Tell me please, is such a construction safe?
<?php $search = $_GET['search']; echo htmlspecialchars($search); 
2 answers
It depends on what you mean by security. JS in the browser at the client does not start. If there is then some other evil script does not work :-) It is tactically safe.
Never use raw $ _GET. This is a bad tone, it smells foul and difficult to code, it is difficult to look for.
It is not safe strategically : accessing $ _GET bypasses any validation, therefore, getting used to using $ _GET, someday you will take the user input, try to write it to the database and your site will come ...
If this is in the API of some of your (even internal) service and you give the answer somewhere further along the code, then, as far as I understand the characters
',-(--sql-comment);will not be escaped, they are not special characters for html, as I recall. An api client can catch something like DROP DATABASE SOME_BASE;This is unsafe in terms of code support. From working practice : imagine a function that accepts any parameters for input, from time to time it turns to $ _GET and performs some manipulations with it. It is logical to assume that the code of such a function is a noodle. Until someone refactores, the code will become more notable.
- Suppose an encoder who does any task, having spent time refactoring / trying to understand how the function works, will get tired and allow a bug that may not lead to direct losses (will not debit the entire user balance), but will lead to downtime. Downtime = money. Vulnerability = money. Therefore, vulnerability = downtime. Bad code = downtime = money = vulnerability. Plus, the loss of working time ( money ) to repair bugs.
To begin with, if you, from the principle or for the period of training, do not want to use frameworks, make at least a raw wrapper function like
class http{ // это не образец хорошего кода, тут нехватает документации // это просто пример для людей, которые не используют фреймворки // php позволяет указывать значения аргументов по умолчанию, поэтому // функцию можно вызывать без аргументов, с одним или двумя аргументами // php allows to set default arguments for a function // ( php.net/manual/en/functions.arguments.php) public static function get($name=false, $default=null){ if (!empty($_POST)){ $_GET=$_POST; //lazy, dangerous, bad code. } if (!$name){ return $_GET; // do what you want with get } if (!isset($_GET[$name])){ return $default; // return null or default value // or throw an exception }else{ return $_GET[$name]; // return value } } } you use, for example, as $search = http::get("search") ; if you throw it, you don’t have to check if ($search === null)
(the code is old, so the class instead of neymspeysa, get / post manipulation due to the fact that this is an in-house project for the internal admin)
plus this approach (this is called encapsulation ):
you can always find in your code an appeal to
$_GET,You can always put debag there.
you do not have to check in a thousand places the existence of an array index in $ _GET
IDE type PhpStorm will understand that this is a function call with parameters.
later, moving to the framework or doing heavy refactoring, you can always either find these calls and get rid of them or embed them in someone else's code without any special speed loss
if you don’t want to use frameworks or components, the way to design a bicycle is for you, but bicycles are also useful for learning.
so - now it is accepted to conduct work with http through google://Guzzle and in principle all work with php through google://composer+php
strangeqargo strangeqargo
5,580 14 thirty
- oneMy personal opinion is that by applying your implementation of the
get($name=false, $default=null)functionget($name=false, $default=null)in the end nothing changes, the same string will appear in the variable. Only there is a new wrapper.if (!empty($_POST)) $_GET=$_POST;it looks weird) Isn't it easier to take it immediately from$_REQUEST? - jekaby - here you are right, but (as far as I remember), I made this division just to not forget about get / post. and yes, if you take the function as a given, it is better to change it to $ _REQUEST. The main factor there is not to check on the isset, as a result, the variable will either have the value of the http parameter or null (or you can throw an exception) I just often met in the verification code for the existence of a parameter in the http request, this ... enrages. And yes, the second cymes is that $ _GET is processed systemically and at one entry point, and not throughout the code - strangeqargo
- What does this code mean?
$name=false, $default=nullYou assign values to variables, but then they check if they are empty. - Telion - These are the default values of the arguments for the function. php.net/manual/en/functions.arguments.php By default (when calling a function without arguments, they will be false / null) you can later call the function without arguments, with one or two arguments - strangeqargo
|
Safe enough.
Not subject to XSS and sql-injection))
jekaby jekaby
2.574 four 18
- By the way, if it has an API that receives data on http, accessing this code and writing the result to the database, then 'and; not shielded - strangeqargo
- @strangeqargo Not shielded. The question is not about writing to the database, but about safe text output. Before writing to the database, variables need to be escaped. - jekaby
- I mean, right now, microservices are often done with all sorts of rest, etc. Those. You can drop the drop database through the validation if the het comes from the user, and then some other service tries to put it in the sql database. I can lie, but it seems that I read somewhere how somewhere such tops were passing through logs - strangeqargo
- oneand so you took a variable, validated it in your domain-domain and you know that no one else anywhere on the code will work wonders with changing $ _GET. it calms you, well, you know why frameworks write. Olso, offtopic, sorry for talking to "you", but I do not like "you" in Russian and try not to use it, IMHO, this is a relic of the slave past - strangeqargo
- one@strangeqargo I understand what you mean) Well, yes, there is a reason for this. - jekaby
|