user1094081

Check for the existence of any other POST variable that it is not the required one

I noticed (reading logs of websites I administer) that hackers try to submit POST requests, literally "inventing" POST variable names.

Some websites feature old PHP code, e.g.

// Continue only when a non-empty "mail" field was posted; otherwise stop.
// (empty() already returns true for an unset key, so the isset() is redundant.)
if (isset($_POST["mail"]) && !empty($_POST["mail"])) {
    //...
} else {
    exit;
}

This basically checks that there is a $_POST variable "mail" and that it is not empty.

Is it possible to check for the existence of any $_POST variable that is NOT "mail" and exit the script in that case?

Upvotes: 0

Views: 44

Answers (2)

I have a different way, using filters and not accessing $_POST directly. First, you have to create a definition of which $_POST elements you are interested in, so you have to create an array with the corresponding filters, for example for a login definition:

// Keys are the field names (plain strings, not arrays), values are the filter to apply.
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
$definition = array(
    "mail"   => FILTER_SANITIZE_EMAIL,
    "passwd" => FILTER_SANITIZE_STRING
);

Next you can filter all the desirable $_POST elements with filter_input_array:

$desirablePost = filter_input_array(INPUT_POST, $definition);

And finally you can filter again all the $_POST values using a filter constant (remembering that all $_POST elements are strings).

// With a single filter constant, every submitted field is returned and run through that filter.
$allPost = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

So, to know if someone has injected other $_POST fields, we can compare the count() of both arrays.

// filter_input_array() returns null when nothing was posted, so fall back to an
// empty array before counting (count(null) throws in PHP 8).
if (count($desirablePost ?? []) !== count($allPost ?? [])) {
    //error or exit(1) ...
}

Upvotes: 0

Justinas

Reputation: 43479

Use array_diff_key to check for differences:

// Allowed field names as keys; the values are irrelevant.
$whitelist = ['mail' => null];

// array_diff_key() keeps the keys of its first argument that are missing from the
// others, so the submitted data must come first to find fields outside the whitelist.
$hasOthers = !empty(array_diff_key($_POST, $whitelist));

Upvotes: 4
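A fuller version of the allow-list check from the answers above, as an added example that is not from the question or either answer. The function names (unexpectedPostKeys, validatePost) and the sample request bodies are this example's own; it assumes only PHP's standard array functions and a handler like the one in the question. It also handles two cases the one-liners do not: a required field submitted as an array (`mail[]=...`), and reporting which unexpected fields were present so they can be logged.

```php
<?php
// Added example (not from the question or either answer): reject a request
// when $_POST contains any key outside an explicit allow-list, then check that
// every required field is a non-empty string. Names here are this example's own.

declare(strict_types=1);

/**
 * Return the POST keys that are not in $allowed, in submission order.
 * array_diff_key() keeps keys of its FIRST argument that are absent from the
 * others, so the submitted data must be the first argument.
 */
function unexpectedPostKeys(array $post, array $allowed): array
{
    // array_flip() turns the list of field names into a name => index map.
    return array_keys(array_diff_key($post, array_flip($allowed)));
}

/**
 * Validate a POST body against the allow-list and the required fields.
 * Returns null when the request is acceptable, otherwise a reason string
 * suitable for logging (never echo it back to the client unfiltered).
 */
function validatePost(array $post, array $allowed, array $required): ?string
{
    $extra = unexpectedPostKeys($post, $allowed);
    if ($extra !== []) {
        return 'unexpected field(s): ' . implode(', ', $extra);
    }
    foreach ($required as $field) {
        // A field sent as mail[]=x arrives as an array, not a string; reject that too,
        // since later code such as filter_var() expects a scalar.
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return "missing or empty required field: {$field}";
        }
    }
    return null;
}

$allowed  = ['mail'];
$required = ['mail'];

// Constructed sample bodies standing in for $_POST (not real traffic).
$samples = [
    'legit'       => ['mail' => 'alice@example.com'],
    'extra key'   => ['mail' => 'alice@example.com', 'admin' => '1'],
    'array trick' => ['mail' => ['alice@example.com']],
    'empty'       => [],
];

foreach ($samples as $label => $body) {
    $reason = validatePost($body, $allowed, $required);
    printf("%-12s %s\n", $label, $reason ?? 'accepted');
}

// In the real handler, replace the loop above with:
// if (($reason = validatePost($_POST, $allowed, $required)) !== null) {
//     http_response_code(400);
//     error_log('rejected POST from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': ' . $reason);
//     exit;
// }
// if (filter_var($_POST['mail'], FILTER_VALIDATE_EMAIL) === false) { /* reject */ }
```

Keep the allow-list next to the code that reads the fields, so adding a form field means updating both in the same place; a stale list turns into a self-inflicted denial of service for legitimate users. Logging the rejected key names (but not their values) gives you the same signal about probing that the question describes, without storing attacker-controlled payloads in the log.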
