James Paterson

Reputation: 2915

Checking for vulnerabilities including remote file, with parameter, in PHP script

I'm including a remote file with file_get_contents() like so:

function checkData($serial) {
  // $serial is interpolated into the query string as-is, without encoding.
  file_get_contents("http://example.com/page.php?somevar=".$serial."&check=1");
  // Populated by PHP's HTTP stream wrapper after the call above.
  return $http_response_header;
}

This remote page performs some basic data manipulation and looks up the serial number in a database (the input is sanitised and I'm using PDO, so I don't have to worry about SQL injections), and then returns a value in the response header. The input $serial is a GET parameter, so it is completely controlled by the user. I'm wondering if there are any inputs to this function that would lead to undesirable behaviour, for example getting the contents of a page other than the one desired.

Thanks in advance.

Upvotes: 0

Views: 77

Answers (1)

RefreshCarts

Reputation: 126

If the $serial variable is always going to be numeric you can apply intval() around the value to ensure the value will always be a number and not contain other non-numeric data for path traversal / RFI, etc.

E.g.

file_get_contents("http://example.com/page.php?somevar=".intval($serial)."&check=1");

Alternatively you can use preg_replace to strip unwanted characters, should you need alpha characters also.

http://php.net/manual/en/function.preg-replace.php

Upvotes: 1
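As an added example (not code from the question or the answer), a hardened checkData() that allow-lists the serial and percent-encodes the query with http_build_query(), so the value can neither extend the query string nor change the requested path; the host, page and parameter names are taken from the question, while the allow-list pattern, length limit and timeout are assumptions:

```php
<?php
// Added example: validate, then encode, before the value reaches the URL.

function buildCheckUrl(string $serial): string
{
    // Allow-list (assumed format): letters, digits and hyphens, 1..32 chars.
    // Reject rather than strip, so a tampered value is never forwarded.
    if (!preg_match('/^[A-Za-z0-9-]{1,32}$/', $serial)) {
        throw new InvalidArgumentException('invalid serial');
    }
    // http_build_query() percent-encodes the value, so characters that would
    // otherwise terminate or extend the query string are sent as literal data.
    $query = http_build_query(['somevar' => $serial, 'check' => 1]);
    return 'http://example.com/page.php?' . $query;
}

function checkData(string $serial): array
{
    $url = buildCheckUrl($serial);
    // A short timeout and a bounded read keep a slow or oversized upstream
    // response from tying up this worker; ignore_errors keeps non-2xx bodies.
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
    $body = file_get_contents($url, false, $ctx, 0, 64 * 1024);
    if ($body === false) {
        throw new RuntimeException('lookup failed');
    }
    // $http_response_header is set by the HTTP wrapper in this function's scope.
    return $http_response_header;
}

// Constructed inputs: one valid serial, one carrying a query-string delimiter.
echo buildCheckUrl('ABC-123'), "\n";
try {
    buildCheckUrl('123&check=0');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting invalid input outright, instead of stripping characters with preg_replace, also gives you a clear event to log when a malformed serial arrives.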
