[lug] Safely Parsing PHP Parameters
Bill Thoen
bthoen at gisnet.com
Wed Oct 10 11:57:26 MDT 2007
On my web server, I've got a PHP script that displays text from various
essays by Thoreau and it accepts an essay number and a page number from
the URL. Since I know that evil people can do terrible things with a
poorly protected PHP script, I just wanted to check with you all to see
if I'm doing this safely. Essentially the PHP code that reads the
parameters looks like:
<?php
// Read the essay number from the query string, defaulting to 0 when absent.
if (isset($_GET['essay'])) {
    $essay = (int)$_GET['essay'];
} else {
    $essay = 0;
}
// Read the page number the same way.
if (isset($_GET['page'])) {
    $page = (int)$_GET['page'];
} else {
    $page = 0;
}
I then do checks to make sure the numbers are in the correct range, and
if so, I load the requested page from a directory that is outside the
web tree. I'm expecting URLs that look like:
http://thoreaufortheday.com?essay=3&page=1
but given my code for reading the parameters and my expectation of what
this script will encounter, are there any obvious security holes that I
need to consider?
Thanks,
- Bill Thoen
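The following is an added example, not code from the original post, showing one way to do the parameter handling and range checking described above. It uses PHP's `filter_var` with `FILTER_VALIDATE_INT` so that inputs like `3abc` (which `(int)` would silently turn into `3`), arrays, negative numbers and out-of-range values are all rejected, and it confirms with `realpath` that the resolved file still lies inside the essay directory. The directory `/var/www/thoreau-data/essays`, the `essays/<essay>/<page>.txt` layout, the upper bounds `MAX_ESSAY`/`MAX_PAGE`, numbering from 1, and the function names are assumptions for the example.

```php
<?php
// Added example (not from the original post). Assumes essays are stored as
// <ESSAY_DIR>/<essay>/<page>.txt in a directory outside the web tree.
declare(strict_types=1);

const ESSAY_DIR = '/var/www/thoreau-data/essays'; // assumed location
const MAX_ESSAY = 50;   // assumed upper bounds; use the real counts
const MAX_PAGE  = 200;

/**
 * Validate one integer query parameter against explicit bounds.
 * Returns null when the value is absent, not a scalar, not a plain
 * integer, or out of range, instead of coercing it the way (int) does.
 */
function readBoundedInt(array $params, string $name, int $min, int $max): ?int
{
    if (!array_key_exists($name, $params) || !is_string($params[$name])) {
        return null; // missing keys and arrays (?essay[]=1) are rejected
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/**
 * Build the on-disk path for an essay page and confirm it resolves to a
 * file inside ESSAY_DIR. The numeric validation already rules out
 * traversal; the realpath comparison is a second, independent guard.
 */
function essayPagePath(int $essay, int $page): ?string
{
    $candidate = sprintf('%s/%d/%d.txt', ESSAY_DIR, $essay, $page);
    $resolved  = realpath($candidate);
    $base      = realpath(ESSAY_DIR);
    if ($resolved === false || $base === false) {
        return null; // file or base directory does not exist
    }
    // The resolved path must start with "<base>/" to be accepted.
    if (strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the essay directory
    }
    return $resolved;
}

// Constructed sample inputs standing in for $_GET; in the real script
// pass $_GET itself to readBoundedInt().
$samples = [
    ['essay' => '3',   'page' => '1'],   // valid
    ['essay' => '3abc', 'page' => '1'],  // (int) would give 3; rejected here
    ['essay' => '-1',  'page' => '1'],   // out of range
    ['essay' => ['1'], 'page' => '1'],   // array instead of a scalar
    [],                                  // parameters absent
];

foreach ($samples as $params) {
    $essay = readBoundedInt($params, 'essay', 1, MAX_ESSAY);
    $page  = readBoundedInt($params, 'page',  1, MAX_PAGE);
    if ($essay === null || $page === null) {
        echo "rejected: ", json_encode($params), "\n";
        continue;
    }
    $path = essayPagePath($essay, $page);
    echo "accepted essay=$essay page=$page -> ", $path ?? '(no such page)', "\n";
}
```

The cast in the original code is not itself dangerous, because an integer can never carry a path separator or shell metacharacter; what matters is the range check that follows it and that the file path is built from the validated integers rather than from the raw query string. Validating with `filter_var` just makes the rejection explicit rather than relying on `(int)` quietly mapping garbage to 0 or to a truncated number.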