$category = $_GET['sortBy'];
query_posts(array('order' => 'ASC', 'cat' => $category));
Is this a security risk?
Should i sanitize get?
In wordpress, this is not necessary. But always keep that in mind.
You should always sanitize data that comes from an untrusted source; since $_POST and $_GET (and $_COOKIE) data can be edited easily by the user to contain malicious code/garbage values, you should always validate their contents.
Generally, I would suggest calling mysqli_real_escape_string(), or using prepared statements at a bare minimum. However, it seems you are using WordPress, so you will want to look at the WordPress documentation to see how (and if) they sanitize the parameters passed to their query_posts() function.
Yes you should sanitize all $_POST, $_GET and $_COOKIE variables. You can make use of many different functions, one of them being mysql_real_escape_string(). You can read a lot about it on the internet. An article that might be useful for you is this one.
Other than that I'd always advise you to make use of $_POST variables because they are not visible to the user upon submitting a form. While $_GET variables are shown in the address bar (e.g.: http://www.website.com/submit.php?name=John&surname=Doe&activationkey=81sd6s1). This makes it very easy to modify for a user with bad intentions. While editing $_POST variables require a little more skills.
Wordpress santize it automatically, you do not need to worry about it here. However, in these cases, use
mysql_real_escape_string();
mysqli_real_escape_string();
Related
I was searching where to use $_POST, $_REQUEST, $_GET but I only saw the differences among them.
The only I got to know that
$_REQUEST contains remaining two.
$_GET is used for fetching.
$_POST is used for inserting, updating, deleting.
I want to know these things
I want to know that when $_REQUEST can perform all the tasks then why there was need to create remaining two.
Explain the situations where we choose either $_REQUEST
and where we choose
$_GET or $_POST and not $_REQUEST
And what will the loss if we use use $_REQUEST instead of $_GET or $_POST
If it doesn't matter to you wether data comes in via post or via get you can use $_REQUEST. If you know which of the two will be the method data will be provided to your server-side code, use the appropriate super global. E.g. it's extremely easy to tamper with GET parameters, so you might want to avoid this method in certain parts of your application for security reasons. If you use POST you shouldn't read $_REQUEST, because there's a risk someone might add additional parameters in the URL via GET.
I know $_REQUEST is bad because it contains cookie data as well.
Is it still bad to use $_REQUEST if we use some sort of clean function to it? Would someone be able to elaborate?
$_REQUEST is not specifically dangerous. Any user input can be an attack and should be treated as such. For any input medium $_GET, $_POST, $_COOKIE, use an appropriate method intval(), preg_match(), ... to verify that the value you receive is something you expect.
For example if you expect a file name and intend to send it to the user, make sure it does not contain .. or / so the user won't be able to access your filesystem.
If you want to insert a user generated value in a database, make sure you are escaping your values, using the old mysql_real_escape_string, or better PDO or mysqli prepared statements.
It's a well covered topic, but I'd like to get some confirmation on methods of using data from user variables, in a few different situations.
The variable is never used in a database, never stored, only displayed on screen for the user. Which function to use to make sure no html or javascript can screw things up?
The variable is taken into the database, and used in SQL queries.
The variable does both.
At the moment I xss_clean, and strip_tags. I've always done this, just by autopilot. Is there a better technique? Apologies if there's an identical question out there. I kinda assume there is, although I couldn't find one as thorough as this.
Cheers.
Use the appropriate function while outputting, in HTML context, this is htmlspecialchars
Use prepared statements
See 1. and 2. – depending on whether you are displaying the variable or you are using it in a query.
One of worst delusions in the PHP world is that $_GET or $_POST have anything to do with security.
It is not the source but destination that matters
If you have to deal with database, the rules always the same, no matter if the data is coming from $_POST, SOAP request or a database. It has to be ALWAYS the same: placeholders for the data, whitelisting for the everything else.
If you have to output some data into browser, you have to properly prepare it, no matter whether the data is coming from $_POST, SOAP request or a database.
If you have to read from a file - you have to secure the filename, no matter where it coming from, and so on
In the first case htmlspecialchars() probably is the best choice, allowing for users to use all characters like <, >, &, etc.
In the second case you will need to use some database escaping function like mysql_real_escape_string or a prepared statement with PDO or mysqli. Prepared statements are the best choice here but if you are only familiar with mysql then mysql_real_escape_string works fine too. If you are not using mysql then there are similar functions in most SQL APIs.
In the third case do both but separately, with gives you two diffrent results, one for output and one for database.
References:
http://php.net/manual/en/function.htmlspecialchars.php
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/book.pdo.php
http://php.net/manual/en/book.mysqli.php
$id="1;drop table users;"; $id=mysql_real_escape_string($id); $sql="SELECT * FROM table
WHERE id=$id";
For just regular use in my PHP code, that is. Not like I'm going to pass it to my queries or anything.
If you pass them to SQL queries, you get an SQL injection
If you use them to form file names, you get an arbitrary file reading vulnerability
If you output them as-is to the user as a part of HTML page, you get an XSS vulnerability
If you output them to a file, you may get a malformed file if it has some predetermined formatting
If you're just comparing the value with a set of predefined values, you're fine.
If you're converting it to a number, you're fine as long as any number works for you
This can really be answered only by stepping through your code, and looking exactly what it does. There could be pitfalls in your code (like a badly built switch statement) that could require sanitation.
Other than database queries, general scenarios where you need to sanitize incoming data include:
Using it in a file name
Using it to include a file
Using it to pass parameters to a program executed through exec()
Outputting it to HTML
You need whatever your application and its security require, keeping in mind that you can get absolutely anything (or nothing) in a $_GET parameter. Maybe you are not using the value in queries, but you may be subject to a cross-site scripting attack if you blindly use a value in a page, for example. "Harmless" websites can easily fall into a cross-site scripting attack.
Never trust user input, yes?
You need to sanitize variables depending on the content of them and the use of them.
so if you have a variable like so:
$_GET['page_id']
And your using within the database, then your sanitize it.
if you have a variable like so:
$_GET['action']
And your planning on using like
require_once "pages/" . $_GET['action'] . ".php"
then you sanitize before you do that, otherwise just make sure that register_globals is off and you will be ok aslong as your not using them in places without considerable thought
Everything that's is not coming from your server should be sanitized! This includes $_GET, $_POST, $_SERVER just to name a few.
So, I've been coding for a little (2 years), and I have a very subjective question:
Is it wrong to use $_REQUEST for Data?
This mainly pertains to authentication by the way.
If you think about the 3 ways data can occur in $_REQUEST, it can come from either a cookie, a form, or a query string. Now, I know that most people directly grab the information from either $_POST or $_GET, using $_COOKIE only when they are expecting a cookie.
My theory is that in reality, there shouldn't be any difference in this data, and it shouldn't make any difference if you replaced $_POST or $_GET with $_REQUEST.
If you are authenticating a user into the system, does it really mattered if the authentication details are contained in the $_POST or $_GET array? Heck, it probably shouldn't matter if they are in $_COOKIE either. They are still giving you credentials to log into the site, which you should check for correctness, and if so log them in.
Now, I do realize there are security issues if you try to have a login form that submits data via a query string, but I don't believe that pertains to the question. Also, if someone fails a login too many times, there should be proper limits set in place to avoid overloading the server.
I'd like to here the opinion about this.
Community Wiki'd for good measure.
Oh, and just by the way, here are other StackOverflow questions that relate if you have other questions about $_REQUEST
Why should I use $_GET and $_POST instead of $_REQUEST?
When and why should $_REQUEST be used instead of $_GET / $_POST / $_COOKIE?
In "good" coding practice, you want to disambiguate as much as possible.
Since $_REQUEST contains the data from $_POST, $_GET, and $_COOKIE by default, the value held by the variable that stores the data retrieved using $_REQUEST will be ambiguous as to which method it came from.
If we are more specific, it will benefit readability of code, as well as understanding of logic, and helps for debugging in the future.
(Let alone the security issues concerning each method, especially the $_GET one)
I'd say avoid it all together. I agree with Sev that disambiguation is important for many reasons (debugging, clarity/self-documentation, elegance, etc.), but there are significant security issues that could arise, and that would be my main reason for avoiding it.
As a simple example, what happens when the same key is sent in two of the arrays (e.g. $_POST['criticalInfo'] and $_GET['criticalInfo'])? As with most security issues, the vulnerabilities present themselves in the individual implementation, so it would be impossible to guess your specific risks. The fact is that ambiguity often opens up holes.
Don't leave it up to "variables_order" in PHP_INI to determine where your script gets variables from. Use $_GET, $_POST, etc.
It is also about not letting credentials come in any other way than a POST request. I would not want my GET request to have side-effects (like logging in the user).
Is it wrong? No.
Is it inferior to $_GET or $_POST? Yes. Use the right array and you'll avoid all kinds of problems that stem from not knowing where the array contents of $_REQUEST came from.