Geek Answers Handbook

Should I worry about introducing PHP if I am not using MySQL?

I use a simple PHP script to run an online comic that basically uses GET to get the integer n and inserts the img tag for n .jpg, It does not do any cleaning or error checking, except that there is n .jpg. The only user interaction with the script is through this GET, and the other is the same with the string to manually display another template for testing.

My question is, should I even bother with injections? And if so, what should I do to prevent this? All that I have found so far only concerns MySQL injection, which in this case does not apply.

+7
php
source share
8 answers

If you are not using a database, then obviously SQL injection does not bother you. Similarly, if you do not store any user data for display to other users, Cross-Site Scripting is not a concern. This leaves things like eval() or triggers external processes that the attacker can undermine, but it doesn't look like you are doing something like that.

So you are probably safe. However, it would be nice to have minimal error checking, just to get used to it. For example, you say that you have an integer parameter GET. There is no such thing - all HTTP parameters are instability strings. PHP blurs the distinction, but you should definitely use it for int explicitly to make sure that no line is intended to use XSS, SQL injection, or the eval vulnerability (even if none exist).

+5
source share

You should always worry about security. Not every security hole is created using mysql incorrectly :-)

+3
source share

SQL injection is not applicable in your case because you are not using a database for your site. But you must consider other security issues for your site, such as crossite scripting .

If you are using a variable from GET, consider the url below:

  index.php?myvar=<script>alert(document.cookie);</script>

Hackers can provide the above url in several ways: hex, utf, etc.

The bad guy can change your GET variables to perform XSS attacks. XSS is the root of many security holes. You should also consider this.

If you expect a numeric type from GET var, consider the code below:

 $myvar = (int) $_GET['your_var'];

You should use htmlentities to prevent XSS attacks.

+2
source share

If get should contain only an integer

$n = intval($_GET['n'])

+1
source share

If you expect a number, do not sanitize a bad input, deny it.

 if ( !ctype_digit($user_input) ) { header('Location: error.php'); // or whatever page exit; }
+1
source share

Allways checks the user's login and $ _GET and $ _POST data for malicious content. Addslashes, ereg_match and intval are your friend ...

If you succeed, install

 allow_url_fopen = Off

directive in php.ini

0
source share

I would also request your catalog of the desired images, since you do not want people to browse your file server with requests like example.com/?q=../../.htaccess

I am not sure how this will affect the conclusion, but it may not be good.

0
source share

You do not need to worry about SQL injection. But you have to check your input as it is used in the html that you generate. Imagine that I am passing this link http://www.example.com/viewComic.php?id="/><script type="text/javascript>alert("XSS");</script><img src="22 someone. This person will have a small popup from your site. And javascript can do a lot of bad things. For more information, you can start reading the XSS wikipedia page.

So you should check that the number you expect is a number. For example, is_numeric .

0
source share

More articles:


All Articles