PHP Quickie
August 28th, 2006

So you want to validate inputs, eh? If you said, “No”, think again. Well, here is a little tip for you. If you are passing in any kind of number that you use as an index in a table, you had better do something like this:
$val = strval(intval($_GET['val']));
“Why?” you ask?
The reason is simple (and I don’t think I am giving away any hacking secrets here): if you are going to use this number to retrieve a value in a query, e.g. "SELECT something FROM table WHERE ref = " . $_GET['val'], someone could easily, and I mean EASILY, do a bait and switch like this…
If you are expecting $_GET['val'] = "1", they could send $_GET['val'] = "1; DELETE FROM table;" instead.
Unclear? The way they can do this is simply this:
http://www.yoursite.com/index.php?val=1
VS.
http://www.yoursite.com/index.php?val=1;DELETE FROM table
Do you see how easy that was? They just cleared out your table and you didn’t even have a chance. They terminated your query and ran another one right under your nose, and you will have no record of it except the Apache access log showing the GET string. If they couldn’t figure out the table’s name it might take them a while, and you might catch them, but why take the chance?

One caveat: whether that second statement actually executes depends on the database driver. PHP’s mysql_query(), for example, refuses to run more than one statement per call. That is no reason to relax, because the same unsanitized value lets an attacker rewrite the WHERE clause instead (val=1 OR 1=1 returns every row) without stacking a statement at all. The intval() line above shuts both doors for a numeric parameter, since nothing but an integer survives it.
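Here is an added example (mine, not code from the original post) that puts the attacker’s input beside the post’s intval() fix and a stricter variant that rejects garbage instead of turning it into 0. It only builds the SQL text, so it runs from the command line with no database; the table and column names are the placeholders from the post’s snippet, and the ctype_digit() check is my own addition.

```php
<?php
// Added example, not part of the original post. Builds query text only;
// "table" and "ref" are the placeholder names used in the post.

// The vulnerable pattern from the post: raw GET parameter pasted into SQL.
function build_query_unsafe(string $val): string
{
    return "SELECT something FROM table WHERE ref = " . $val;
}

// The post's fix: force the value through intval() so only an integer
// can reach the query. Anything non-numeric collapses to 0.
function build_query_intval(string $val): string
{
    $safe = strval(intval($val));
    return "SELECT something FROM table WHERE ref = " . $safe;
}

// Stricter variant (assumption: you would rather return a 400/404 than
// silently look up row 0). Accepts only a plain run of digits of sane
// length; returns null when the request should be rejected.
function build_query_strict(string $val): ?string
{
    if (!ctype_digit($val) || strlen($val) > 18) {
        return null;
    }
    return "SELECT something FROM table WHERE ref = " . $val;
}

// Constructed sample inputs: the post's two URLs plus a few other shapes.
$samples = [
    '1',
    '1;DELETE FROM table',
    '1 OR 1=1',
    'abc',
    '-7',
];

foreach ($samples as $val) {
    printf("%-22s unsafe: %s\n", var_export($val, true), build_query_unsafe($val));
    printf("%-22s intval: %s\n", '', build_query_intval($val));
    printf("%-22s strict: %s\n\n", '', build_query_strict($val) ?? '(rejected)');
}
```

Running it with `php` shows intval() reducing both “1;DELETE FROM table” and “1 OR 1=1” to 1, “abc” to 0 and “-7” to -7, while the strict variant accepts only “1”. intval() only helps when the parameter really is an integer; for strings, dates and the like, bind the value through a prepared statement (PDO or mysqli) rather than concatenating it into the query.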
Leroy is a Zend PHP Certified Engineer from Crestview, FL. He has been computing for nearly two decades, drag-racing for 12 years, and spent a year with a band as a guitarist.
