Passing variables in URL: easily hackable?

sois

If i pass a variable through the URL like this:

www.sois.com/home.php?playerID=5

What is the best way to use the playerID variable? Should I use the variable direclty in my code? For example "select * from DB where PLAYER = '$playerID' " or should I use GET or POST methods?

Also, can someone add something to the URL to hack/destroy my site? Something like this?
www.sois.com/home.php?playerID=5;drop DB;... etc.

Is that possible or am I safe? Thanks all.

laserlight

No, always treat incoming variables as suspect, whether they come from the query string, from a form, or even from a cookie.

For an integer id like playerID, you can simply cast it to int and then use it in your SQL statement, or you can validate with say, ctype_digit(). For strings, you would use the appropriate function (depends on your database API or database wrapper API) to ensure that the input is safe from SQL injection. Alternatively, you might use prepared statements, e.g., in PDO.

etully

(Laserlight always beats me to the punch!!)

You are definitely not safe.

Using the get method puts the variables in the URL and you are not safe.

Using the post method passes them in the header where the user can't see them... but you are still not safe. Using the post method will hide the variables from 100% of average users... but the average users weren't the ones who were going to hack your site. Using the post method will protect you against about 1% (the very dumbest) users. The other 99% can still alter the variables as much as they want.

Therefore: There is only one protection. You must let them pass you WHATEVER they want and then it's your job to verify that they passed you something that (A) they are authorized to do and (😎 won't wipe out your system.

The example you gave (Drop D😎 is a perfect example... but there are about 100 more. So the thing to do is figure out what you want to accept and dump anything that doesn't match. For example, if you have 8000 users with sequential user id's (0001-8000) and your site passes in a user id, then check to see that (A) it doesn't contain anything other than numbers and (😎 that the number is in the range from 1-8000. If the number is 9500, then something is wrong. If the number is -45, then something is wrong. If the number is 3.14 then something is wrong. Figure out what you want to permit and disallow everything else. It's the safest security model.

And one more time for the people in the back row who didn't hear me: Switching from Get to Post will not make you any more secure.

Piranha

The question requires a very long answer to get you an answer to every possibility. To get the best answer I suggest to read a lot about security. But I can give yo some hints to what you should look for.

First, use [man]mysql_real_escape_string[/man] to avoid database injection. And always use ' signs, even for numeric variables. This is if you use MySQL, there are other ways to solve it if you use another database.

Second, how important is it if the playerID is changed? People will change the number after the id.

Third, look into sessions. It is not 100% secure, but for some things it is much better than POST or GET.

Forth, always use POST in forms. There is no reason to use GET, but if you use it it will cause troubles.

sois

Dang, Ive got a lot of work to do in that case. 🙁
Thanks for the good info.

sois

Piranha wrote:
Forth, always use POST in forms. There is no reason to use GET, but if you use it it will cause troubles.

This might be a stupid question, but can you use POST method with html links?

For example, I use this alot:

<a href="page.php?variable=$variable" > Link </a>

Is this appropriate or stupid?

etully

This might be a stupid question, but can you use POST method with html links?

There are ways to trick the system into doing that but it doesn't make you any more secure.

As I said in my post, "one more time for the people in the back row who didn't hear me: Switching from Get to Post will not make you any more secure."

sois

etully wrote:
There are ways to trick the system into doing that but it doesn't make you any more secure.

As I said in my post, "one more time for the people in the back row who didn't hear me: Switching from Get to Post will not make you any more secure."

I'm sorry, I didn't mean to imply I didn't read that part of your post. I guess I feel that I have a lot of non-technical users who might know enough about internet to be dangerous. If I could hide that path in the URL, they might just be less tempted to tamper.

Thanks for the info 🙂

laserlight

And always use ' signs, even for numeric variables. This is if you use MySQL, there are other ways to solve it if you use another database.

Yes, if I remember correctly quoting numeric data in other databases is actually incorrect.

If I could hide that path in the URL, they might just be less tempted to tamper.

Instead of relying on security by obscurity, make it such that even if they tamper, nothing will go wrong. Piranha's dictum to "always use POST in forms" is important because of things like size restrictions on the query string, and less so on security.

sois

Thanks guys. I will get to work cleaning up my site. I'm glad I don't have anything really important on it 🙂

Piranha

laserlight wrote:
Instead of relying on security by obscurity, make it such that even if they tamper, nothing will go wrong. Piranha's dictum to "always use POST in forms" is important because of things like size restrictions on the query string, and less so on security.

Exactly. I should have made it clear that it was not for security reasons you should use POST in forms.

rr1024

sois wrote:
If i pass a variable through the URL like this:

www.sois.com/home.php?playerID=5

What is the best way to use the playerID variable? Should I use the variable direclty in my code? For example "select * from DB where PLAYER = '$playerID' " or should I use GET or POST methods?

Also, can someone add something to the URL to hack/destroy my site? Something like this?
www.sois.com/home.php?playerID=5;drop DB;... etc.

Is that possible or am I safe? Thanks all.

Hey, I created this query string sanitizer for my apps....it is a work in progress and you are limited to a-zA-Z0-9, underscore and dashes.

I use it like

$GVars = qStrSanatize( $_GET );

Now in your example above you would do something like

$playerID = (int)$_GET["playerID"];

What I do with this function is
$GVars = qStrSanatize( $_GET );
$playerID = $GVars["playerID"];

we verify if it's numeric or text and we also convert all entities, it seems pretty safe and I use it all the time.
Also keep in mind that you need to handle it when you do get an error where it returns all your Get...post requests back false

I don't use this function for Post vars only Query strings in the url and I limit my self to using only the chars listed.

FUNCTION qStrSanatize( $GetRequestArr )
{
      #Error Code series 200, E200 is reserved for Query String Errors
      GLOBAL $site;  # for main site url must match http_host exactly

    //$ValidArr = ARRAY();
    IF ( !empty( $_SERVER['QUERY_STRING'] ) ) {
        //ECHO "Hello ";
         IF ( is_array( $GetRequestArr ) ) {
              FOREACH ( $GetRequestArr as $Key => $Value ) {
                   # If request not my server then return false for all $_Get
                   IF ( 'http://'.$_SERVER['HTTP_HOST'].'/' === $site['url_main'] ) {
                        IF ( is_numeric( $Value ) AND eregi( "[^0-9]", $Value ) ) {
                             $ValidArr[$Key] = (int)$Value;
                             $ValidArr['E200'] .= "Numeric key = ". $Key.' Value = ' . $Value;
                        }ELSE{
                             #We are expecting a string here so return false if it's not valid
                             $TempV = trim( strip_tags( html_entity_decode( $Value ) ) );
                             $TempV = stripslashes( $TempV );
                             $TempV = str_replace(chr(13), "", $TempV); #chr(13) is a carriage RETURN
                             $TempV = str_replace(chr(10),"",$TempV);   #chr(10) line feed
                             #Match a-zA-Z0-9 - and _ only if string anything else return 0 for key value
                             IF ( !preg_match('/[^a-zA-Z\d_-]/i', $TempV) ) {
                                  $ValidArr[$Key] = $TempV;
                             }ELSE{
                                  $ValidArr[$Key] = 0;
                             }
                             $ValidArr['E200'] .= "Valid String key = ". $Key.' Value = ' . $ValidArr[$Key];
                        }
                   }ELSE{
                        $ValidArr[$Key] = 0;
                        $ValidArr['E200'] .= "Severs did not match, reseting all keys to 0";
                   }

              }
         }ELSE{
              IF ( 'http://'.$_SERVER['HTTP_HOST'].'/' === $site['url_main'] ) {
                   IF ( is_numeric( $GetRequestArr ) AND eregi( "[^0-9]", $GetRequestArr ) ) {
                        $ValidArr = (int)$GetRequestArr;
                   }ELSE{
                        #We are expecting a string here so return false if it's not valid
                        $TempV = trim( strip_tags( html_entity_decode( $GetRequestArr ) ) );
                        $TempV = stripslashes( $TempV );
                        $TempV = str_replace(chr(13), "", $TempV); #chr(13) is a carriage RETURN
                        $TempV = str_replace(chr(10),"",$TempV);   #chr(10) line feed
                        #Match a-zA-Z0-9 - and _ only if string anything else return 0 for key value
                        IF ( !preg_match('/[^a-z\d_-]/i', $TempV) ) {
                             $ValidArr = $TempV;
                        }ELSE{
                             $ValidArr = 0;
                        }

                   }
              }ELSE{
                   $ValidArr = 0;

              }
         }
    }ELSE{
         $ValidArr['E200'] = "No Query String Detected.";
         $ValidArr[0] = 0;
    }
    RETURN $ValidArr;
}

NogDog

Piranha wrote:
Forth, always use POST in forms. There is no reason to use GET, but if you use it it will cause troubles.

I would disagree with this blanket statement. POST should be used for any form which may cause any changes to something (place an order, send an email, post a message to a forum, etc.). GET should be used for any form which does not change anything but instead only causes selected information to be displayed (site search, product listing, etc.). One of the major reasons for this is so that links to particular information-only results can be bookmarked, used in other web pages, etc.; whereas you specifically do not want actions that make changes to be linkable or bookmarkable (to coin a new word).

Or, as the Form Submission section of the HTML 4.01 Spec. says:

The "get" method should be used when the form is idempotent (i.e., causes no side-effects). Many database searches have no visible side-effects and make ideal applications for the "get" method.

If the service associated with the processing of a form causes side effects (for example, if the form modifies a database or subscription to a service), the "post" method should be used.

rr1024

So I have a question about when exactly to use
$_POST

so I use POST when I'm letting a user change the data base in some way, this makes sense.

$_GET
I should use GET when I want to collect data from a URL or when user is just changing the out come of what he/she is presented with.

$_REQUEST
So, when do we use request?

I do have a link exchange script which allows someone to do a link exchange on Site A and when they are done submitting their link they are sent to a page which displays a list of sites runniing the same software and when they click on one it loads that sites link exchange form and prefills in the link exchange form using REQUEST so I've only used it in that instance but I don't know why I did

NogDog

$REQUEST is a catch-all that includes data from post, get, and cookies in one array. Basically, I would never use $REQUEST, as $POST, $GET, and $COOKIE will always be more precise and do the job; whereas it's possible to run into confusion if, say, you have a form post element named "id" but some user puts an "id" value in the URL. Depending on the variables_order configuration directive, the URL value might override your form value in the $REQUEST array, but will do nothing to the form value in the $_POST array.

etully

Sometimes I have a web site where PAGE X has a search field that posts to the search page and I have PAGE Y that generates a link to the search page which is interpreted as a get. Therefore, using the $_REQUEST variable allows me to hear the input no matter which way it was delivered to the page.