Are there any security concerns for using user-provided data as an array or session key? A non-defined index error is not a concern. For instance, any dangers of doing the following? If so, how is it mitigated? Thanks

$var=$_SESSION['xyz'][$_GET['abc']];

EDIT. The reason I ask...

User uploads a document. It is stored in a tmp directory using a random name, and the filename is stored in a session using the random name as a key. It "might" later be moved to a database and stored in a permanent location.

A link is provided to download the document which contains the random name. Upon clicking, the filename is obtained using the random name as a key.

user1032531
  • Non-defined index warnings should always be a concern. You should aim to have absolutely zero warnings in your code, so that when you get them unexpectedly, you can pin-point where the problem might be caused. The above is _safe_ to do, though, so long as there is no private information in the `$_SESSION['xyz']` array. – halfer Jan 12 '14 at 17:15
  • @halfer Agree. Warnings will not be displayed. – user1032531 Jan 12 '14 at 17:16
  • @user1032531: you may suppress warnings, but they are still happening. You should work to remove their cause, not disable them. – halfer Jan 12 '14 at 17:17
  • @crypticツ. Good point. Let me update my post on how it is being used. – user1032531 Jan 12 '14 at 17:19
  • @halfer. With a properly generated random number, the odds of an error are about 1 in 10^40. Script stopping on an error is acceptable. – user1032531 Jan 12 '14 at 22:24

1 Answer

Non-filtered data is always a potential threat. NEVER trust user-provided data. That being said, you need to make sure the user-provided key is actually a valid key (no unexpected characters) to avoid code-breaking characters. Then you could just use

if(is_array($_SESSION['xyz']) && array_key_exists($key,$_SESSION['xyz']))

to avoid the other gotchas mentioned above.

Edit:

check this for valid indexes discussion

I corrected the function name as per your comment (sorry for that). As for the difference from isset() check this.

Hope this helps

ghousseyn
  • Thanks ghousseyn. The application already knows that `$_SESSION['xyz']` is an array, and it is not based on user input. I never used `key_exists()` before (by the way, it should be `array_key_exists()`), and is there any reason to use this over `isset()`? Now the real big question. How do I tell if there are any "code breaking characters" and how do I mitigate if there are? As I originally stated, an error which stops the script is acceptable, but further breaches in security are not. Thanks – user1032531 Jan 12 '14 at 22:54
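
The lookup discussed in this thread, written out as an added example (not code from the question or the answer): the user-supplied key is type-checked, matched against an allow-list pattern, and only then used as an index. The function name `lookup_upload`, the token format (`bin2hex(random_bytes(16))`) and the sample data are assumptions; PHP 8.0 or later is required for the `mixed` type.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: resolve a download token to the temp file name stored
// server-side. Assumes tokens were created with bin2hex(random_bytes(16)).
function lookup_upload(array $session, mixed $key): ?string
{
    // ?abc[]=x makes $_GET['abc'] an array; an array used as an index is a
    // TypeError in PHP 8, so reject anything that is not a string first.
    if (!is_string($key)) {
        return null;
    }
    // Allow-list the exact token shape: 32 lowercase hex characters, nothing else.
    if (preg_match('/\A[0-9a-f]{32}\z/', $key) !== 1) {
        return null;
    }
    // array_key_exists() also finds keys whose value is null; isset() would not.
    $uploads = $session['xyz'] ?? null;
    if (!is_array($uploads) || !array_key_exists($key, $uploads)) {
        return null;
    }
    $name = $uploads[$key];
    // The value was written by the server, but still refuse anything that is
    // not a bare file name before it reaches a filesystem call.
    if (!is_string($name) || $name !== basename($name)) {
        return null;
    }
    return $name;
}

// Constructed sample data standing in for $_SESSION and $_GET['abc'].
$token   = bin2hex(random_bytes(16));
$session = ['xyz' => [$token => 'report.pdf']];

$inputs = [
    'valid token'   => $token,
    'unknown token' => str_repeat('0', 32),
    'array value'   => ['x'],
    'not a token'   => '../report.pdf',
    'missing'       => null,
];
foreach ($inputs as $label => $input) {
    printf("%-14s => %s\n", $label, lookup_upload($session, $input) ?? 'rejected');
}
```

The user-supplied key is only ever compared against keys the server created, so it never becomes part of a path or a query; the file name comes from the session value.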