
When I create URLs, I first urlencode them, and when I read $_GET values from the URL, I first do urldecode($_GET['param']) and then use the URL parameters.

Is this sufficient, or should I do anything more against URL injection hacks?

Note: the parameters that I put into the GET form can contain the ' character, so I don't want to remove the ' character in any case.

trante
    Sufficient for what? It depends on what you do with `$_GET['param']`. – Tchoupi Mar 20 '13 at 17:23
  • You don’t need to decode the `$_GET` values as they are already decoded by PHP during the process where `$_GET` is getting created. It would only be required if you process the URL’s query string manually. – Gumbo Mar 20 '13 at 17:24
  • One of the most common injection attacks happens from allowing JS or straight HTML to be passed in a query string. For example, `/mypage.php?something=DoSomethingCool();`, well, it could be coded as `` - The problem is that anybody can make URLs, so if they do `/mypage.php?something=C00l.Hak();` then it'll execute that JS on your page. It doesn't take hackers much work to be able to inject very dangerous things this way. Outputting HTML gets worse REALLY fast, because they can place whole regions of content on your page! – Mark Ormston Mar 20 '13 at 17:26
  • Related question: [How to prevent code injection attacks in PHP?](http://stackoverflow.com/q/1205889/1409082) – Jocelyn Mar 20 '13 at 17:51

2 Answers


That is not used to prevent attacks, from my knowledge. Encoding and decoding only make sure that the server interprets your request clearly. For example, your browser encodes whatever you type when you don't enter a correct URL address in the address bar and sends it to Google. That way, the Google server knows which part is the data and which part is not. So, if an attack is possible, I think it would get you if you use the client data the wrong way.

It's just an opinion, though. Try using something like:

$url = filter_var($_GET['param'], FILTER_SANITIZE_URL);

This will make sure that whatever is returned is a proper URL or NULL, I think. Just my opinion, though. The code above assumes that you want to make sure that the parsed data is a URL.

Be careful though.

Touch
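To see concretely what FILTER_SANITIZE_URL does to a parameter, here is an added example (not code from the answer above). The PHP manual defines the filter as removing every character except letters, digits and `$-_.+!*'(),{}|\^~[]`<>#%";/?:@&=`; it does not check that what remains is a URL, which is what FILTER_VALIDATE_URL is for. The inputs are constructed for illustration.

```php
<?php
// Added example, not part of the answer above: what FILTER_SANITIZE_URL
// keeps and what it removes. Per the PHP manual the filter strips all
// characters except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=
// It does not verify that the result is a URL; FILTER_VALIDATE_URL does.
// The inputs below are constructed for illustration.

function sanitize_url_param(string $raw): string
{
    // FILTER_SANITIZE_URL returns the filtered string for string input;
    // the cast is only defensive.
    return (string) filter_var($raw, FILTER_SANITIZE_URL);
}

function is_valid_url(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_URL) !== false;
}

$inputs = [
    "http://example.com/path?x=1",      // already made of allowed characters
    "http://example.com/a b c",         // spaces are not in the allowed set: removed
    "O'Reilly",                         // the ' the question wants to keep is allowed
    "javascript:alert('1')",            // every character is allowed: returned unchanged
    "<script>alert('x')</script>",      // < > ( ) ' / are all allowed: returned unchanged
];

foreach ($inputs as $in) {
    $out = sanitize_url_param($in);
    printf("%-32s sanitized: %-32s valid URL: %s\n",
        $in, $out, is_valid_url($out) ? 'yes' : 'no');
}
```

Run it with `php` on the command line. The point to take away is that the sanitize filter only answers "is this made of URL characters"; the angle brackets, quotes and parentheses of a script tag are all URL characters, so a value that is later echoed into an HTML page still has to be passed through htmlspecialchars() at that point.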

No, double-URL-decoding your input (which is effectively what urldecode($_GET['param']) does, since the values in $_GET have already been URL-decoded) does nothing to prevent any kind of injection attack. After all, the following identity holds for all strings:

$string === urldecode( urlencode( $string ) )

Thus, if an attacker wants to feed you any string as input, all they need to do to work around your extra urldecode() is to URL-encode the input string.


Using urlencode() (once!) on strings which you want to include in a URL is, of course, the right thing to do in any case, since it ensures that the resulting URL will be well-formed and that the parameters in it will be correctly decoded by PHP when it populates the $_GET array. There's generally no point in URL-encoding anything twice, however.

Ilmari Karonen
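The following is an added example, not code from the answer above, that runs the answer's argument end to end: the round-trip identity, the double-encoding that an attacker uses to get past the extra urldecode(), and the context-specific encoding that actually stops injection while keeping the apostrophe the question wants to preserve. $_GET is simulated with parse_str(), which performs the single decode PHP does when populating $_GET, so no web server is needed; the `/mypage.php?param=` link, the script payload and the value `O'Reilly` are constructed inputs.

```php
<?php
// Added example, not from the answer above: the round-trip identity, the
// double-encoding that defeats an extra urldecode(), and the context
// encoding that actually stops injection. $_GET is simulated with
// parse_str(), which performs the single decode PHP does; no web server
// is needed. The payload and the "O'Reilly" value are constructed inputs.

// What PHP does when it builds $_GET: one round of URL-decoding.
function build_get(string $queryString): array
{
    parse_str($queryString, $get);
    return $get;
}

// The link built the way the question describes: urlencode() once.
function build_link(string $value): string
{
    return '/mypage.php?param=' . urlencode($value);
}

// The identity the answer states: urldecode(urlencode($s)) === $s.
function round_trips(string $s): bool
{
    return urldecode(urlencode($s)) === $s;
}

// A link built honestly is decoded by PHP back to the original value.
function honest_link_decodes_to(string $value): bool
{
    $link = build_link($value);
    $get  = build_get(substr($link, strpos($link, '?') + 1));
    return $get['param'] === $value;
}

// The question's extra urldecode($_GET['param']): the attacker encodes the
// payload twice, PHP strips one layer, the application strips the other,
// and the raw payload arrives exactly as intended. Nothing was prevented.
function double_decode_is_bypassed(string $payload): bool
{
    $attackerQuery = 'param=' . urlencode(urlencode($payload));
    $get = build_get($attackerQuery);
    return urldecode($get['param']) === $payload;
}

// What stops injection is encoding for the context the value is used in.
// HTML context: < > " ' become entities, so the browser never sees a tag;
// the apostrophe is preserved as an entity rather than removed.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// SQL context: bind the value, so the ' in O'Reilly is data, not syntax.
// Uses PDO with an in-memory SQLite database; returns null if the driver
// is not installed so the rest of the example still runs.
function sql_keeps_apostrophe(string $name): ?bool
{
    if (!class_exists('PDO') || !in_array('sqlite', PDO::getAvailableDrivers(), true)) {
        return null;
    }
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE t (name TEXT)');
    $ins = $pdo->prepare('INSERT INTO t (name) VALUES (:name)');
    $ins->execute([':name' => $name]);
    $sel = $pdo->prepare('SELECT name FROM t WHERE name = :name');
    $sel->execute([':name' => $name]);
    return $sel->fetchColumn() === $name;
}

$payload = "<script>alert('1')</script>";
printf("round trip holds:         %s\n", round_trips($payload) ? 'yes' : 'no');
printf("honest link decodes:      %s\n", honest_link_decodes_to($payload) ? 'yes' : 'no');
printf("extra urldecode bypassed: %s\n", double_decode_is_bypassed($payload) ? 'yes' : 'no');
printf("HTML-encoded payload:     %s\n", for_html($payload));
$sql = sql_keeps_apostrophe("O'Reilly");
printf("SQL keeps apostrophe:     %s\n",
    $sql === null ? 'skipped (no pdo_sqlite)' : ($sql ? 'yes' : 'no'));
```

The design point is that encoding is chosen by the place a value is consumed, not by the place it came from: urlencode() once when building the link, then htmlspecialchars() at the moment of HTML output and parameter binding at the moment of query execution. Neither of the latter two needs the ' character removed, which answers the note in the question.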