Home » Php » Should I worry about PHP injection if I don't use MySQL?

Should I worry about PHP injection if I don't use MySQL?

Posted by: admin July 12, 2020 Leave a comment

Questions:

I use a simple PHP script to run an online comic which basically uses a GET to take an integer value n and insert an img tag for n.jpg. It doesn’t do any sanitizing or error checking beyond making sure that n.jpg exists. The only user interaction with the script is through this GET, and another that does the same thing with a string to manually display a different template for testing.

My question is, should I even be worrying about injection? And if so, what should I do to prevent it? Everything I’ve found so far only concerns MySQL injection, which doesn’t apply in this case.

How to&Answers:

If you’re not using a database, then obviously SQL injection is not a concern for your. Similarly, if you don’t store any user-submitted data to display to other users, Cross-site-scripting is not a concern. That leaves stuff like eval() or running external processes, which an attacker could subvert, but it doesn’t sound like you do anything like that either.

So you’re probably safe. Still, it would be good to have a minimum amount of error checking, just to get into the habit. For example, you say that you have an integer GET parameter. There’s no such thing – all HTTP parameters are implicity strings. PHP blurs the distinction, but you definitely should cast it to int explicitly to make sure it’s not some string intended to exploit an XSS, SQL injection or eval vulnerability (even if none such exist).

Answer:

You should always worry about security. Not every security hole is made up by the wrong usage of mysql 🙂

Answer:

The SQL injection is not applicable in your case because you are not using a database for your site. But you should consider other security issues for your site too such as cross site scripting.

If you are using a variable from GET, consider below url:

 index.php?myvar=<script>alert(document.cookie);</script>

The hackers are able to provide above url in a number ways hex, utf, etc.

A bad guy can modify your GET variables to perform XSS attacks. XSS is the root of many security holes. You need to consider that too.

If you are expecting a numeric type from your GET var then consider below code:

$myvar = (int) $_GET['your_var'];

You should use htmlentities function to prevent the XSS attacks.

Answer:

If get is supposed to only contain an integer use

$n = intval($_GET['n'])

Answer:

If you’re expecting a number, don’t sanitize bad input, deny it.

if ( !ctype_digit($user_input) ) {
    header('Location: error.php'); // or whatever page
    exit;
}

Answer:

I’d also requests hit your desired images directory too, as you don’t want people browsing your file server with requests like example.com/?q=../../.htaccess

I’m not sure how that would affect the output, but it can’t be good.

Answer:

Allways check user input and $_GET and $_POST data for malicious content. Addslashes, ereg_match and intval are your friend…

If you can get away with it, set the

allow_url_fopen = Off

directive in php.ini

Answer:

You don’t have to worry about SQL injection. But you should check your input as it is used in the html you generate.
Imagine I give this link http://www.example.com/viewComic.php?id="/><script type="text/javascript>alert("XSS");</script><img src="22 to someone. This person will have a little pop-up coming from your website. And a lot of bad things can be done with javascript.
For more infos, you can start reading the wikipedia page about XSS.

So, you should check that the number you expect is a number. For example with is_numeric.