abathur

Reputation: 1047

enough checks/validation for url variable passed to php script in url?

I'm creating a script on my main server and will use js/html to call it as an image source, passing the current tumblr page's referrer variable so I can integrate my blog's stats into my main stat-tracking db.

Anyone who looks at the source, of course, will be able to see that this script can accept a url variable via get. I'm not much of a security wonk, but I'm using the following checks on the input to this var, currently:

<?php
// Completed into a runnable fragment: $tumblelog_url is a placeholder for the blog's own URL
$tumblelog_url = 'https://example.tumblr.com';

$previous_referrer = htmlspecialchars($_GET['ref']);
if (filter_var($previous_referrer, FILTER_VALIDATE_URL) && strpos($_SERVER['HTTP_REFERER'], $tumblelog_url) !== FALSE) {
    // ... record $previous_referrer in the stats database
}

I'm guessing it isn't this simple. What other checks should I perform to lock it down against injection attacks?

Upvotes: 1

Views: 415

Answers (1)

grunk

Reputation: 14938

For inserting data safely in a database:

1) Before inserting in DB

Filter data:

  • Does my data have the expected type/pattern (email, url, ...)?

The main purpose of filtering first is to avoid processing useless data.

Prevent SQL injection:

  • if inserting a number, use a function like intval() or floatval()
  • if inserting a string, use a function like mysql_real_escape_string() (for MySQL only) or a prepared statement.

2) After insertion, before display

Prevent XSS by using a function like htmlspecialchars() or htmlentities().

Upvotes: 1
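The three steps from this answer written out as one PHP script for the question's `ref` parameter (an added example, not code from the question or the answer). It assumes a `$tumblelog_url` value, a PDO connection as a dedicated `stats_user` account, and a table `referrers(url, seen_at)`; none of these come from the page. The referrer check compares hosts with `parse_url()` instead of the substring test in the question, which is a design choice made here, not something the answer prescribes. The display loop at the end belongs in the stats page that reads the table, not in the tracking script itself.

```php
<?php
// Added example: validate on input, bind on insert, escape on output.
// Assumed values: $tumblelog_url, the PDO DSN/credentials, and the table name.

$tumblelog_url = 'https://example.tumblr.com';   // assumed: the blog's own URL

// 1) Filter: validate the raw GET value before doing anything with it.
//    No htmlspecialchars() here; escaping is done at display time (step 2),
//    and escaping first would alter the URL before it is validated.
$ref = filter_input(INPUT_GET, 'ref', FILTER_VALIDATE_URL);  // null if absent, false if invalid
$referer_host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
$blog_host = parse_url($tumblelog_url, PHP_URL_HOST);

if (!is_string($ref) || $referer_host === null || $referer_host !== $blog_host) {
    http_response_code(400);
    exit;   // useless or unexpected data: do not process it
}

// Tighter pattern check: only http(s) URLs are meaningful as referrers.
$scheme = parse_url($ref, PHP_URL_SCHEME);
if (!in_array($scheme, ['http', 'https'], true)) {
    http_response_code(400);
    exit;
}

// 1b) Prevent SQL injection: a prepared statement keeps the URL as data,
//     never as part of the SQL text.
$pdo = new PDO(
    'mysql:host=localhost;dbname=stats;charset=utf8mb4',   // assumed DSN
    'stats_user',                                          // assumed account
    'secret',                                              // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);
$stmt = $pdo->prepare('INSERT INTO referrers (url, seen_at) VALUES (:url, NOW())');
$stmt->execute([':url' => $ref]);

// 2) Escape at display time, not before storage. This part would live in the
//    page that shows the stats; it is shown here to complete the round trip.
$rows = $pdo->query('SELECT url FROM referrers ORDER BY seen_at DESC LIMIT 20')
            ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    echo '<li>' . htmlspecialchars($row['url'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>\n";
}
```

The order matters: the stored value is the validated URL itself, so the same row can later be rendered into HTML, a JSON report, or a CSV export with the escaping that each output format needs, instead of carrying HTML entities into the database.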
