How important is super global filtering?

1

I wanted to know more about what can happen when I leave out super-global filtering, especially for data insertion. What loopholes could be opened? I started with PHP a short time ago and was writing a small system just to learn. I showed the code, where I use a lot of $_POST and $_GET, to a colleague who has more experience, and he told me about the filters, but I did not quite understand it.

asked by anonymous 23.11.2016 / 14:23

1 answer

1

Problem

When building a system that works with a database, the data received from the user is the biggest concern you should have. For example, when you have a login form where the user enters an email and a password:

<form method="POST">
    Email: <input type="text" name="login" /><br />
    Senha: <input type="password" name="senha" /><br />
    <input type="submit" value="Entrar" />
</form>

And in PHP you get the data this way:

<?php

// Vulnerable on purpose: the raw form values are interpolated straight into the SQL text.
$login = $_POST["login"];
$senha = $_POST["senha"];

$query = "SELECT * FROM usuarios WHERE login = '{$login}' AND senha = '{$senha}'";

?>

A malicious user wanting to break into your system can simply type ' OR 1 = '1 into the fields, so that the query executed would be this:

SELECT * FROM usuarios WHERE login = '' OR 1 = '1' AND senha = '' OR 1 = '1'

This makes the query return the first user it finds, and the attacker enters the system quietly.

Solution

To avoid this common problem (believe me, it is really easy to find systems with this kind of flaw), it is a good and simple practice to receive form data this way:

<?php

// addslashes() backslash-escapes single quotes, double quotes, backslashes and NUL bytes.
$login = addslashes($_POST["login"]);
$senha = addslashes($_POST["senha"]);

$query = "SELECT * FROM usuarios WHERE login = '{$login}' AND senha = '{$senha}'";

?>

Now a user trying to fill in the fields with ' OR 1 = '1 would cause this query to be executed:

SELECT * FROM usuarios WHERE login = '\' OR 1 = \'1' AND senha = '\' OR 1 = \'1'

The database would interpret this as "Get all user data whose login is equal to ' OR 1 = '1 and whose password is equal to ' OR 1 = '1".

Escaping the attack on the database.

    
23.11.2016 / 14:58
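As an added example (not code from the answer above), the login check from the answer run two ways against an in-memory SQLite database through PDO: once with the values interpolated into the SQL text, once as a prepared statement, which is the mechanism PHP's database drivers provide so that input is only ever treated as data. The table, the user row and the form values are constructed here so the script runs stand-alone; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not the answer's own code. Runs stand-alone with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and user, standing in for the real "usuarios" table.
$db->exec("CREATE TABLE usuarios (id INTEGER PRIMARY KEY, login TEXT, senha TEXT)");
$db->exec("INSERT INTO usuarios (login, senha) VALUES ('admin', 'segredo')");

// Constructed form input standing in for $_POST: the answer's payload, written
// as '1' = '1' because SQLite, unlike MySQL, does not treat 1 = '1' as true.
$login = "' OR '1' = '1";
$senha = "' OR '1' = '1";

// Vulnerable: values interpolated into the SQL text, as in the answer's first
// snippet. The quote in the input closes the literal and changes the query.
function loginInterpolado(PDO $db, string $login, string $senha): int
{
    $query = "SELECT * FROM usuarios WHERE login = '{$login}' AND senha = '{$senha}'";
    return count($db->query($query)->fetchAll());
}

// Prepared statement: the SQL is parsed first and the values are bound
// afterwards, so the input cannot alter the structure of the query.
function loginPreparado(PDO $db, string $login, string $senha): int
{
    $stmt = $db->prepare("SELECT * FROM usuarios WHERE login = :login AND senha = :senha");
    $stmt->execute([':login' => $login, ':senha' => $senha]);
    return count($stmt->fetchAll());
}

printf("interpolated query with payload:  %d user(s) matched\n", loginInterpolado($db, $login, $senha));
printf("prepared query with payload:      %d user(s) matched\n", loginPreparado($db, $login, $senha));
printf("prepared query, real credentials: %d user(s) matched\n", loginPreparado($db, 'admin', 'segredo'));
```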