Problem with GET Form in PHP

Question

5416339 0 Newbie Poster

13 Years Ago

Hello Everyone,

I made a GET form recently.But the problem is that it is highly vulnerable.You can inject your an script as below.

http://mysite.com/processget.phtml?search=<a href="http://google.com">Hacked</a>

I'm able to inject any kind of script into my above URL.I'm actually echoing my GET data using an echo in my BODY,so whenever i enter a malicious script it is being executed in my BODY tag.So now how do i limit this http://mysite.com/processget.phtml?search= to just Number,letters and a few symbols which i want.

For ex.The user should only be able to enter

http://mysite.com/processget.phtml?search=A123123+*$

So can anyof you help me fix this bug.I'm kind of new to PHP,so please explain.

php

4 Contributors
3 Replies
148 Views
12 Hours Discussion Span
Latest Post 13 Years Ago Latest Post by baltazar

hielo 65 Veteran Poster

13 Years Ago

Refer to:
http://www.php.net/manual/en/filter.filters.sanitize.php

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

dddougal 0 Newbie Poster · Answer 1 · 2010-09-21T18:24:03+00:00

just check what is being grabbed before you use it and addslashes.....If you want your script to just accept numbers then:

if(is_numeric($_GET)){
everythings fine
}else{
error
}

baltazar 0 Light Poster · Answer 2 · 2010-09-21T23:50:59+00:00

You can either use the sanitize functions in PHP (as mentioned by hielo) or try out PHP's strip_tags function.

http://php.net/manual/en/function.strip-tags.php

$search = strip_tags($_GET['search']);