I thought I’d share another injection attack defense that I use on my sites. You can buy my stuff from Gumroad, and I have a page where I list all of the Mac titles and a page where I list all of the Windows titles. I use one PHP script for both, and there are only two choices for the page variable, ‘Mac’ or ‘Win’. It shouldn’t happen, but I allow for no value as well.
// I get the data for the page from a database, and you need one if you use
// mysql_real_escape_string() so it goes first.
require_once('db_my.inc');

if ( isset($_GET['page']) ) {
    $platform = mysql_real_escape_string($_GET['page']);
    // Platform can only be Mac or Win, so make injection attacks go away
    if ( strlen($platform) > 3 ) {
        $url = $_SERVER['REQUEST_URI'];
        // The referrer header is optional, so guard against an undefined-index notice
        $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        error_log("long string in CDs.php: URL is $url and referrer is $ref");
        header("HTTP/1.0 404 Not Found");
        die();
    }
// If there is no $platform, they probably want to buy a title that works on
// the platform they are visiting the site with
} else {
    // User-Agent can be missing too; treat it as empty so we fall through to the default
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $platform = 'Win'; // Default to windows
    if (preg_match('/macintosh|mac os x/i', $user_agent)) {
        $platform = 'Mac';
    }
}
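The same decision written as a strict allowlist, as an added example that is not the post’s own code: since the page only ever has two legitimate values, comparing the input against those two literals rejects everything else outright, without relying on escaping or a length cap. The `resolvePlatform()` function, the `$get`/`$server` parameters standing in for `$_GET`/`$_SERVER`, and the sample requests are all assumptions made for the example.

```php
<?php
// Added example (not the post's code): resolve the page's platform with a strict
// allowlist instead of an escaped-string length check. Only the two literal
// values the page uses are accepted; anything else is reported to the caller,
// which can then log and send a 404 exactly as the post does.

const ALLOWED_PLATFORMS = ['Mac', 'Win'];   // the only values CDs.php should ever see

/**
 * Returns 'Mac' or 'Win', or null when ?page= is present but is not one of the
 * allowed literals. $get and $server are passed in (assumed to be $_GET and
 * $_SERVER) so the function can be exercised with constructed input.
 */
function resolvePlatform(array $get, array $server): ?string
{
    if (array_key_exists('page', $get)) {
        $page = $get['page'];
        // Strict comparison: rejects arrays (?page[]=x), case variants,
        // trailing whitespace and anything carrying extra bytes.
        return (is_string($page) && in_array($page, ALLOWED_PLATFORMS, true)) ? $page : null;
    }
    // No value supplied: fall back to the visitor's platform, default Windows.
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    return preg_match('/macintosh|mac os x/i', $ua) ? 'Mac' : 'Win';
}

// Constructed requests showing the decision for each case.
$samples = [
    ['get' => ['page' => 'Mac'],   'server' => []],
    ['get' => ['page' => 'Win'],   'server' => []],
    ['get' => ['page' => "Mac'"],  'server' => []],   // stray quote: rejected
    ['get' => ['page' => 'win'],   'server' => []],   // wrong case: rejected
    ['get' => ['page' => ['x']],   'server' => []],   // array, not a string: rejected
    ['get' => [], 'server' => ['HTTP_USER_AGENT' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)']],
    ['get' => [], 'server' => []],                    // nothing known: default Win
];

foreach ($samples as $s) {
    $result = resolvePlatform($s['get'], $s['server']);
    if ($result === null) {
        // Caller does what the post does: log the odd request and answer 404.
        error_log('rejected page value in CDs.php: ' . json_encode($s['get']['page']));
        echo "rejected\n";
    } else {
        // $result is one of two known literals; still bind it as a query parameter.
        echo "platform = $result\n";
    }
}
```

The length check in the post also catches these inputs once they are escaped, but the allowlist makes the accepted set explicit, so a later change to the escaping function or the database driver cannot widen it.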