Blocking Malicious Query Strings

jtmathome

Recently I've noticed that not some so good entities are sending suspected malicious queries through my php. i.e. "http://mysite.net?Page=http://www.welovesendingspam.de". Where normally I use the $Page variable to load pages i.e. "Home", Gallery", etc...

My site does not support global variables, but is there a way I can lock these up in their tracks?

NogDog

You must validate/filter all GET and POST data, as it can all be easily spoofed. Check that the values received are of the correct length and type, and reject them if not. Additionally, you could check the values of the $Page value in this example against an array of allowed values (see [man]in_array[/man]).