Archive for August, 2006

Cross your t’s and dot your i’s

Tuesday, August 29th, 2006

I’m sure it’s happened to us all, but I figured I would tell a humorous tale of how (yes, we all know it) missing the littlest character can have us spending an hour and a half pulling our hair out; once we enter the programming and JavaScript realm, they matter all the more… by that time you become bald. (more…)

PHP Quickie

Monday, August 28th, 2006

So you want to validate inputs, eh? If you said, “No”, think again. Well, here is a little tip for you. If you are passing in any kind of number that you use as an index into a table, you had better do something like this:

$val = strval(intval($_GET['val']));

“Why?” you ask?

The reason is simple (and I don’t think I am giving away any hacking secrets here). If you are going to use this number to retrieve a value in a query, i.e. "SELECT something FROM table WHERE ref = " . $_GET['val'], someone could easily - and I mean EASILY - do a bait and switch like this…

If you are expecting $_GET['val'] = "1", they could put $_GET['val'] = "1; DELETE FROM table;"

Unclear? Here is how they do it:

http://www.yoursite.com/index.php?val=1

VS.

http://www.yoursite.com/index.php?val=1;DELETE FROM table

Do you see how easy that was? They just cleared out your table and you didn’t even have a chance. They terminated your query and ran another one right under your nose, and you will have no record of it except the Apache logs showing the GET string. If they couldn’t figure out the table’s name it might take a while, and you might catch them, but why take the chance?
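Here is the tip worked through as a complete script. This is an added example, not code from the original post: it puts the vulnerable concatenation from the post next to the intval() fix, a stricter validate-and-log variant, and a prepared statement. The table name, column names and the sample inputs come from the post; the function names, the use of PDO and the error_log() call are assumptions. Whether a stacked statement actually executes depends on the database driver, but a non-integer value can still change the WHERE clause, so the fix matters either way.

```php
<?php
// Added example (not the post's own code). Shows the vulnerable query
// construction the post warns about beside three safer alternatives.
// Function names, PDO usage and the log message are assumptions.

// Vulnerable: the raw request value is pasted straight into the SQL text.
function build_query_unsafe($val) {
    return "SELECT something FROM table WHERE ref = " . $val;
}

// The post's fix: intval() keeps only the leading integer, so anything
// that follows it (such as a second statement) is dropped.
function build_query_intval($val) {
    $val = strval(intval($val));
    return "SELECT something FROM table WHERE ref = " . $val;
}

// Stricter variant: reject anything that is not purely digits and log the
// attempt, so it is recorded somewhere other than the web server access log.
function validate_index($val) {
    if (!is_string($val) || !ctype_digit($val)) {
        error_log("rejected non-numeric index parameter: " . var_export($val, true));
        return null;
    }
    return (int) $val;
}

// Preferred: a prepared statement. The value is bound as a parameter and
// never becomes part of the SQL string at all.
function lookup_prepared(PDO $db, $val) {
    $ref = validate_index($val);
    if ($ref === null) {
        return [];
    }
    $stmt = $db->prepare("SELECT something FROM table WHERE ref = :ref");
    $stmt->bindValue(':ref', $ref, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs: the value the post expects, the value from the
// post's example URL, and plain garbage.
$inputs = ["1", "1; DELETE FROM table", "abc"];
foreach ($inputs as $in) {
    echo "input:    ", $in, "\n";
    echo "unsafe:   ", build_query_unsafe($in), "\n";
    echo "intval:   ", build_query_intval($in), "\n";
    echo "validate: ", var_export(validate_index($in), true), "\n\n";
}
```

Run it from the command line with php to compare the three outcomes: the unsafe builder reproduces the injected text verbatim, intval() reduces "1; DELETE FROM table" to 1 and "abc" to 0, and validate_index() accepts only "1", returning null (and writing a log line) for the other two. The prepared-statement version needs a real PDO connection, which is why it is only defined here and not called.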