Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Little help with GET variables
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Little help with GET variables

netomxnetomx Moderator, Veteran
edited July 2012 in Help

I want to send a filename using GET, but I don't want ppl to try to inject code... anyone got a solution for it?

It will just have letters and space; I was thinking to use a preg_replace and then compare the original GET variable with the other one; if matches, passes the string, if not, someone tried to inject a code.

Ideas? thx!

«1

Comments

  • AsadAsad Member
    edited July 2012

    @netomx The following regular expression should work.. allows a-z, A-Z, 0-9, and spaces. Nothing else.

    PHP Example

    if(preg_match('/^[a-zA-Z0-9\s]+$/', $_GET['filename'])) {
    // valid
    }

  • vahevahe Member
    edited July 2012

    @AsadHaider said: if(preg_match('/^[a-zA-Z0-0\s]+$/', $_GET['filename'])) {

    // valid
    }

    Typo
    The second zero should be a 9: ...a-zA-Z0-9\s...

  • AsadAsad Member

    @vahe Haha yeah well spotted, I typed all that out pretty quickly without checking.

  • netomxnetomx Moderator, Veteran

    and the dot?

  • netomxnetomx Moderator, Veteran

    got it, adding a dot to the match, thanks! =D

  • NickMNickM Member

    The best solution here is probably to use a whitelist of allowed filenames that they can use, and check the input against the whitelist. Otherwise, if you're not extremely careful, you'll end up with someone using something like ../../../../../etc/passwd as the file parameter, and then you could be in for a world of hurt.

  • netomxnetomx Moderator, Veteran

    @NickM but the preg_match above will detect the / isnt it?

  • @NickM not if it's jail'd into a directory...

  • netomxnetomx Moderator, Veteran

    @eastonch said: @NickM not if it's jail'd into a directory...

    please explain if that applies with this:

    if(preg_match('/^[a-zA-Z0-9\s.]+$/', $_GET['video']))

  • AsadAsad Member
    edited July 2012

    @netomx what exactly are you trying to do with the entire code?

  • That's a good question; at the moment, we just know that it's a form submission we're looking at.

  • netomxnetomx Moderator, Veteran

    A video player. Will scan current directory for flv files and display them. If you click them, it will reload the page but with the flowplayer and the video you selected.

    Let me put it here:

    
    <?php
    if (isset($_GET['video']))
    if(preg_match('/^[a-zA-Z0-9\s.]+$/', $_GET['video']))
    $video=$_GET['video'];
    else
    $video="test.flv"; 
    ?>
    " style="display:block;width:624px;height:352px;position:relative; top:10%; left: 50%; margin-left:-312;" id="player">
    
    flowplayer("player", "flowplayer-3.2.12.swf");
    



    <?php exec("find . -name '*flv' -type f; find . -name '*mp4' -type f", $videos); foreach ($videos as &$lista) { $nombre=strrpos($lista, "/")+1; echo "<a style='text-decoration:none;' href='".$_SERVER['PHP_SELF']."?video=".substr($lista,2)."'>".str_replace(".", " ", substr($lista,$nombre, -4))."
    "; } ?>
  • Where are you building this in? -- Use NetBeans for your IDE... there's some missing Curlyz... "{""}" at lines 2,3 etc..

    So why are you worried about injection, and why are you using GET?

  • netomxnetomx Moderator, Veteran

    @eastonch said: Where are you building this in?

    Debian 6 VPS..

    @eastonch said: So why are you worried about injection, and why are you using GET?

    It is for private use, but I don't want that a friend try to inject something. And why GET? I don't know, it's easy =P

  • eastoncheastonch Member
    edited July 2012

    Just use $_POST; they can't inject something as there's nothing in the "http://www.randomstufz.com/index.php?INJECTIONCODEBRO".

    http://www.w3schools.com/php/php_post.asp

    Submit as 'post' and retreive as $_POST['var']

    Also, pull the code off, use http://netbeans.org/downloads/ really helpful if you're getting into PHP.

  • netomxnetomx Moderator, Veteran
    edited July 2012

    are you sure @eastonch?

    I think that someone can make a form and point the POST to my server, making that "inject proof" vulnerable

  • Only accept one host, locally?

  • netomxnetomx Moderator, Veteran

    @eastonch said: Only accept one host, locally?

    that's one. will check that, thanks

  • AsadAsad Member

    @eastonch said: there's some missing Curlyz... "{""}" at lines 2,3 etc..

    With PHP it still works without curly brackets, depends how you format the code.

  • @AsadHaider Oh. I generally use them, mainly for syntax highlighting when editing it; makes it look a little less messy :D!

  • netomxnetomx Moderator, Veteran

    @eastonch said: Something along these lines...

    dankeschön!

  • :']

  • netomxnetomx Moderator, Veteran

    @eastonch remember the curlys...

    if it is just 1 line of code (example: if ($x=0) echo $var;) it works. If you need more than one line, you need to use curlies =P

  • AsadAsad Member
    edited July 2012

    @netomx said: If you need more than one line, you need to use curlies =P

    Yep, so the following would work for example
    http://pastebin.com/sLAQqyjX

  • eastoncheastonch Member
    edited July 2012

    Oh, yeah I know that. I rarely condense my code that short. I'd rather stretch it out, for easy of reading, and i usually // comment everything too, for future reference. and then I can see for example

    <? //start vars $var1 = $_REQUEST['age']; // age var $var2 = "chris"; // Name var if ($var1 >= 17) { // test to see if age is above 17. // TRUE! +>17 } else { // FALSE! <18 } ?>

    I probs messed that up, being that i Havent been with PHP for a little while, I generally use an IDE which picks up stupid mistakes anyway.

    @asadHaider

    How do you tell it that the IF statement is finished, so your next echo "fuckpie"; isnt caught in the else for false if statment?

  • netomxnetomx Moderator, Veteran

    @eastonch said: I probs messed that up, being that i Havent been with PHP for a little while, I generally use an IDE which picks up stupid mistakes anyway.

    I do that too, but when the code is big; if not, it is not necessary. And come on, the code is too tiny to make it bigger with comments.

    @AsadHaider said: Yep, so the following would work for example

    http://pastebin.com/sLAQqyjX

    that's right, but, why pie? Don't mention to @HalfEatenPie please

  • telephonetelephone Member
    edited July 2012

    Please use filter_var or filter_input. If you still wish to use regex, then use filter_var:

    filter_var($_GET['variable'], FILTER_VALIDATE_REGEXP, array('options' => array('regexp' => "/^my regex$/")));

    PHP The Right Way :)

  • AsadAsad Member
    edited July 2012

    @eastonch said: How do you tell it that the IF statement is finished, so your next echo "fuckpie"; isnt caught in the else for false if statment?

    When you don't use curly brackets, only the next statement is interpreted as part of the group. If you have more than one statement, then use curly brackets.

    @telephone Hipster cat?

Sign In or Register to comment.