My profile.php displays all the user's postings,comments,pictures. If the user wants to delete, it sends the posting's id to the remove.php so it's like remove.php?action=removeposting&posting_id=2. If they want to remove a picture, it's remove.php?action=removepicture&picture_id=1.
Using the get data, I do a query to the database to display the info they want to delete and if they want to delete it, they click "yes". So the data is deleted via $POST NOT $GET to prevent cross-site request forgery.
My question is how do I make sure the GETs are not some javascript code, sql injection that will mess me up.
here is my remove.php
//how do I make $action safe?
//should I use mysqli_real_escape_string?
//use strip_tags()?
$action=trim($_GET['action']);
if (($action != 'removeposting') && ($action != 'removefriend')
&& ($action != 'removecomment'))
{
header("Location: index.ph开发者_运维问答p");
exit();
}
if ($action == 'removeposting')
{
//get the info and display it in a form. if user clicks "yes", deletes
}
if ($action =='removepicture')
{
//remove pic
}
I know I can't be 100% safe, but what are some common defenses I can use.
EDIT
Do this to prevent xss
$oldaction=trim($_GET['action']);
$action=strip_tags($oldaction);
Then when I am 'recalling' the data back via POST, I would use
$posting_id = mysqli_real_escape_string($dbc, trim($_POST['posting_id']));
if ($action == 'removeposting')
{
//get the posting id from the user
$getposting_id = htmlspecialchars(trim($_GET['posting_id']));
//basic checks for the posting id
if (empty($getposting_id)){
//header ("Location: index.php");
echo '<p>Sorry, no posting was specified for removal.</p>';
exit();
}
if (!is_numeric($getposting_id))
{
echo "Not an integer";
exit();
}
//Also have check to see if the posting_id is the user's. If so, can delete
Because you aren't storing $action
and only using it in your conditional, it's not necessary to do all the trimming/stripping/escaping. The simple string comparisons is enough in terms of "safety," though I recommend using ===
instead of ==
.
Alternatively, if you were storing a $_GET
or $_POST
value into an integer column of a MySQL database, for example, you could simply pass the value into intval()
before storing it in the database. If you need to store plain text, just pass it through mysql_real_escape_string()
before storing it. You can also use preg_match()
or preg_replace()
to make sure you are only storing valid values (different patterns for different uses, e.g. /^\d{5}(?:-?\d{4})?$/
for zip codes).
To prevent against any SQL injection you should use mysqli_real_escape_string
OR you can use Prepared Statements that accomplish the same thing.
To prevent any javascript, you could use strip_tags
in concert with htmlspecialchars
.
I know I can't be 100% safe
ahahahaha :)
if your question regarding only action, and it is used only to determine the code to run, it IS safe by any means.
But some info for you:
POST doesn't prevent cross-site request forgery. unique token does.
You didn't post actual action code, so just to be sure - I hope you check user's id whan perform these actions
Use the mysqli_real_escape_string
as noted elsewhere. Also, of course this does nothing to prevent XSRF. You'll need tokens containing some entropy for that.
See also: http://www.owasp.org/index.php/Main_Page
$_GET is completely safe until you try to glue (concatenate) it to the other things in your program like:
- SQL to be executed (in which case you should use mysqli_real_escape_string() or another escaping technique that is advised with the database that you are using)
- HTML to be outputted (in which case you should pass it through htmlspecialchars() before concatenation or printing/echoing)
- URL to be navigated to by the user (in which case you most likely should pass it through urlencode())
- JavaScript to be executed by the browser (in which case you should pass it through json_encode())
If you want to have an url in javascript embedded in html that you want to be inserted in database then you should pass value that you receive from $_GET (also $_POST, $_COOKIE and other similar outside sources) through all those functions in order appropriate to this scenario, namely
mysql_real_escape_string(htmlspecialchars(json_encode(urlencode($_GET['val']))));
If the only thing you do is compare your $_GET['action'] to some strings then you are perfectly safe without doing any escaping at all.
精彩评论