Don't use urldecode() on a $_GET variable!
Say you have a script:
script.php:
<?php
// Don't do this!
$value = urldecode($_GET['something']);
?>
Exploit:
An attacker can make a query to that script
script.php?something=%2527 [...]
The fact...
PHP has already decoded the query string once when it fills $_GET, so it "receives" this as %27, which contains no quote to escape; your extra urldecode() then converts it to ' (the single quote). This may be CATASTROPHIC when injecting into SQL or some PHP functions relying on escaped quotes -- magic quotes run on the once-decoded value, so they cannot detect this and will not protect you!
E.g. this exploit affects phpBB < 2.0.11.
Solution:
Just an example of how you can make that more secure:
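The following is an added example, not the post's own code or its author's fix: a Python model of the request handling above, with Python's unquote_plus standing in for PHP's urldecode() and a constructed php_get() standing in for the server's one-time decode into $_GET, plus a small magic_quotes() stand-in and a detection helper (all names are assumptions).

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed stand-in for the web server populating PHP's $_GET:
# every value in the raw query string is percent-decoded exactly once.
def php_get(query_string: str) -> dict:
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}

def magic_quotes(value: str) -> str:
    """Model of addslashes()/magic_quotes_gpc: escape quotes in the value
    as PHP received it (i.e. after the single decode into $_GET)."""
    return re.sub(r"(['\"\\])", r"\\\1", value)

def vulnerable_handler(query_string: str) -> str:
    """The post's bug: urldecode() applied to a value PHP already decoded.
    magic_quotes sees %27 (no quote to escape); the second decode then
    produces a bare single quote with no backslash in front of it."""
    value = magic_quotes(php_get(query_string).get("something", ""))
    return unquote_plus(value)

def safe_handler(query_string: str) -> str:
    """Use $_GET as-is: the one decode has already happened, so %2527
    stays the literal text %27 and the escaping layer is not bypassed."""
    return magic_quotes(php_get(query_string).get("something", ""))

def looks_double_encoded(value: str) -> bool:
    """Detection hint for request logs: a once-decoded $_GET value that still
    contains a %XX escape came from %25XX in the raw query string, which is
    what a double-decoding bug needs in order to be triggered."""
    return re.search(r"%[0-9A-Fa-f]{2}", value) is not None

if __name__ == "__main__":
    # Constructed request from the post: something=%2527
    raw = "something=%2527"
    print("vulnerable:", repr(vulnerable_handler(raw)))   # '
    print("safe:      ", repr(safe_handler(raw)))         # %27
    print("flagged:   ", looks_double_encoded(php_get(raw)["something"]))
```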