Little help with GET variables

netomx

I want to send a filename using GET, but I don't want ppl to try to inject code... anyone got a solution for it?

It will just have letters and space; I was thinking to use a preg_replace and then compare the original GET variable with the other one; if matches, passes the string, if not, someone tried to inject a code.

Ideas? thx!

AsadHaider

@netomx The following regular expression should work.. allows a-z, A-Z, 0-9, and spaces. Nothing else.

PHP Example

if(preg_match('/^[a-zA-Z0-9\s]+$/', $_GET['filename'])) { // valid }

vahe

@AsadHaider said: if(preg_match('/^[a-zA-Z0-0\s]+$/', $_GET['filename'])) { // valid }

Typo The second zero should be a 9: ...a-zA-Z0-9\s...

AsadHaider

@vahe Haha yeah well spotted, I typed all that out pretty quickly without checking.

netomx

and the dot?

netomx

got it, adding a dot to the match, thanks! =D

NickM

The best solution here is probably to use a whitelist of allowed filenames that they can use, and check the input against the whitelist. Otherwise, if you're not extremely careful, you'll end up with someone using something like ../../../../../etc/passwd as the file parameter, and then you could be in for a world of hurt.

netomx

@NickM but the preg_match above will detect the / isnt it?

eastonch

@NickM not if it's jail'd into a directory...

netomx

@eastonch said: @NickM not if it's jail'd into a directory...

please explain if that applies with this:

if(preg_match('/^[a-zA-Z0-9\s.]+$/', $_GET['video']))

AsadHaider

@netomx what exactly are you trying to do with the entire code?

eastonch

That's a good question; at the moment, we just know that it's a form submission we're looking at.

netomx

A video player. Will scan current directory for flv files and display them. If you click them, it will reload the page but with the flowplayer and the video you selected.

Let me put it here:

<?php
if (isset($_GET['video']))
if(preg_match('/^[a-zA-Z0-9\s.]+$/', $_GET['video']))
$video=$_GET['video'];
else
$video="test.flv"; 
?>
" style="display:block;width:624px;height:352px;position:relative; top:10%; left: 50%; margin-left:-312;" id="player">

flowplayer("player", "flowplayer-3.2.12.swf");





<?php
exec("find . -name '*flv' -type f; find . -name '*mp4' -type f", $videos);
foreach ($videos as &$lista) {
$nombre=strrpos($lista, "/")+1;
echo "<a style='text-decoration:none;' href='".$_SERVER['PHP_SELF']."?video=".substr($lista,2)."'>".str_replace(".", " ", substr($lista,$nombre, -4))."
";
}
?>

netomx

http://pastebin.com/ZfYXK8SX

eastonch

Where are you building this in? -- Use NetBeans for your IDE... there's some missing Curlyz... "{""}" at lines 2,3 etc..

So why are you worried about injection, and why are you using GET?

netomx

@eastonch said: Where are you building this in?

Debian 6 VPS..

@eastonch said: So why are you worried about injection, and why are you using GET?

It is for private use, but I don't want that a friend try to inject something. And why GET? I don't know, it's easy =P

eastonch

Just use $_POST; they can't inject something as there's nothing in the "http://www.randomstufz.com/index.php?INJECTIONCODEBRO".

http://www.w3schools.com/php/php_post.asp

Submit as 'post' and retreive as $_POST['var']

Also, pull the code off, use http://netbeans.org/downloads/ really helpful if you're getting into PHP.

netomx

are you sure @eastonch?

I think that someone can make a form and point the POST to my server, making that "inject proof" vulnerable

eastonch

Only accept one host, locally?

netomx

@eastonch said: Only accept one host, locally?

that's one. will check that, thanks

eastonch

Something along these lines... @netomx http://stackoverflow.com/questions/9872751/accepting-get-post-requests-only-from-localhost

AsadHaider

@eastonch said: there's some missing Curlyz... "{""}" at lines 2,3 etc..

With PHP it still works without curly brackets, depends how you format the code.

eastonch

@AsadHaider Oh. I generally use them, mainly for syntax highlighting when editing it; makes it look a little less messy :D!

netomx

@eastonch said: Something along these lines...

dankeschön!

eastonch

:']

netomx

@eastonch remember the curlys...

if it is just 1 line of code (example: if ($x=0) echo $var;) it works. If you need more than one line, you need to use curlies =P

AsadHaider

@netomx said: If you need more than one line, you need to use curlies =P

Yep, so the following would work for example http://pastebin.com/sLAQqyjX

eastonch

Oh, yeah I know that. I rarely condense my code that short. I'd rather stretch it out, for easy of reading, and i usually // comment everything too, for future reference. and then I can see for example

<? //start vars $var1 = $_REQUEST['age']; // age var $var2 = "chris"; // Name var if ($var1 >= 17) { // test to see if age is above 17. // TRUE! +>17 } else { // FALSE! <18 } ?>

I probs messed that up, being that i Havent been with PHP for a little while, I generally use an IDE which picks up stupid mistakes anyway.

@asadHaider

How do you tell it that the IF statement is finished, so your next echo "fuckpie"; isnt caught in the else for false if statment?

netomx

@eastonch said: I probs messed that up, being that i Havent been with PHP for a little while, I generally use an IDE which picks up stupid mistakes anyway.

I do that too, but when the code is big; if not, it is not necessary. And come on, the code is too tiny to make it bigger with comments.

@AsadHaider said: Yep, so the following would work for example http://pastebin.com/sLAQqyjX

that's right, but, why pie? Don't mention to @HalfEatenPie please

telephone

Please use filter_var or filter_input. If you still wish to use regex, then use filter_var:

filter_var($_GET['variable'], FILTER_VALIDATE_REGEXP, array('options' => array('regexp' => "/^my regex$/")));

PHP The Right Way :)

AsadHaider

@eastonch said: How do you tell it that the IF statement is finished, so your next echo "fuckpie"; isnt caught in the else for false if statment?

When you don't use curly brackets, only the next statement is interpreted as part of the group. If you have more than one statement, then use curly brackets.

@telephone Hipster cat?