I'm wondering: should I do any advanced security checks for view-only ordering functions?
http://www.site.com/?product=shoes&order=manufactured&ord=desc
when I only use this data in an echo for pagination:
$i = 0; // current page index (zero-based)
// The two $_GET values are echoed straight into the href attribute; this is the code in question.
// ($i + 1) needs the parentheses: in PHP 7 and earlier "." and "+" have equal precedence, so
// "...&page=".$i+1."..." is evaluated as ("...&page=".$i) + 1 and the string is mangled.
echo "<div>
<a href='/?products=".$data['cat']."&order=".$_GET['order']."&ord=".$_GET['ord']."&page=".($i + 1)."'>NEXT PAGE</a>";
JUST IN THE ECHO CASE. These $_GET values aren't used anywhere else (e.g. SQL queries etc.)...
-------------
Is there any way for a hacker to harm the page by changing the URL params "order" or "ord" that could affect the server or other users?
-----------
If so, would this include at the top of the file be helpful?
// Prevent any possible XSS attacks via $_GET.
// eregi() was removed in PHP 7; these are the same patterns for preg_match() with the /i flag.
$xss_patterns = [
    '/<[^>]*script*"?[^>]*>/i', '/<[^>]*object*"?[^>]*>/i',
    '/<[^>]*iframe*"?[^>]*>/i', '/<[^>]*applet*"?[^>]*>/i',
    '/<[^>]*meta*"?[^>]*>/i',   '/<[^>]*style*"?[^>]*>/i',
    '/<[^>]*form*"?[^>]*>/i',
    '/\([^>]*"?[^)]*\)/',       // anything inside parentheses
    '/"/',                      // any double quote
];
foreach ($_GET as $check_url) {
    if (!is_string($check_url)) {
        continue; // $_GET values can be arrays (?a[]=1); preg_match() needs a string
    }
    foreach ($xss_patterns as $pattern) {
        if (preg_match($pattern, $check_url)) {
            die();
        }
    }
}
unset($check_url, $pattern, $xss_patterns);
Thanks for any help :)
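The point the question turns on, shown as an added example that is not part of the original post: the two $_GET values are concatenated straight into a single-quoted href attribute, so a value containing a single quote closes the attribute and whatever follows is parsed as further attributes of the anchor. This is reflected XSS: it reaches another user only when that user opens a crafted link, but the deny-list in the post never checks for a single quote, so it would not stop such a link. The safe version below does not try to recognise bad input at all; it allow-lists the two parameters (the column and direction names are assumed, not taken from the post) and encodes the output for the context it lands in. The sample inputs are constructed.

```php
<?php
// Added example, not code from the original post.
// Assumed allow-lists: the real column and direction names are whatever the site sorts by.
const ALLOWED_ORDER = ['manufactured', 'price', 'name'];
const ALLOWED_ORD   = ['asc', 'desc'];

/**
 * Return $source[$key] if it is one of $allowed, otherwise $default.
 * Allow-listing replaces the regex deny-list: anything unexpected is dropped,
 * so no bypass string has to be anticipated.
 */
function pick(array $source, string $key, array $allowed, string $default): string
{
    $value = $source[$key] ?? $default;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
}

/**
 * Build the NEXT PAGE anchor with two layers of output encoding:
 *  1. http_build_query() URL-encodes each value, so a value cannot add new query keys;
 *  2. htmlspecialchars() with ENT_QUOTES encodes both ' and ", so neither can close
 *     the single-quoted href attribute.
 */
function next_page_link(array $get, string $cat, int $page): string
{
    $query = http_build_query([
        'products' => $cat,
        'order'    => pick($get, 'order', ALLOWED_ORDER, 'manufactured'),
        'ord'      => pick($get, 'ord', ALLOWED_ORD, 'asc'),
        'page'     => $page + 1,
    ]);
    $href = htmlspecialchars('/?' . $query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='{$href}'>NEXT PAGE</a>";
}

// Constructed sample input: the URL from the question, then one whose "order" value
// carries a single quote. The deny-list in the question only stops ", ( and a few tag
// names, so the second value would pass it and close the href attribute in the
// original echo.
$normal  = ['order' => 'manufactured', 'ord' => 'desc'];
$hostile = ['order' => "manufactured' x='y", 'ord' => 'desc'];

echo next_page_link($normal, 'shoes', 0), PHP_EOL;
// The hostile "order" is not in the allow-list, so the default is used and nothing
// from the request value reaches the page.
echo next_page_link($hostile, 'shoes', 0), PHP_EOL;

// If a value must be echoed free-form (no allow-list possible), the minimum is still
// both layers: URL-encode for the query string, then HTML-encode for the attribute.
$free = "x' y='z";
$safe = htmlspecialchars(urlencode($free), ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<a href='/?q={$safe}'>free-form</a>", PHP_EOL;
```

Run it with `php example.php`. The allow-list is the part that matters: with only two legitimate sort columns and two directions, there is no reason to let any other string through, and encoding on output then covers the remaining free-form parameter such as the category name.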