Possible security problem?

Maharg105

On one of my websites I have a number of news items that are accessed by passing the article id using the GET method.

I use statcounter to monitor traffic and I recently got a hit where the entry page was www.mydomain.co.uk/newsitem.php?id=13%27

Now the correct url would obviously be www.mydomain.co.uk/newsitem.php?id=13

Is this additional %27 an attempt to hack my site in some way? Is this not the code for the ' symbol?

Thanks in advance,

bradgrafelman

0x27 is the ASCII code for a single quote, yes.

And yes, someone was probably trying to see if your script was vulnerable to SQL injection attacks. It shouldn't be, because you should never be placing user-supplied data directly into a SQL query string. Instead, you must first sanitize it with a function such as [man]mysql_real_escape_string/man (for string data, which doesn't appear appropriate in your case, since 'id' is most likely expected to be a numeric value).

Maharg105

Thanks for the reply Brad. I am using this code

$id=preg_replace('/[^0-9]/','',$id);

To sanitize my id. This should be sufficient protection shouldn't it?

Thanks again,

bradgrafelman

Yes, but there's really no need to do something like regular expression replacing... just do something like [man]intval/man instead.