PHP $_GET verification

Go To StackoverFlow.com

0

might be a silly question nonetheless:

I'm playing around with the following code:

$a='a';

if ($_GET['a'] == $a)
    echo 'true';
else
    echo 'false';

Now, is there any way to send data to break the verification? Obviously the way it could've been done in an SQL injection won't go.

Just wondering how secure this way of validation is.

Thanks in advance.

EDIT:

My question was, is there anything that can be passed thorugh $_GET that could 'break' the comparison and always output 'true'.

2012-04-03 20:50
by michaeltintiuc
Consider the case where $_GET['a'] is not set. Maybe a was never passed to you - Murtnowski 2012-04-03 20:52
For what purpose are you trying to validate the data? There isn't much anyone could do to get anything other than "true" or "false" from your script there. And if $_GET['a'] isn't set it'd just pop a warning into your logs - Crontab 2012-04-03 20:52
Interesting question. I wonder if passing in weird unicode, or ASCII or anything would throw it off. It seems secure to me - kevingreen 2012-04-03 20:53
Don't give the simplest, harmless hardcoded example, conclude that it's a safe mechanism, and the use it in more complex and totally different context. Just mind this - Damien Pirsy 2012-04-03 20:53
not from this script, imageine a user credentials validation built like this. I'm wondering if there's anything that can break this way of validatio - michaeltintiuc 2012-04-03 20:55
Well, so...why don't you put under scrutiny a REAL case - Damien Pirsy 2012-04-03 20:55
@Skatebail Please don't have us imagine. Show us your code, and we'll tell you if it's secure or not. Don't oversimplify the problem - Madara Uchiha 2012-04-03 20:56
There's no REAL code, God, can't someone just 'try' or 'test' things ou - michaeltintiuc 2012-04-03 21:15


2

If you are looking to validate that $_GET['a'] really in face equals to "a" and nothing else, than yes, that's the code.

However, if you're expecting "a" and only "a" it probably shouldn't be a user input.

Validation (or sanitation), means to take whatever string they might throw at you, and make sure it's valid for whatever purpose you want it to. If it's sent to the database, pass it through mysql_escape_string() or use prepared statements. If it's to be displayed as HTML make sure there aren't any harmful tags by using html_entities() or strip_tags().

Your verification isn't very good for anything else other than saying the user has inputted "a". But yes, nothing other than "a" would be able to get through.

2012-04-03 20:55
by Madara Uchiha
My question was, is there anything that can be passed thorugh $_GET that could 'break' the comparison and always output 'true'. I perfectly know how to sanitize and validate user input data. Was just wondering if anything can break the compariso - michaeltintiuc 2012-04-03 21:01
No, nothing could break the comparison. only "a" will be equal to "a" in PHP - Madara Uchiha 2012-04-03 21:02
Great, that's what I wanted to know, are u 100% sure that now weird ASCII or encoded data can go through - michaeltintiuc 2012-04-03 21:04
No, as PHP checks the literal string "a", and nothing else may be equal to it. It's not like 0 (which can be null, or false). If you are still a bit paranoid, consider using a triple equals sign (===) to test for the matching - Madara Uchiha 2012-04-03 21:05


0

Well, if you knew exactly what was coming in, you could compare without type coercion and check for an empty parameter:

$a = 'a';

if( !empty( $_GET['a'] ) && $_GET['a'] === $a  )
{
  //do more validation using your data model
}
else
{
  //output error msg
}
2012-04-03 20:56
by Matthew Blancarte


-2

You could use Prepared-Statements from the mysqli extension this already prevents every possible injection.

If you don't want to use such mysql and mysqli also have "real_escape_string"-methods which you can use in your Query when putting in Userinput

Example

$sql = "SELECT `name` FROM `example` WHERE `id` = '".mysql_real_escape_string($YOURVAR)."'";

real_escape_string method from standart mysql extension

mysqli real_escape_string

2012-04-03 20:56
by peipst9lker
What's this fuss about databases? OP didn't mention tha - Damien Pirsy 2012-04-03 20:58