
URL checking function returns false? PHP

First of all, I am not sure at all, but most SQL injections, XSS attacks etc. occur via the URL, using GET parameters.

So I wondered, what if I could clean them all and detect whether there is an illegal word, and if so, exit to a 404 page.

So this is my function:

    private static function cleanPath()
    {
        if (isset($_GET))
        {
            $count      = 0;
            $illegal    = array 
            (
                '<?', '<?php', '?>', '(', ')',
                '{', '}', 'SELECT', '*', 'FROM',
                'WHERE', 'select', 'from', 'where',
                'DELETE', 'delete', 'echo', 'print',
                'html', 'div', 'class', 'function',
                'prepare', 'query', 'execute', 'exec_',
                '_', '++', 'bindvalue', 'static',
                '$'
            );

            foreach ($illegal as $i)
            {
                foreach ($_GET as $key => $value)
                {
                    $check = strpos($key, $i);
                    if (!$check)
                    {
                        $count++;
                    }
                }
            }

            if ((int)$count == count($illegal))
            {
                return true;
            }
            else
            {
                echo $count . ' array count:' . count($illegal) . '<br />';
                return false;
            }
        }
    }

But it seems like the function doesn't work correctly.

When I enter this link: ?section=register&sec

it returns false.

When I enter this link: ?section=register&section

it returns true, and if I enter anything other than section, it returns false. Why is it doing that?

As you can see, I already debugged that, and this is what it returns:

62 array count:31

So $count = 62 and array count = 31

Why does it go to 62? Looks like it is doubling the counter. What did I do wrong?

Going by your logic, if everything is ok, the actual comparison to check that would be:

    if ((int)$count == (count($_GET) * count($illegal)))

since the counter is being incremented for every GET parameter for every illegal term.

Having said that, the approach you use for this problem can hardly be made even extensive, let alone complete.

It is better to sanitize the inputs and use programming constructs that prevent illegal values from being processed (as Anigel mentioned, whitelisting what you want) than to search for the offending constructs.
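The following is an added example, not code from the question or the answer. It reproduces the counting behaviour the question describes (the loop increments once per illegal term per GET key, so two keys give 2 × 31 = 62) using a constructed query string rather than a live request, and then shows the whitelist-and-prepared-statement approach the answer recommends. Two details worth noting about the posted function: PHP collapses duplicate query keys when it builds `$_GET`, which is why `?section=register&section` leaves a single key and the count lands on 31; and `!strpos(...)` also treats a term found at offset 0 as "clean", so `=== false` is the correct not-found test. The allowed section names, the `users` table and the column names are assumptions made for the example.

```php
<?php
// Added example, not from the original question or answer.

// The 31-entry blacklist from the question, unchanged.
$illegal = ['<?', '<?php', '?>', '(', ')', '{', '}', 'SELECT', '*', 'FROM',
    'WHERE', 'select', 'from', 'where', 'DELETE', 'delete', 'echo', 'print',
    'html', 'div', 'class', 'function', 'prepare', 'query', 'execute', 'exec_',
    '_', '++', 'bindvalue', 'static', '$'];

// Counts "clean" (term, key) pairs the way the question's nested loop does.
// strpos() === false is the correct "not found" test; the original's !$check
// would also count a term matched at offset 0 as clean.
function countClean(array $get, array $illegal): int
{
    $count = 0;
    foreach ($illegal as $term) {
        foreach ($get as $key => $value) {
            if (strpos($key, $term) === false) {
                $count++;
            }
        }
    }
    return $count;
}

// The answer's corrected comparison: one increment per (parameter, term) pair.
function isCleanByCount(array $get, array $illegal): bool
{
    return countClean($get, $illegal) === count($get) * count($illegal);
}

// Constructed query strings standing in for the links in the question.
// parse_str() builds the array the same way PHP builds $_GET, including
// collapsing duplicate keys, so the second string yields a single key.
parse_str('section=register&sec', $twoKeys);     // keys: section, sec
parse_str('section=register&section', $oneKey);  // key:  section

printf("two keys: count=%d, terms=%d, old test=%s, corrected test=%s\n",
    countClean($twoKeys, $illegal), count($illegal),
    countClean($twoKeys, $illegal) == count($illegal) ? 'true' : 'false',   // 62 vs 31: false
    isCleanByCount($twoKeys, $illegal) ? 'true' : 'false');                  // 62 == 2*31: true
printf("one key:  count=%d, terms=%d, old test=%s, corrected test=%s\n",
    countClean($oneKey, $illegal), count($illegal),
    countClean($oneKey, $illegal) == count($illegal) ? 'true' : 'false',    // 31 vs 31: true
    isCleanByCount($oneKey, $illegal) ? 'true' : 'false');                   // 31 == 1*31: true

// Whitelist approach: accept only known section names and reject everything
// else, instead of hunting for "bad words" in the request.
const ALLOWED_SECTIONS = ['home', 'register', 'login'];   // assumed list

function resolveSection(array $get): ?string
{
    $section = $get['section'] ?? 'home';
    return in_array($section, ALLOWED_SECTIONS, true) ? $section : null;
}

// Values that do reach SQL or HTML are neutralised by the construct that
// handles them: a prepared statement with a bound parameter for the query,
// htmlspecialchars() for output. Table and column names are assumed.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function safeEcho(string $value): void
{
    echo htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Routing with the whitelist: an unknown section becomes a 404, as the
// question intended, without inspecting the raw query string at all.
$section = resolveSection($twoKeys);
if ($section === null) {
    http_response_code(404);
    exit('Not found');
}
safeEcho("Rendering section: $section\n");
```

Run it from the command line with `php example.php`; the first two lines of output show the 62-versus-31 mismatch and how the corrected comparison resolves it, and the routing at the end accepts `register` because it is on the whitelist. `findUser()` is included to show the shape of a parameterised query and needs a real PDO connection to be called.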
