I have a function called _check_input. Any _GET values I use always get passed into my _check_input function. Is this enough to have a fully secure .php file so I don't get hacked?

<?php
// Whitelist check: only ASCII letters and digits pass; anything else aborts the script.
function _check_input($string) {
    if (!preg_match("/^[A-Za-z0-9]+$/", $string)) {
        echo "ERROR";
        exit();
    } else {
        // The value is already plain alphanumeric at this point, so the escaping never changes it.
        return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
    }
}
$input = _check_input($_GET['input']);

All my program does is strcmp the input against a .json file I have using file_get_contents. It loops through the .json until it finds a match. Once it has a match, it goes to a specific value in the .json and prints it out.

PS: I am a new programmer

Bilal Ahmed
Jackie
  • It depends on your further actions with $input. If you use $input in an SQL query then: yes, sure, you prevented SQL injections. – Dmitriy Snitko Oct 08 '18 at 05:41
  • It's good, but make sure you use PDO or mysqli with bind parameters. – Bilal Ahmed Oct 08 '18 at 05:42
  • @DmitriySnitko There are more security checks? How the heck can someone hack me using just letters and numbers? – Jackie Oct 08 '18 at 05:44
  • @BilalAhmed Can you show me an example of what PDO is? – Jackie Oct 08 '18 at 05:45
  • There are multiple ways to hack a website, like session hijacking, cross-site scripting or files that users upload. So you should also focus on these things. Just letters or numbers are not enough to secure a complete website. – Bilal Ahmed Oct 08 '18 at 05:46
  • @BilalAhmed Aww man... I just spent around 30 hours making such a simple website, but I can't put it online... What is session hijacking? Also cross site scripting, I think I have that covered? And I don't have to worry about what users upload because the user only enters a string. – Jackie Oct 08 '18 at 05:48
  • Whitelisting specific input is not a bad idea. But it's unsuitable as general catch-all. (In this case: the html escaping is pointless if it's already all-alphanumerics. The function name is awful). See also [What's the best method for sanitizing user input with PHP?](https://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php) and of course [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – mario Oct 08 '18 at 05:49
  • @mario Do I need to worry about SQL injection if I don't use SQL in my code? All my program does is strcmp the input against a .json file I have using `file_get_contents` – Jackie Oct 08 '18 at 05:51
  • This question is too unspecific. Whether that is enough or not 100% depends on what you're doing with the value. Different actions require different solutions. What are you doing with it? – M. Eriksson Oct 08 '18 at 05:52
  • @MagnusEriksson All my program does is strcmp the input against a .json file I have using file_get_contents. Then prints out a value from the .json file (depending on the value it finds using strcmp) – Jackie Oct 08 '18 at 05:53
  • @Jackie, please go through this link https://security.stackexchange.com/questions/90023/get-and-post-request-vulnerable-to-csrf-attack Hoping it will answer your question! – ABHI Oct 08 '18 at 05:54
  • In that case, you don't really need to do anything with the value. AFAIK, there's no "hack" you can use with `strcmp()`. Also, I don't see any reason for `htmlspecialchars()` since you've already made sure that the string won't contain any chars that need escaping. Also, that function is for escaping data before you _output_ it. This is just some random check with a random escaping for no apparent reason. – M. Eriksson Oct 08 '18 at 05:54
  • @MagnusEriksson I thought it was pointless too, but I am scared somehow it will fail, so it's a second check too. – Jackie Oct 08 '18 at 05:59
  • Don't just add random encoding to the inputs without understanding what they do and what they are for. If you're worried about security for a specific case, you should do the proper research for that specific case. As mentioned, different situations require different solutions. There's no "one-size-fits-all" when it comes to security. – M. Eriksson Oct 08 '18 at 06:02
  • @MagnusEriksson When someone types `www.example.com/myfile.php?input=[]` my program breaks because strcmp cannot accept it. Is there a way to check against this? – Jackie Oct 08 '18 at 07:27
  • In that case you would have an empty array in $_GET['input']. PHP has several functions to check what type a variable might have or not, so go have a look - http://php.net/manual/en/ref.var.php – misorude Oct 08 '18 at 07:48
  • There's a difference between data _validation_ and data _encoding_. When you get data from users, you should always _validate_ it to make sure that you got what you expect, especially if it needs to be of some specific type. That input should never reach the `strcmp()` function at all. Btw, that input would make both `preg_match()` and `htmlspecialchars()` throw warnings since both functions expect to get a string, not an array. – M. Eriksson Oct 08 '18 at 11:27
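
The validation-versus-encoding point from the comments, and the array case that broke `strcmp()`, written out as an added example (not code from the question or the answer). It assumes a flat JSON object of `{"key": "value"}` pairs; the sample data, the 64-character limit and the function names are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the .json file (not the OP's file).
const SAMPLE_JSON = '{"apple": "A red fruit", "pear42": "A green fruit", "7": "Seven"}';

/**
 * Validation step: accept only a short alphanumeric string.
 * $_GET['input'] is a PHP array when the query string is input[]=..., and
 * preg_match() on an array only emits a warning and returns false, so the
 * type check has to come first. Returning null instead of echo+exit lets the
 * caller choose the response.
 */
function validate_key($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 64) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9]+$/', $raw) === 1 ? $raw : null;
}

/**
 * Lookup step: decode the JSON once and compare with === instead of strcmp().
 * json_decode() turns an all-digit key such as "7" into an integer array key,
 * so the key is cast back to string before comparing. No escaping happens
 * here: the value is still raw data at this point.
 */
function lookup(string $json, string $key): ?string
{
    $table = json_decode($json, true);
    if (!is_array($table)) {
        return null; // malformed file: fail closed rather than print garbage
    }
    foreach ($table as $k => $v) {
        if ((string) $k === $key && is_string($v)) {
            return $v;
        }
    }
    return null;
}

// Encoding step: escape at the point of output. The alphanumeric check only
// covered the key; the value read from the file has not been checked at all.
$key = validate_key($_GET['input'] ?? null);
if ($key === null) {
    http_response_code(400);
    exit('ERROR');
}
$value = lookup(SAMPLE_JSON, $key);
echo htmlspecialchars($value ?? 'not found', ENT_QUOTES, 'UTF-8');
```

Requesting `?input=pear42` prints the matching value, while `?input[]=x` or `?input=<b>` stops at the validation step with a 400 rather than reaching the comparison.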

1 Answer

As per your comments, I am going to add more details.

  • Yes! It's good, but make sure you use PDO with bind parameters (this is only good for the GET request string).

For whole-website security this is not enough. You should also focus on session hijacking, cross-site scripting, and files that users upload.

Here is an example of PDO with bind parameters (for more details, read the PDO manual):

<?php
// $dbh is an existing PDO connection, e.g. new PDO($dsn, $user, $pass).
$calories = 150;
$colour = 'red';
// Named placeholders keep the values out of the SQL text; the driver sends them separately.
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();

Here are very useful details about session hijacking.

For cross-site scripting:

For a secure way to upload files:

Finally! A hacker can always find a way to hack a website. (It's my opinion & research.)

Bilal Ahmed
  • _"Yes! it's good"_ - We have no idea what the OP will do with the value. The OP has also mentioned (in the comments) that they don't have any SQL in the code. – M. Eriksson Oct 08 '18 at 05:53