URL Security

funsutton

I am trying to protect my URL from being hacked. I was wondering if I could get feedback on my code below? I believe this is pretty secure. I am using sql injection from the URL with an access database as the backend.

if (!isset($_SERVER['QUERY_STRING'])) { 
    $_SERVER['QUERY_STRING'] = ""; 
    } 

if (empty($_GET['prog'])) { 
    $_GET['prog'] = "all"; 
    } 

if (empty($_GET['i'])) { 
    $_GET['i'] = 0; 
    } 

if(($_SERVER['QUERY_STRING'] == "") || ($_SERVER['QUERY_STRING'] == "prog=".$_GET['prog']."&i=".$_GET['i'])) { 
    echo ""; 
    }else{ 
    echo "Sorry - You cannot access this page directly.<Br><Br>Please <a href='javascript:history.go(-1)'>Go Back.</a>"; 
    exit; 
        }

Thanks,
Brian

mrhappiness

you tested it?

funsutton

Well, as much as I can. I am not a hacker, so I am not sure exactly what a hacker does in the url...with unicode..etc...

But, I have security on the varibles in the URL: one is using an array to check the input and the other is using isnumeric() to check to make sure it's a number.

-Brian

mrhappiness

Just to make sure I got it right:

If you have a link

<a href="index.php?prog=foo&id=5">Click me</a>

I'm allowed to click it and view the page?

But I'm not allowed to enter

[i]yourdomain[/i]/index.php?prog=foo&id=5

directly into my browser's adress bar?

You can't prevent people from typing urls directly into their browser's adress bar
you can only validate the data you got... the way you do it right now is not suitable for this as you better should check if the url-parameters contain valid data (e.g. compare it with a whitelist)

funsutton

You can alter the variables...but I do the variable checking later in the script:

$prog_array = array("all", "1", 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13);

if (!in_array($prog, $prog_array)) {
	$prog = "all";
	}

if(!ctype_digit($i)) {
$i = 0;
}


if ($i > $total) {
	$i = $total;
}elseif ($i < 0) {
	$i = 0;
}

if (empty($i)) {
	$i = 0;
	}

The security code for the URL was merely meant to keep someone from typing in extra characters....or trying to figure out other variables...or whatever else someone might do.

-Brian

mrhappiness

Originally posted by funsutton
The security code for the URL was merely meant to keep someone from typing in extra characters....or trying to figure out other variables...or whatever else someone might do.

so your checking twice?

first you check for some possibly evil things and lateron you compare the data entered with the whitelist you have?`

why not just using the whitelist?
if i enter something weird it surely is not in the whitelist and therefor i can't cause any harm

funsutton

Well, I have heard of people adding stuff to the url (instead of people just using your variables) and hacking into your database. That's why I was trying to limit the length of the query string.

jansky

One good security is to define a variable in your configuration
which something look like
define('thisismysite',true);

and in every page
it must look like this on top of your code "beginning code"

if (!(defined('thisismysite'))) header("HTTP/1.0 404 Not Found");

So when a hacker tried to access your site without going to your homepage
it will bring
404.

This is a one good security

yourdomain/index.php?prog=foo&id=5