- Hal Halloway
January 9, 2005, 2:37 pm
to ask what I can do in the target PHP file (details.php) to make sure
nothing evil is done to me. Below I cite the one line in question:
$d_content_cut = $d_content.'...<a STYLE="color:goldenrod;
border-bottom: 2px solid;"
Here's more info:
- $d_content_cut appears in an HTML table as some text with a link tagged
on at the end of this text (as you can see). Click the link and you'll
see more detail on that particular item on a new page called details.php.
- I'm doing a "GET".
- id='.$pg_id This is the primary key for the MySQL DB item. It's an
integer and I put it in a SELECT statement with mysql_query to get the
record I need to show.
- &Type_view=detail&Type_Submit='.$Type_Submit These are data I need
to properly process the detail page. I hard code "detail" cause I know
if I am doing a GET from this stage in my code it's gotta be "detail",
The var $Type_Submit can be one of four (4) strings - so at least I know
if it's not one of those 4 it's bogus.
- '&key_word='.urlencode($highlight).'>more</a>'; $highlight could be
anything because it's what the user entered as search keywords. Yes, I
escaped it when I did the search in MySQL, but in a GET a user could
change it, couldn't they(?). I need to pass it along in the GET.
So what could I do, esp. in details.php where I process this GET, to make
sure evil is not done to me?
- Schraalhans Keukenmeester
January 9, 2005, 10:44 pm
Re: PHP security question
In general, you may want to take a look at mod_security
(http://www.modsecurity.org ) that allows filtering a lot of things using
regex at HTTP level, and for this specific case there are functions
available like strip_tags(), stripslashes(), stripcslashes() etcetera.
Additionally you may want to use your own str_replace() functions.
I have in the past used a homebrew function that just stripped anything
other than alphanumerical chars and _ , but that may be too rigorous in
your case. Using regex you can make almost any filter you can dream of.
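Added example (not code from either poster): one way to handle the four GET parameters the question describes in details.php, and to build the "more" link from the first post. It takes the reply's advice of validating what comes in, but does it per parameter rather than with a blanket strip function, and it uses a parameterised query and context-specific output escaping instead of mysql_query with an interpolated id. Assumed and not from the thread: a mysqli connection in $db, a table named items with columns id and content, and the four Type_Submit strings, which are stand-in names here.

```php
<?php
// details.php -- added example, not the original poster's code.
// Assumptions (not from the thread): a mysqli connection $db, a table
// `items` with columns `id` and `content`, and the four Type_Submit
// values, given here as placeholder names.
declare(strict_types=1);

const ALLOWED_TYPE_VIEW   = ['detail'];
const ALLOWED_TYPE_SUBMIT = ['alpha', 'beta', 'gamma', 'delta']; // placeholders

/** Return the id as an int, or null unless it is a plain positive integer. */
function validate_id(?string $raw): ?int
{
    // ctype_digit rejects signs, spaces, "1e3", "1 OR 1=1", and the like;
    // the length cap keeps the value inside a 64-bit integer.
    if ($raw === null || $raw === '' || !ctype_digit($raw) || strlen($raw) > 18) {
        return null;
    }
    return (int) $raw;
}

/** Return $raw only if it is exactly one of the allowed strings. */
function validate_enum(?string $raw, array $allowed): ?string
{
    return ($raw !== null && in_array($raw, $allowed, true)) ? $raw : null;
}

/** The keyword may be anything the user typed; bound it and require valid UTF-8. */
function validate_keyword(?string $raw): string
{
    $kw = substr((string) $raw, 0, 100);
    return mb_check_encoding($kw, 'UTF-8') ? $kw : '';
}

/** HTML-escape for the HTML body / attribute context, at output time. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the "more" link: urlencode for the query string, escape for the attribute. */
function more_link(int $pgId, string $typeSubmit, string $highlight): string
{
    $url = 'details.php?' . http_build_query([
        'id'          => $pgId,
        'Type_view'   => 'detail',
        'Type_Submit' => $typeSubmit,
        'key_word'    => $highlight,
    ]);
    return '<a style="color:goldenrod; border-bottom: 2px solid;" href="'
        . h($url) . '">more</a>';
}

$id      = validate_id($_GET['id'] ?? null);
$view    = validate_enum($_GET['Type_view'] ?? null, ALLOWED_TYPE_VIEW);
$submit  = validate_enum($_GET['Type_Submit'] ?? null, ALLOWED_TYPE_SUBMIT);
$keyword = validate_keyword($_GET['key_word'] ?? null);

if ($id === null || $view === null || $submit === null) {
    http_response_code(400);
    exit('Bad request');
}

// Parameterised query: the id is bound as an integer and never becomes
// part of the SQL text, so a tampered id cannot change the statement.
$stmt = $db->prepare('SELECT content FROM items WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if ($row === null) {
    http_response_code(404);
    exit('Not found');
}

// Escape the whole text first, then wrap the (escaped) keyword, so the
// <mark> tags are the only markup on the page that came from this value.
$content = h($row['content']);
if ($keyword !== '') {
    $content = str_ireplace(h($keyword), '<mark>' . h($keyword) . '</mark>', $content);
}

header('Content-Type: text/html; charset=UTF-8');
echo '<p>', $content, '</p>';
```

The split of responsibilities is the point: the id is checked as a number and bound as one, the two mode fields are compared against a fixed list, and the free-text keyword is not stripped at all on the way in but escaped for HTML at the moment it is written out, so the same value can still be used unchanged for the MySQL search elsewhere. Note that the old mysql_* extension the question mentions is gone in PHP 7 and later; the mysqli prepared statement above is the replacement.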