m1xolyd1an

Reputation: 535

PHP variables safe within a POST

I'm making a button within my website that, when clicked, calls an API from another site using PHP. I have to put my login details as variables in my PHP. I've seen some exploits where hackers are able to get the values of PHP variables by typing something in the address bar. Not sure if that's XSS or SQL injection or what, but I've seen where it will print out the PHP code in XML format.

Here's an example:

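// Runs only when the form's submit button was posted
if (isset($_POST['submit'])) {
    $time = time(); // time() takes no arguments
    $prize = 200;
    // API credentials hard-coded in the script
    $ID = "my_secret_API_ID";
    $Password = "my_secret_API_Password";
    // Call the remote API and decode its JSON response into an array
    $APIcall = json_decode(file_get_contents("https://apiwebsite/developer/$ID/get_info&pw=$Password"), true);
    $display = $APIcall['some_info'];
    // Printed as-is, with no output encoding
    echo $display;
}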

Are my login details safe? Should I make them global variables outside of the $_POST? Should I define them in a separate PHP file entirely and then use an include? Does it make a difference?

Upvotes: 1

Views: 523

Answers (2)

SilverlightFox

Reputation: 33568

I feel the other answer doesn't actually answer the question you asked. Ohgodwhy's answer relates to your $_POST variables and the poster is correct that if you are not using them then you are not vulnerable (unless PHP or another component you were using was - unlikely though).

I think your question was specifically related to this part of your code?

$ID = "my_secret_API_ID";
$Password = "my_secret_API_Password";

These variables should be safe provided there are no Local File Inclusion vulnerabilities (or similar) on your site. Make sure any other code running does not read local files and display them, otherwise a nefarious user may manipulate them to display your credentials. Consider storing these in a database encrypted (it is always good to separate code and data where possible).

  echo $display;

This bit of code may be vulnerable if https://apiwebsite/developer/$ID/get_info&pw=$Password ever returns unencoded data that is beyond your control. For example, if there is user data in the API and an evil user has put some <script> code in there, your site will run it unless you encode via htmlentities. This would be an XSS vulnerability. Your existing code is OK though if you fully trust apisite to correctly encode values that are beyond their control (and you fully trust apisite itself).

Upvotes: 1
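
The output-encoding step described in the answer above, as an added example that is not part of the original posts. `safe_field` is a hypothetical helper name, and the sample bodies are constructed stand-ins for what the API call in the question would return.

```php
<?php
declare(strict_types=1);

/**
 * Decode an API response body and return one field, HTML-encoded for output.
 * Returns '' when the body is not valid JSON, the field is missing, or the
 * value is not a scalar, so nothing unexpected reaches the page.
 * (Hypothetical helper, not from the original question or answers.)
 */
function safe_field(string $body, string $field): string
{
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data[$field]) || !is_scalar($data[$field])) {
        return '';
    }
    // ENT_QUOTES encodes both quote styles, which matters if the value is
    // ever placed inside an HTML attribute. ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of making the whole result an empty string.
    return htmlentities(
        (string) $data[$field],
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
}

// Constructed sample bodies standing in for the result of file_get_contents().
$samples = [
    'plain text'    => '{"some_info":"You won 200 points"}',
    'stored markup' => '{"some_info":"<script>alert(1)</script>"}',
    'quote in data' => '{"some_info":"\" onmouseover=\"x"}',
    'nested value'  => '{"some_info":{"unexpected":"array"}}',
    'not JSON'      => '<html>502 Bad Gateway</html>',
];

foreach ($samples as $label => $body) {
    // In the page itself this would be: echo safe_field($body, 'some_info');
    printf("%-14s => %s\n", $label, safe_field($body, 'some_info'));
}
```

The markup and quote samples come out as inert text (`&lt;script&gt;...`, `&quot; onmouseover=...`), and the last two samples produce an empty string rather than a PHP warning or raw upstream HTML.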

Ohgodwhy

Reputation: 50797

You never actually do anything with the data you receive from your form. There's no possibility of anything being vulnerable.

Isset returns only boolean values and therefore cannot be manipulated in such a way as to expose any of your application.

Upvotes: 3
