Validate Query String

rr1024

I was trying to find a slick way to do validation of the URL's Query String

I only use a few special chars for my query strings and I was thinking
about automating the whole sanatization of my url base query strings with
something like this.

I only use '_', '&', '=' and of course Alpha Numberic.

I thought I could come up with some ereg tester to validate that it's
within my format.

I found


ereg( "^([-a-zA-Z0-9_\.\!@#\$&\*\+\=\|])*$" , $var )

What I WANT, I think...LOL

ereg( "^([-a-zA-Z0-9_@&=])*$" , $_SERVER['QUERY_STRING'] )

Here is an example of what I think I want to do

IF ( !ereg('[^A-Za-z0-9]', $_SERVER['QUERY_STRING'] )
     $IsGoodQuery = TRUE
ELSE $IsGoodQuery = FALSE;

Then I add that to the top of any all my pages that require query strings and if $IsGoodQuery is not true then maybe uses list $_SERVER['QUERY_STRING'] to break it up and try to find out why but otherwise just continue with SQL stuff.

Also would this have any adverse effect if I did some mod - rewrite?

Any Thoughts advice ?

I don't know ereg that well and I've seen some stuff I couldn't begin to understand, it's all the different bracks and stuff that is a little :queasy:
Like what is the difference between
[^A-Za-z0-9]
And
[-a-zA-Z0-9_@&=])*$

I added the _@&= but I don't know what the *$ does for it

NogDog

I'm not sure I'm crazy about validating at the raw query string level unless you're actually doing something with that raw data. It would seem to me to be more reasonable to validate values in the $GET array, instead. Even if the query string contains all "valid" characters, that tells you nothing about what variable names and values were received, so you'd still have to validate each element of the $GET array for existence and valid content where applicable.

rr1024

NogDog thanks for your opinion and with that I've created the following to automate my query string validation. Please let me know what you think.

This would be only used where I'm using $GET or $REQUEST to process user data from a $SERVER['QUERY_STRING'] , NOT for $POST

$MyValidRequests = qValidated( $_GET  );

$MyValidRequests = qValidated( $_REQUEST  );

FUNCTION qValidated( $GetRequestArr )
{
// "^([-a-zA-Z0-9_@&=])*$"
//IF ( !ereg('[^A-Za-z0-9]', $_SERVER['QUERY_STRING'] )
//     $IsGoodQuery = TRUE
//ELSE $IsGoodQuery = FALSE;
# If a hacker dumps a string in QUERY_STRING where an integer should be
# whats the worst that can happen. All querys start with supress warnings @
# I think the important part is they can't do anything distructive or majorly
# wrong with <Scripts, ', ", `, ~, ?
# I still don't under stand what "^([-a-zA-Z0-9_])*$" does namely ^, *, $, (, )
# I only want a-zA-Z0-9, -, _,  no comma of course
IF ( !empty( $_SERVER['QUERY_STRING'] ) ) {

 FOREACH ( $GetRequestArr as $Key => $Value ) {
      # If request not my server then return false for all $_Get
      IF ( 'http://'.$_SERVER['HTTP_HOST'].'/' === $site['url'] ) {

           IF (is_numeric($Value) AND eregi( "[^0-9]", $Value)){

                $ValidArr[$Value] = (int)$Value;

           }ELSE{
           #We are expecting a string here so return false if it's not
                $TempV = strip_tags( $Value );
                $TempV = stripslashes( $Value );

                IF ( !eregi( "^([-a-zA-Z0-9_])*$" , $TempV ) ) {

                     $ValidArr[$Value] = $TempV;

                }ELSE{

                     $ValidArr[$Value] = FALSE;
                }

           }
      }ELSE{

           $ValidArr[$Value] = FALSE;

      }

 }
}ELSE{
         RETURN FALSE;
}
        RETURN $ValidArr;

}#[END] FUNCTION

I'm not sure if this part of ergi ^{([-a-zA-Z0-9])$} will do what I want or not, I only want to allow
a-z
A-Z
0-9
"underscore"
- "dash"
in my quesry strings I haven't had much luck with finding out what
^

$
do

Any help would be great and if anyone has any opinions as to using this approach to fort QUERY_STRING hacking attempts.
Also is there away to improve speed or anything.

NogDog

I'm a bit more familiar with the preg* functions. I would use the following to check for invalid characters:

if(!preg_match('/[^a-z\d_-]/i', $TempV))
{
   // it's valid
}
else
{
   // it's NOT valid
}

The [^a-z\d_-] character class matches on anything that is not (the "^" negation character) any of the allowed characters which follow ("\d" is shorthand for any numeral), and the "i" after the closing "/" means case-insensitive matching.

rr1024

Here is my tested code, I think this works really well

FUNCTION testString( $GetRequestArr )
{
      #Error Code series 200, E200 is reserved for Query String Errors
      GLOBAL $site;  # for main site url must match http_host exactly

    //$ValidArr = ARRAY();
    IF ( !empty( $_SERVER['QUERY_STRING'] ) ) {
        //ECHO "Hello ";
         FOREACH ( $GetRequestArr as $Key => $Value ) {
              # If request not my server then return false for all $_Get
              IF ( 'http://'.$_SERVER['HTTP_HOST'].'/' === $site['url_main'] ) {
                   IF ( is_numeric( $Value ) AND eregi( "[^0-9]", $Value ) ) {
                        $ValidArr[$Key] = (int)$Value;
                        $ValidArr['E200'] = "Numeric key = ". $Key.' Value = ' . $Value;
                   }ELSE{
                        #We are expecting a string here so return false if it's not valid
                        $TempV = strip_tags( $Value );
                        $TempV = stripslashes( $Value );
                        #Match a-zA-Z0-9 - and _ only if string anything else return 0 for key value
                        IF ( !preg_match('/[^a-z\d_-]/i', $TempV) ) {
                             $ValidArr[$Key] = $TempV;
                        }ELSE{
                             $ValidArr[$Key] = 0;
                        }
                        $ValidArr['E200'] = "String key = ". $Key.' Value = ' . $ValidArr[$Key];
                   }
              }ELSE{
                   $ValidArr[$Key] = 0;
                   $ValidArr['E200'] = "Severs did not match, reseting all keys to 0";
              }

         }
    }ELSE{
         $ValidArr['E200'] = "No Query String Detected.";
         $ValidArr = 0;
    }
    RETURN $ValidArr;
}

The thing that can be added is if string then do something like is in array, using an array of possible answers and wala we've got a good way of instantly and automatically validating get and requests.