So you want to validate inputs, eh? If you said, “No”, think again.ï¿½ Well here is a little tip for you. If you are passing in any kind of number that you use as an index in a table, you better do something like this:
$val = strval(intval($_GET['val']));
“Why?” you ask?
The reason is simple (and I don’t think I am giving away any hacking secrets here) – If you are going to use this number to retrieve a value in a query, ie
"SELECT something FROM table WHERE ref = " . $_GET['val'], someone could easily – and I mean EASILY do a bait and switch like this…
If you are expecting
$_GET['val'] = "1", they could put
$_GET['val'] = "1; DELETE FROM table;"
Unclear? The way they can do this is simply this:
http://www.yoursite.com/index.php?val=1;DELETE FROM table
Do you see how easy that was? They just cleared out your table and you didn’t even have a chance. They terminated your query, and ran another one right under your nose. And you will not have a record of it except the apache logs showing the GET string. If they couldn’t figure out the table’s name, it might take a while, and you might catch them, but why take the chance?