Tips for using Query String info on website


He has: 2,145 posts

Joined: Nov 2003

I received an e-mail tonight that was faked to look like a bank writing to confirm account info, with a link to a page on the bank's site that allowed content to come from the URL's query string.

I will not go into details on how they did this, so as not to aid someone else in doing the same thing (I did a search and found 5 other banks with the same hole, and contacted each one).

To protect yourself, anytime you have a script use info from the query string, make sure you have checking in there to prevent someone from changing the QS to be something else, especially if it were to allow your page to grab info from another server.

In a less dangerous example, consider something like "http://mysite.com/error.php?message=Invalid%20username" that you may use on your site to display a text message in the middle of your page layout. In this case the error.php file displays your full page layout and places what is in message= on the page, in this case displaying "Invalid User".

If you do no checking, someone could manually enter the following URL: http://mysite.com/error.php?message=%3Cimg%20src=%22http%3A%2F%2Fi.a.cnn...

This would have your page insert the code into the page, and in this case displaying CNN's logo.

Now, in this case using built-in functions to strip HTML code would easily rip these out. However, keep in mind if you use the name of a webpage file in the URL, always check to make sure the file passed CANNOT be one that is a URL to another site. Like I said, I found 5 banks that didn't do this check, and allow someone to put their own content in the bank's template.

Always think SECURITY!

-Greg


He has: 6,151 posts

Joined: May 2001

A good practice is to use numbers, id=1, id=0 ... and if there are more than 2 or 3 use a switch (or if/else) to rattle through them.
The good thing with this is you can check if the number is an integer by something like

$id = (int)$_GET['id'];

then check it: if ($id !== 0) { /* do stuff */ }

if this was given id=mary_had_a_little_lamb
then id would prove false as it's not a number.

Passing URLs via links is always bad news.
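As an added example (not code from either post), here are the three checks discussed in this thread written out in PHP: escaping free text before it is placed in the page, allow-listing a page name so it can never be a URL or path to somewhere else, and validating an id as an integer rather than just casting it. The function names, the pages/*.html paths and the sample requests are assumptions made for the example.

```php
<?php
// Added example: validating query-string input in PHP (not from the thread).

// 1. Free text (the "message=" case): never echo it raw. Escaping turns any
//    HTML or script in the query string into visible text instead of markup.
function render_message(string $message): string
{
    return '<p class="error">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}

// 2. A page/file name (the "grab info from another server" case): accept only
//    names from a fixed allow-list that maps to local files. A value such as
//    "http://other.example/..." or "../../etc/passwd" is simply not in the list.
const PAGES = [
    'home'    => 'pages/home.html',     // assumed local template paths
    'contact' => 'pages/contact.html',
];

function resolve_page(string $name): ?string
{
    return PAGES[$name] ?? null;   // null means "not allowed"; caller shows a 404
}

// 3. Numeric id (the id=1, id=0 pattern): validate, do not merely cast.
//    (int)"mary_had_a_little_lamb" is 0 and (int)"5abc" is 5, so a bare cast
//    quietly accepts junk; FILTER_VALIDATE_INT rejects anything not an integer.
function validate_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample requests standing in for $_GET.
$samples = [
    ['message' => 'Invalid username'],
    ['message' => '<img src="http://other.example/logo.gif">'],
    ['page'    => 'contact'],
    ['page'    => 'http://other.example/fake-login.html'],
    ['id'      => '42'],
    ['id'      => 'mary_had_a_little_lamb'],
];

foreach ($samples as $get) {
    if (isset($get['message'])) echo render_message($get['message']), "\n";
    if (isset($get['page']))    echo var_export(resolve_page($get['page']), true), "\n";
    if (isset($get['id']))      echo var_export(validate_id($get['id']), true), "\n";
}
```

Run it from the command line with `php validate.php`; the second message sample prints as literal text, the URL page name and the non-numeric id both come back as NULL.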
