Am I doing this wrong?

Post by such_a_noob on Sat Sep 03, 2011 5:49 pm

I am going through the code on my site before I launch it, trying to make sure I haven't left any gaping holes.

I am using an .htaccess file with this code:

RewriteRule ^(.*)$ index.php?parameters=$1 [QSA,L]

so that my URL looks like this: mywebsite.com/bananas/ripe/20 instead of mywebsite.com?pagename=bananas&website=ripe&picture=20 and, in the top of the index.php file, I am doing this:

<?php
// Split the rewritten path ("bananas/ripe/20") into its segments; guard against
// missing segments so a short URL does not raise undefined-index notices.
$parameters = explode('/', isset($_GET['parameters']) ? $_GET['parameters'] : '');
$_GET['pagename'] = htmlspecialchars(isset($parameters[0]) ? $parameters[0] : '');
$_GET['website']  = htmlspecialchars(isset($parameters[1]) ? $parameters[1] : '');
$_GET['picture']  = intval(htmlspecialchars(isset($parameters[2]) ? $parameters[2] : '0'));

My question is: can I now use $_GET['pagename'] in my code, or is there another way for an attacker to do something evil with my $_GET variables? Also, is htmlspecialchars enough doing it this way? I also do mysql_real_escape_string() with any mysql selects.

Thanks!
such_a_noob
New User
Posts: 1
Joined: Sat Sep 03, 2011 5:38 pm
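The poster asks whether escaping the three path segments on the way in is enough. The added example below (not code from the original post) shows the defensive pattern the question is circling: validate each segment against what the page actually expects, use a parameterised query instead of mysql_real_escape_string(), and apply htmlspecialchars only when rendering HTML. The allowed page list, the `pictures` table with columns `site` and `id`, and the PDO credentials are constructed for the example.

```php
<?php
// Added example: hardened front controller for the index.php described in the
// question. Assumes the same RewriteRule feeds the path into $_GET['parameters'].

// 1. Validation: only page names that actually exist (constructed list).
$allowedPages = array('bananas', 'apples', 'home');

$segments = explode('/', isset($_GET['parameters']) ? $_GET['parameters'] : '');
$pagename = isset($segments[0]) ? $segments[0] : 'home';
$website  = isset($segments[1]) ? $segments[1] : '';
$picture  = isset($segments[2]) ? $segments[2] : '0';

if (!in_array($pagename, $allowedPages, true)) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}
// Second segment: restrict to a safe character class instead of escaping it.
if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $website)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad request');
}
// Third segment: strict digit check; intval() would silently turn "20abc" into 20.
if (!ctype_digit($picture) || strlen($picture) > 9) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad request');
}
$picture = (int) $picture;

// 2. Database: a real prepared statement keeps data and SQL separate, so no
//    escaping of the values is needed (hypothetical table and credentials).
$pdo = new PDO('mysql:host=localhost;dbname=mysite;charset=utf8', 'user', 'pass', array(
    PDO::ATTR_EMULATE_PREPARES => false,          // server-side prepares
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
));
$stmt = $pdo->prepare('SELECT title FROM pictures WHERE site = :site AND id = :id');
$stmt->execute(array(':site' => $website, ':id' => $picture));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. Output: htmlspecialchars belongs here, at the point where HTML is emitted.
//    ENT_QUOTES also escapes single quotes, which matters inside attributes.
header('Content-Type: text/html; charset=UTF-8');
echo '<h1>', htmlspecialchars($pagename, ENT_QUOTES, 'UTF-8'), '</h1>';
echo '<p>', $row ? htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') : 'No such picture', '</p>';
```

The point of the split is that htmlspecialchars() protects the HTML output only; it does nothing for a value that ends up in a query, a file path or an include, which is why each segment is checked against the shape the page expects before it is used.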


Re: Am I doing this wrong?

Post by tremor77 on Tue Sep 20, 2011 2:27 pm

Wow sorry that no one has replied yet on this.. very good question and very well laid out... I'm at work right now so I can't devote the time it would take to appropriately respond so I will flag this thread for a later response.

On behalf of HTS I apologize for 2 weeks going by before someone responded to this one... because, like I said, it's a good PHP/MySQL question that jives with a lot of the fundamentals of hacking and security...
tremor77
Contributor
Posts: 884
Joined: Wed Mar 31, 2010 12:00 pm
Location: New York