PHP Quickie

So you want to validate inputs, eh? If you said “No”, think again. Here is a little tip for you. If you are passing in any kind of number that you use as an index into a table, you had better do something like this:

$val = strval(intval($_GET['val']));

“Why?” you ask?

The reason is simple (and I don’t think I am giving away any hacking secrets here). If you are going to use this number to retrieve a value in a query, i.e. "SELECT something FROM table WHERE ref = " . $_GET['val'], someone could easily, and I mean EASILY, do a bait and switch like this…

If you are expecting $_GET['val'] = "1", they could put $_GET['val'] = "1; DELETE FROM table;"

Unclear? Here is how they do it, straight from the address bar:

http://www.yoursite.com/index.php?val=1

VS.

http://www.yoursite.com/index.php?val=1;DELETE FROM table

Do you see how easy that was? They just cleared out your table and you didn’t even have a chance. They terminated your query and ran another one right under your nose, and the only record you will have of it is the Apache access log showing the GET string. Whether that second statement actually executes depends on the database driver (MySQL’s mysql_query() runs only a single statement per call), but an attacker does not need it: a value like 1 OR 1=1 turns the very same query into one that returns every row, and a UNION SELECT can pull data out of other tables. If they couldn’t figure out the table’s name it might take them a while, and you might catch them, but why take the chance? The cast above neutralises all of this because intval() can only ever produce digits (and a leading minus sign). Two caveats: intval() silently turns any non-numeric input into 0, so if 0 is a valid key you should reject such values outright rather than look them up, and the general fix that covers strings as well as numbers is a prepared statement, where the value never becomes part of the SQL text at all.
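The three variants side by side, as an added example that is not part of the original post. It runs against an in-memory SQLite database through PDO so it needs no server; the table name items, the column ref and the two rows are constructed for the demonstration, and the payload used is 1 OR 1=1 rather than the stacked DELETE from the post, because it works on every driver regardless of multi-statement support.

```php
<?php
// Added example, not the original post's code. Assumes the pdo_sqlite
// extension (present in stock PHP builds); the table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (ref INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (ref, name) VALUES (1, 'public'), (2, 'secret')");

// 1. What the post warns about: the raw GET value is pasted into the SQL text.
function lookupVulnerable(PDO $db, string $val): array
{
    $sql = "SELECT ref, name FROM items WHERE ref = " . $val;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The post's tip: cast to int first, so only digits can reach the query.
//    Anything non-numeric becomes 0, so reject that case rather than look it up.
function lookupIntval(PDO $db, string $val): array
{
    $ref = intval($val);
    if ($ref === 0) {
        return [];
    }
    $sql = "SELECT ref, name FROM items WHERE ref = " . strval($ref);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value is bound separately and never becomes SQL.
function lookupPrepared(PDO $db, string $val): array
{
    $stmt = $db->prepare('SELECT ref, name FROM items WHERE ref = :ref');
    $stmt->bindValue(':ref', (int) $val, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the value the page expects, a tautology payload that
// needs no stacked-query support, and non-numeric garbage.
$inputs = ['1', '1 OR 1=1', 'abc'];

foreach ($inputs as $input) {
    $vulnerable = lookupVulnerable($db, $input);
    $casted     = lookupIntval($db, $input);
    $prepared   = lookupPrepared($db, $input);
    printf("input %-12s vulnerable=%d row(s)  intval=%d row(s)  prepared=%d row(s)\n",
        var_export($input, true),
        count($vulnerable),
        count($casted),
        count($prepared));
}
```

Run it with php on the command line. For the input 1 all three lookups return the single public row; for 1 OR 1=1 the vulnerable variant hands back both rows, including the one the caller was never supposed to see, while the cast and the prepared statement still return only ref 1. For abc the cast variant returns nothing because intval() produced 0, and the prepared variant binds 0 and finds no row; the vulnerable variant throws a PDOException from SQLite instead, which is the kind of error message an attacker uses to learn your schema.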
