How-To Securing PHP5 $_GET Strings

This is a VERY old post of mine from 2008 that I’m sharing for sport.

There are many articles on the internet, none are complete in securing something. This article is no different. Every day holes are found in code, and they rarely get reported right away…and updated right away. But keeping yourself aware of what is going on in the hacking community can help you be aware of what to watch for.

Below, I will go through a few common attacks, and list a few ways to prevent them. There are different ways to go about this, and possibly a few things I won’t be covering…but we will try to give you an idea on how hackers think.

Directory Traversals

Directory Traversals (or Dot Dot Slash attacks) are highly common on servers not equipped to protect itself from such attacks. Below I will show a security vulnerability, and explain a way to patch this up.

$FileName = $_GET["file"];
$FileHandle = fopen("path/" . $FileName, "r");
(Some Output Code Here)

The code above will open a file in the path directory as specified by the $_GET variable. This is all fine and dandy if users are placing valid, proper, and expected filenames into this area…but not everybody is so friendly. Imagine if this code is inserted into the header:


What this will do is traverse out of your current directory that you assume they are in, and go back (likely to root), then forward into the Users directory and the passwords directory.

On a Windows System, this would be the path (for example):


After the directory traversal attack is completed, it will now open your Passwords.doc and output the contents of the file wherever you would have your output display normally.

This isn’t even the biggest problem either…Say your file was actually being WRITTEN to:

$FileHandle = fopen("/path/" . $FileName . ","w");

In this instance, the system would overwrite any file with any variables your code block may be writing to. This can be anything from your .htaccess file (Apache), your registry (user.dat and system.dat) or anything else on your server.

This attack can be prevented by using RegEx filtering, or str_ireplace() filtering, as discussed later on.

RegEx, str_ireplace(), and strip_tags() filtering
These simple commands can be a huge help in what is called “sanitizing” variables. Because, as a programmer, you know what the system expects, and naturally, you expect only that input… Thinking further on, hackers play on this thought. They will try a multitude of attacks to get what they want done.

This function takes a string, searches it for another string, and replaces it with another string.

$variable = str_ireplace($String_To_Find, $Replace_With_String, $In_This_String);


$Before = "Hello, I will have no E's in me after this!<;br /&rt;;";
echo $Before;
$After = str_ireplace("e","",$Before);
echo "After";

This outputs:
Hello, I will have no E’s in me after this!
Hllo, I will hav no ‘s in m aftr this!

This function is case-insensitive. To use a case-sensitive version, use str_replace.

Using this method, you can filter out the Dot Dot Slash attack from earlier like this:

$FileName = str_ireplace("../","",$_GET['file']);

I cannot stress this enough: ALWAYS put the filtering of your choice in before you output the data.

2023 Update: This is still pretty valid, surprisingly. But it’s also obvious. See, back in 2008, we didn’t have a bunch of security engineers changing their LinkedIn Titles to CISOs and posturing about the security field. Back then, you had a few friends who were curious and driven enough to break your site and nice enough to tell you what they did. Shout Out to Cody, you know who you are, for being that person.



, ,




Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.