New on LowEndTalk? Please Register and read our Community Rules.
Little help with GET variables
I want to send a filename using GET, but I don't want people to try to inject code... anyone got a solution for it?
It will just have letters and space; I was thinking to use a preg_replace and then compare the original GET variable with the other one; if matches, passes the string, if not, someone tried to inject a code.
Ideas? thx!
Comments
@netomx The following regular expression should work. It allows a-z, A-Z, 0-9, and spaces. Nothing else.
PHP Example
// valid
}
Typo
The second zero should be a 9: ...a-zA-Z0-9\s...
@vahe Haha yeah well spotted, I typed all that out pretty quickly without checking.
and the dot?
got it, adding a dot to the match, thanks! =D
The best solution here is probably to use a whitelist of allowed filenames that they can use, and check the input against the whitelist. Otherwise, if you're not extremely careful, you'll end up with someone using something like ../../../../../etc/passwd as the file parameter, and then you could be in for a world of hurt.
@NickM but the preg_match above will detect the /, isn't it?
@NickM not if it's jail'd into a directory...
please explain if that applies with this:
if(preg_match('/^[a-zA-Z0-9\s.]+$/', $_GET['video']))
@netomx what exactly are you trying to do with the entire code?
That's a good question; at the moment, we just know that it's a form submission we're looking at.
A video player. Will scan current directory for flv files and display them. If you click them, it will reload the page but with the flowplayer and the video you selected.
Let me put it here:
http://pastebin.com/ZfYXK8SX
Where are you building this in? -- Use NetBeans for your IDE... there are some missing curly braces ("{" and "}") at lines 2, 3, etc.
So why are you worried about injection, and why are you using GET?
Debian 6 VPS..
It is for private use, but I don't want a friend to try to inject something. And why GET? I don't know, it's easy =P
Just use $_POST; they can't inject something as there's nothing in the "http://www.randomstufz.com/index.php?INJECTIONCODEBRO".
http://www.w3schools.com/php/php_post.asp
Submit as 'post' and retrieve as $_POST['var']
Also, pull the code off, use http://netbeans.org/downloads/ really helpful if you're getting into PHP.
are you sure @eastonch?
I think that someone can make a form and point the POST to my server, making that "inject proof" vulnerable
Only accept one host, locally?
that's one. will check that, thanks
Something along these lines... @netomx
http://stackoverflow.com/questions/9872751/accepting-get-post-requests-only-from-localhost
With PHP it still works without curly brackets, depends how you format the code.
@AsadHaider Oh. I generally use them, mainly for syntax highlighting when editing it; makes it look a little less messy !
Thank you very much!
:']
@eastonch remember the curlys...
if it is just 1 line of code (example: if ($x=0) echo $var;) it works. If you need more than one line, you need to use curlies =P
Yep, so the following would work for example
http://pastebin.com/sLAQqyjX
Oh, yeah I know that. I rarely condense my code that short. I'd rather stretch it out, for ease of reading, and I usually // comment everything too, for future reference. And then I can see for example

<?
// start vars
$var1 = $_REQUEST['age']; // age var
$var2 = "chris";          // Name var

if ($var1 >= 17) { // test to see if age is above 17.
    // TRUE! +>17
} else {
    // FALSE! <18
}
?>
I probably messed that up, since I haven't been with PHP for a little while; I generally use an IDE which picks up stupid mistakes anyway.
@asadHaider
How do you tell it that the IF statement is finished, so your next
echo "fuckpie";
isn't caught in the else of the false if statement?

I do that too, but when the code is big; if not, it is not necessary. And come on, the code is too tiny to make it bigger with comments.
http://pastebin.com/sLAQqyjX
that's right, but, why pie? Don't mention to @HalfEatenPie please
Please use filter_var or filter_input. If you still wish to use regex, then use filter_var:
PHP The Right Way
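An allowlist-based version of the check discussed in this thread (NickM's whitelist suggestion combined with telephone's filter_input pointer), as an added example that is not from any of the original posts or the pastebin. It assumes the .flv files live in a videos/ subdirectory next to the script; the function names are mine.

```php
<?php
// Added example (not from the thread): allowlist-based selection of a video file.
// The list of playable files comes from the same directory scan the player already
// does, and only a GET value that is exactly one of those names is accepted.
declare(strict_types=1);

const VIDEO_DIR = __DIR__ . '/videos'; // assumed location of the .flv files

/** Return the basenames of all .flv files in $dir: this is the allowlist. */
function listVideos(string $dir): array
{
    $names = [];
    foreach (glob($dir . '/*.flv') ?: [] as $path) {
        $names[] = basename($path);
    }
    return $names;
}

/**
 * Resolve the requested name against the allowlist and return the file path,
 * or null if it is not an allowed name. Strict in_array means anything that is
 * not literally a listed file (e.g. ../../etc/passwd) is rejected, so no list
 * of "dangerous characters" has to be maintained.
 */
function selectVideo(?string $requested, array $allowed, string $dir): ?string
{
    if ($requested === null || !in_array($requested, $allowed, true)) {
        return null;
    }
    return $dir . '/' . $requested;
}

// Optional first-pass shape check with filter_input, as suggested in the thread.
// It returns false when the regex does not match and null when ?video is absent.
// This is only an early reject; the allowlist below is the real decision.
$shape = filter_input(INPUT_GET, 'video', FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[a-zA-Z0-9\s.]+\.flv$/']]);

$video = ($shape !== false) ? selectVideo($shape, listVideos(VIDEO_DIR), VIDEO_DIR) : null;

if ($video === null) {
    http_response_code(400);
    echo 'Unknown video.';
} else {
    // Escape before reflecting the name into the page, then hand $video to the player.
    echo 'Now playing: ' . htmlspecialchars(basename($video), ENT_QUOTES, 'UTF-8');
}
```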
When you don't use curly brackets, only the next statement is interpreted as part of the group. If you have more than one statement, then use curly brackets.
@telephone Hipster cat?