Posted by Iván Sánchez Ortega on 01/15/07 18:42
SA SA wrote:
> if (isset($HTTP_GET_VARS['sport']))
> {
> $sport = $HTTP_GET_VARS['sport'];
> require ($sport.".php");
> }
>
>
> how do i fix it?
PHP security rule number 1: Never ever trust anything that comes from the
user.
In this case, the 'sport' GET variable can be crafted to inject code (other
posts in this thread indicate how).
There are several techniques to avoid this. One is to make sure that the
file you are about to include() (or require(), for that matter) is a local
file. See the PHP manual for functions on that issue.
Another technique, my favourite, is to manually check the possible values of
the received variable. It goes something like this:
if (isset($_GET['sport']))
{
    $sport = $_GET['sport'];
    // Only values from this fixed list ever reach require();
    // the user-supplied string itself is never used as a file name.
    if ($sport == 'football')
        require ('football.php');
    elseif ($sport == 'tennis')
        require ('tennis.php');
    elseif ($sport == 'skydiving')
        require ('skydiving.php');
    else
    {
        trigger_error('Wrong sport, dude!', E_USER_ERROR);
        die(); // Just in case trigger_error() doesn't stop execution
    }
}
In any case, in any PHP app, if the user enters a "strange" value, or an
invalid value for a variable, the safest way to go is to throw an error and
abort execution.
Check that entered numbers are really numbers (or cast 'em to an int type
variable), that strings in a possible set of values are really in that set
of values, and that arbitrary strings to be inserted into a database are
escaped properly.
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
Mmmmmmmmmmmmmmmmmmmmm..... sooooo many emmmmms.
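Both techniques from the reply above, worked through as an added example (this is not code from the original post or from its author): an allow-list lookup table that maps the request value to a file name, a containment check for the case where the files live in one directory, and the integer check the last paragraph asks for. The directory name, file names and request values are constructed for the example.

```php
<?php
// Added example: hardening a request-controlled require().
declare(strict_types=1);

// Technique 2 (the allow-list). The request value is only a lookup key;
// the file name that reaches require() comes from this table, never from
// the user. File names are constructed for the example.
const SPORT_INCLUDES = [
    'football'  => 'football.php',
    'tennis'    => 'tennis.php',
    'skydiving' => 'skydiving.php',
];

/** Return the include file for $sport, or null when it is not allowed. */
function sport_include_file(string $sport): ?string
{
    return SPORT_INCLUDES[$sport] ?? null;
}

// Technique 1 (local file check) for when the set of files is too large to
// list by hand: keep them in one directory and verify that the resolved
// path is still inside it. $base is assumed to exist at run time.
function local_include_path(string $base, string $name): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Only a plain file name is acceptable: no directory parts at all.
    if ($name === '' || $name !== basename($name)) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $name . '.php');
    if ($candidate === false) {
        return null;                         // no such file
    }
    // Containment check: the canonical path must start with the base dir,
    // which also rejects symlinks that point outside it.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// "Check that entered numbers are really numbers": validate, with a range,
// instead of trusting the string. Returns null for anything invalid.
function read_int_param(array $get, string $key, int $min, int $max): ?int
{
    if (!isset($get[$key])) {
        return null;
    }
    $v = filter_var($get[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Usage with constructed request arrays standing in for $_GET.
$requests = [
    ['sport' => 'tennis'],          // allowed
    ['sport' => 'golf'],            // not in the list: rejected
    ['sport' => 'tennis.php'],      // wrong shape: rejected
];
foreach ($requests as $get) {
    $file = isset($get['sport']) ? sport_include_file($get['sport']) : null;
    if ($file === null) {
        trigger_error('Wrong sport, dude!', E_USER_WARNING);
        continue;
    }
    echo "would require('$file')\n";
    // require $file;  // the real application includes it here
}

var_dump(read_int_param(['page' => '3'], 'page', 1, 100));
var_dump(read_int_param(['page' => '3abc'], 'page', 1, 100));
var_dump(local_include_path(__DIR__, 'no_such_file'));
```

The lookup table is the safer default: the user's string is compared against known keys and is never concatenated into a path. The `local_include_path()` variant is for the case the reply mentions where you must prove the file is local; the `basename()` test and the prefix comparison on the `realpath()` result are both needed, since either alone leaves a gap.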