[lug] Safely Parsing PHP Parameters

Bill Thoen bthoen at gisnet.com
Wed Oct 10 11:57:26 MDT 2007


On my web server, I've got a PHP script that displays text from various 
essays by Thoreau and it accepts an essay number and a page number from 
the URL. Since I know that evil people can do terrible things with a 
poorly protected PHP script, I just wanted to check with you all to see 
if I'm doing this safely. Essentially the PHP code that reads the 
parameters looks like:

if (isset($_GET['essay'])) {
   $essay = (int)$_GET['essay'];   /* cast drops anything non-numeric: "3abc" -> 3, "abc" -> 0 */
} else {
   $essay = 0;                     /* default when the parameter is absent */
}
if (isset($_GET['page'])) {
   $page = (int)$_GET['page'];     /* same cast for the page number */
} else {
   $page = 0;
}

I then do checks to make sure the numbers are in the correct range, and 
if so, I load the requested page from a directory that is outside the 
web tree. I'm expecting URLs that look like:

http://thoreaufortheday.com?essay=3&page=1

but given my code for reading the parameters and my expectation of what 
this script will encounter, are there any obvious security holes that I 
need to consider?

Thanks,
- Bill Thoen
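As an added example (not code from the original post), here is one way to write the whole chain the post describes: read the two parameters as integers, range-check them, and map them to a file under a directory outside the web tree. It assumes a directory ESSAY_DIR laid out as essay-N/page-M.txt and a small PAGE_COUNTS table of how many pages each essay has; both are assumptions for illustration, not anything the post states. Unlike the bare (int) cast, FILTER_VALIDATE_INT rejects values such as "3abc" outright, and the path is assembled from validated integers only, so no user-supplied string ever reaches the filesystem.

```php
<?php
// Added example, not from the original post. Assumed layout:
//   ESSAY_DIR/essay-<n>/page-<m>.txt   (ESSAY_DIR is outside the web tree)
declare(strict_types=1);

const ESSAY_DIR = '/srv/thoreau/essays';   // assumed path

// Assumed table: essay number => number of pages. Unlisted essays are rejected.
const PAGE_COUNTS = [
    1 => 12,
    2 => 7,
    3 => 20,
];

/**
 * Read one query parameter as an integer in [$min, $max].
 * Returns null if it is missing, not a plain string (e.g. ?essay[]=1),
 * not a well-formed integer ("3abc"), or outside the allowed range.
 */
function readIntParam(array $query, string $name, int $min, int $max): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;
    }
    $value = filter_var($query[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/**
 * Map (essay, page) to the file that holds that page, or null if the
 * pair is not valid. The path is built with sprintf from integers only;
 * the realpath() comparison is a second check that the result stays
 * inside ESSAY_DIR even if the layout assumption is ever broken.
 */
function resolvePagePath(array $query): ?string
{
    $essay = readIntParam($query, 'essay', 1, max(array_keys(PAGE_COUNTS)));
    if ($essay === null || !isset(PAGE_COUNTS[$essay])) {
        return null;
    }
    $page = readIntParam($query, 'page', 1, PAGE_COUNTS[$essay]);
    if ($page === null) {
        return null;
    }
    $path = sprintf('%s/essay-%d/page-%d.txt', ESSAY_DIR, $essay, $page);

    $real = realpath($path);
    $base = realpath(ESSAY_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;   // file does not exist, or is not under ESSAY_DIR
    }
    return $real;
}

// Usage at the top of the script: a missing or bad parameter is a 404
// rather than a silent default (a deliberate difference from the post's
// "else 0" branch), and the text is escaped before it is echoed.
$path = resolvePagePath($_GET);
if ($path === null) {
    http_response_code(404);
    exit('No such page.');
}
echo htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
```

The two checks that matter most are in readIntParam: the is_string test refuses array-valued parameters, and the min_range/max_range options make the range check part of the parse rather than a separate step that can be forgotten.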