Injection attacks revisited.

I thought I’d share another injection attack defense that I use on my sites. You can buy my stuff from Gumroad, and I have a page where I list all of the Mac titles and a page where I list all of the Windows titles. I use one PHP script for both, and there are only two valid values for the page variable, ‘Mac’ or ‘Win’. It shouldn’t happen, but I allow for a missing value as well.


<?php
// I get the data for the page from a database, and you need an open connection
// before mysql_real_escape_string() will work, so the include goes first.
require_once('db_my.inc');

if ( isset($_GET['page']) ) {
    $platform = mysql_real_escape_string($_GET['page']);

    // Platform can only be Mac or Win, so anything longer is an injection
    // attempt: log where it came from and answer with a 404.
    if ( strlen($platform) > 3 ) {
        $url = $_SERVER['REQUEST_URI'];
        // The referrer header is optional, so guard it to avoid a notice
        $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        error_log("long string in CDs.php: URL is $url and referrer is $ref");
        header("HTTP/1.0 404 Not Found");
        die();
    }
} else {
    // If there is no $platform, they probably want to buy a title that works on
    // the platform they are visiting the site with
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $platform = 'Win'; // Default to Windows
    if (preg_match('/macintosh|mac os x/i', $user_agent)) {
        $platform = 'Mac';
    }
}
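The length check above rejects long payloads, but because the only valid values are ‘Mac’ and ‘Win’, an exact allowlist comparison rejects everything else too (including short junk such as ‘Ma;’) and removes the need to escape the input at all, since only the allowlisted literal ever reaches a query. The following is an added example, not the post’s own code; the function name and the `ALLOWED_PLATFORMS` constant are assumed, and the script name `CDs.php` is taken from the post’s log line.

```php
<?php
// Added example: strict allowlist validation of the `page` parameter, with the
// same user-agent fallback and 404-plus-log behaviour as the post's script.

const ALLOWED_PLATFORMS = ['Mac', 'Win'];

/**
 * Returns the platform to show ('Mac' or 'Win'), or null when the request
 * should get a 404.  $page is the raw $_GET['page'] value (null when absent)
 * and $user_agent the raw User-Agent header.  The raw $page is never used
 * beyond the comparison: the value returned is always one of the literals.
 */
function resolve_platform(?string $page, string $user_agent): ?string
{
    if ($page === null || $page === '') {
        // No page given: guess from the visitor's browser, default to Windows
        return preg_match('/macintosh|mac os x/i', $user_agent) ? 'Mac' : 'Win';
    }
    // Strict (===) comparison so "0", "mac" or "Mac " are all rejected.
    // This subsumes the strlen() > 3 check: nothing outside the list passes.
    if (!in_array($page, ALLOWED_PLATFORMS, true)) {
        return null;
    }
    return $page;
}

$platform = resolve_platform(
    $_GET['page'] ?? null,
    $_SERVER['HTTP_USER_AGENT'] ?? ''
);

if ($platform === null) {
    // Log enough to notice probing (length, URL, referrer) without writing the
    // rejected value itself into the log, where it could carry log injection.
    error_log(sprintf(
        'rejected page value in CDs.php: len=%d url=%s referrer=%s',
        strlen((string) $_GET['page']),
        $_SERVER['REQUEST_URI'] ?? '',
        $_SERVER['HTTP_REFERER'] ?? ''
    ));
    http_response_code(404);
    exit;
}

// $platform is now exactly 'Mac' or 'Win' and can be bound to a prepared
// statement (or used as an array key) with no further escaping.
```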
