Sanitize $_GET parameters to avoid XSS and other attacks

Question

I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the following.

$page = $_GET['page'];

if(!strpos(strtolower($page), 'http') || !strpos($page, '/') ||
    !strpos($page, '\\') || !strpos($page, '..')) {
        //append ".php" to $page and include the page

Is there any other thing I can do to furtherly sanitize my input?

Don't check the result of strpos() like that - it will return zero if the match is at the start of the string, which will evaluate to false — Tom Haigh, Oct 19 '09 at 09:24
@Tom, the acceppted solution lets me avoid that too, anyway thanks, I'll remember your advice for future code. — Federico klez Culloca, Oct 19 '09 at 09:34

score 33 · Accepted Answer · answered Oct 19 '09 at 09:24

33

$page = preg_replace('/[^-a-zA-Z0-9_]/', '', $_GET['page']);

Is probably the quickest way to sanitize this, this will take anything and make sure that it only contains letters, numbers, underscores or dashes.

answered Oct 19 '09 at 09:24

Mez

24,430
14
71
93

1

still can attack using hex code: see http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection/12202218#12202218 and also http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/12710285#12710285 – Janaka R Rajapaksha Dec 06 '14 at 06:12
3

both links are about mysql and this question is not about sql injection – NikkyD Dec 19 '16 at 15:49

score 7 · Answer 2 · edited May 23 '17 at 12:17

7

Don't "sanitize" - Attacks are specific to the use of data, not the source. Escape values as you output them instead. See also my answer to What’s the best method for sanitizing user input with PHP?

edited May 23 '17 at 12:17

Community

1
1

answered Oct 19 '09 at 10:23

troelskn

115,121
27
131
155

I read it, but I don't think that fits the website I'm working on. – Federico klez Culloca Oct 19 '09 at 12:41

score 5 · Answer 3 · answered Oct 19 '09 at 09:31

Define an explicit list of pages you have in your source code and then use it to check the input. Yes, it's more work, but it makes it very clear what is allowed and what is not. For example:

$AVAILABLE_PAGES = array('home', 'news',  ...);
$AVAILABLE_PAGES = array_fill_keys($AVAILABLE_PAGES, 1);

$page = $_GET['page'];
if (!$AVAILABLE_PAGES[$page]) {
   header("HTTP/1.0 404 Not Found");
   die('Page not found.');
}

include "pages/$page.php";

Sanitize $_GET parameters to avoid XSS and other attacks

3 Answers3

Linked