escape_string. It is then fully escaped to store safely in the database.
EDIT
Also note the problems that arise with using the other functions. If the client sends for instance a username to the server, and the username contains an ampersand (&), you don;t want to have called htmlentities before storing it in the database because then the username in the database will contain &.
You're looking for filter_input_array().
However, I suggest only using that for business-style validation/sanitisation and not SQL input filtering.
For protection against SQL injection, use parametrised queries with mysqli or PDO.
The problem is, something clean or secure for one use, won't be for another : cleaning for part of a path, for part of a mysql query, for html output (as html, or in javascript or in an input's value), for xml may require different things which contradicts.
But, some global things can be done.
Try to use filter_input to get your user's input. And use prepared statements for your SQL queries.
Although, instead of a do-it-all function, you can create some class which manages your inputs. Something like that :
class inputManager{
static function toHTML($field){
$data = filter_input(INPUT_GET, $field, FILTER_SANITIZE_SPECIAL_CHARS);
return $data;
}
static function toSQL($field, $dbType = 'mysql'){
$data = filter_input(INPUT_GET, $field);
if($dbType == 'mysql'){
return mysql_real_escape_string($data);
}
}
}
With this kind of things, if you see any $_POST, $GET, $_REQUEST or $_COOKIE in your code, you know you have to change it. And if one day you have to change how you filter your inputs, just change the class you've made.
May I suggest to install "mod_security" if you're using apache and have full access to server?!
It did solve most of my problems. However don't rely in just one or two solutions, always write secure code ;)
UPDATE
Found this PHP IDS (http://php-ids.org/); seems nice :)