Amy Groshek Avocation and Vocation

URL Parameter Security

Or, Amy Once Thought She Knew PHP

A colleague's peer review turned up a new concern for me today: restricting the format of a URL parameter in PHP. My original entry:

$param = required_param('markup', PARAM_TEXT);

And since I didn't actually need to allow alphanum, format could be restricted further:

$param = required_param('markup', PARAM_ALPHA);

Therefore somewhat inhibiting efforts of insane plotting end-user hacker from sending any old nasty SQL thing into my script.

SQL injection is a code injection technique that exploits a security vulnerability in an application's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. ~http://en.wikipedia.org/wiki/SQL_injection

More info on required_param() can be found in lib/moodlelib.php.