0

I'm wondering, should I do any advanced security checks for view-only ordering functions.

http://www.site.com/?product=shoes&order=manufactured&ord=desc

when I just only use this data in echo for pagination:

$i = 0;
echo "<div>
<a href='/?products=".$data['cat']."&amp;order=".$_GET['order']."&amp;ord=".$_GET['ord']."&page=".$i+1."'>NEXT PAGE</a>";

JUST IN ECHO CASE. These $_GET's doesn't used anywhere else(ex. sql queries etc.)...

-------------
Is there is any way hacker to harm the page by changing the url params "order" or "ord", that could affect server, or other users.

-----------
If so,
does this include at the top of file, would be helpfull ?

// Prevent any possible XSS attacks via $_GET.
foreach ($_GET as $check_url) {
	if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) ||
		(eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) ||
		(eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) ||
		(eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) ||
		(eregi("\"", $check_url))) {
	die ();
	}
}
unset($check_url);

Thanks for any help :)

Edited by Xamas: n/a

4
Contributors
3
Replies
5
Views
7 Years
Discussion Span
Last Post by Atli
0

I'm wondering, should I do any advanced security checks for view-only ordering functions.

http://www.site.com/?product=shoes&order=manufactured&ord=desc

when I just only use this data in echo for pagination:

$i = 0;
echo "<div>
<a href='/?products=".$data['cat']."&amp;order=".$_GET['order']."&amp;ord=".$_GET['ord']."&page=".$i+1."'>NEXT PAGE</a>";

JUST IN ECHO CASE. These $_GET's doesn't used anywhere else(ex. sql queries etc.)...

-------------
Is there is any way hacker to harm the page by changing the url params "order" or "ord", that could affect server, or other users.

-----------
If so,
does this include at the top of file, would be helpfull ?

// Prevent any possible XSS attacks via $_GET.
foreach ($_GET as $check_url) {
	if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) ||
		(eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) ||
		(eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) ||
		(eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) ||
		(eregi("\"", $check_url))) {
	die ();
	}
}
unset($check_url);

Thanks for any help :)

i was wondering the same thing. like mysql_real_escape_string () even if its not bein g inserted into the database? i dont know... though hope someone replies

1

Hey.

It this case there isn't really much of a security risk. Only risk of a user messing up his own navigation links, really.
However, rules #1, #2 and #3 in web-development are to ALWAYS validate ALL user input, so I would suggest that you do so. - Just because we can't see a way to exploit this, it doesn't mean a skilled hacker couldn't. ;)

I would recommend that you verify the values and run them through the urlencode function, just to be safe.

<?php
$i = 0;

// Fetch and validate the ORDER BY column
// (Assumes the value can only contain alpha-numeric characters and underscores)
$order = $_GET['order'];
if(!preg_match('/[\w\d_]+/i', $order)) {
    $order = 'default'; // <-- Insert your default value here!
}
$order = urlencode($order);

// Fetch and validate the ORDER BY direction
$ord = strtolower($_GET['ord']);
if($ord != 'asc' && $ord != 'desc') {
    $ord = 'asc'; // <-- Insert your default value here!
}
$ord = urlencode($ord);

echo "<div><a href='/?products={$data['cat']}&amp;order={$order}&amp;ord={$ord}&page={$i}'>NEXT PAGE</a>";
?>

htmlentities() :D

That is used to encode text that is to be injected into HTML markup, not URLs.

Votes + Comments
Thanks for informative reply
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.