开发者

$_GET php security

开发者 https://www.devze.com 2023-03-10 18:23 出处:网络
Do coding this way pose any security risks? $test = $_GET[\'test\']开发者_开发百科; if($test) {

Do coding this way pose any security risks?

$test = $_GET['test']开发者_开发百科;
if($test) { 
$sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'");
$row ...
}


No, The code above does not have any security hole since you are not using the GET variable in any mysql query.

Look here for other security concerns


$test = $_GET['test']; if($test) { $sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'"); $row ... }

if your $_GET is number same id can use

if(!is_numeric($test)){"echo "not numeric " ; } else { your code }

if your $_GET string you can use

function security ($test) { $test = str_replace ("""" , "" ,$test ); $test = str_replace ("<" , "" ,$test ); $test = str_replace (">" , "" ,$test ); $test = str_replace ("//" , "" ,$test ); $test = str_replace ("\" , "" ,$test ); $test = str_replace ("''" , "" ,$test ); $test = str_replace ("%" , "" ,$test ); $test = str_replace ("^" , "" ,$test ); $test = str_replace ("or" , "" ,$test ); $test = str_replace ("&" , "" ,$test ); $test = str_replace ("and" , "",$test );

return $test ; }

$test = security($test);
$sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'");
$numrow = mysql_num_rows($sql);

if($numrow==0) { echo "error post" ; }
else { your code }


No, you're only using $_GET to evaluate if the variable is true or false.

If you were to use it, unescaped, in your query just or even just echo it for the user, it would.


Not nescesairily. But you provide too little to be sure. In general there are problems when you insert data from $_GET or $_POST into your sql (SQL Injection). This gives errors when people will start putting SQL code in the $_GET or $_POST, this is not the case right now.

For further reading, there are few lengthy volumes to get you up to speed on XSS and security:

  • http://phpsec.org/projects/guide/
  • http://php.robm.me.uk/
  • https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29


As long as you don't really mind if $test is true or false (and therefore if the code runs or not) then no there's no security risk to just testing the value.


Only if the $_GET variable your testing for gives the user some sort of secret information from the database. But as the others have said this way your not open to SQL injection.

But without more information it's a bit hard to comment on the security of the script. As Security encompasses a large field and we are only able to comment on the code you gave us.


$_GET[ "" ] is already escaped depending on your version if you are requiring to use it in a mysql query, read [5.3 deprecrated] http://www.php.net/manual/en/function.set-magic-quotes-runtime.php to find out more about how quotes are escaped.

also depending on your error_reporting function you might want to do a

if(
   isset($_GET['test']) &&
   $_GET['test']!=''
){
   $test=$_GET['test'];

   #...
}
0

精彩评论

暂无评论...
验证码 换一张
取 消