Avoiding llHTTPRequest POST injection attacks


Tommy Rampal

Hey again guys,

So pretty much I have an llHTTPRequest script that works with a listen that checks to see if the username is registered, and whether or not it is registered to the user's key. I've managed to get it all working, but I managed to recreate some sort of breach/break by saying 'whateverusername&postdata=...'. Normally it validates the username through the PHP script, but in this case a user can inject post data and bypass it, potentially being malicious.

I assume that the string can be validated before it is passed to my web server (all & characters are to be removed), but are there any other security measures I should take that I could be unaware of? I'm familiar with MySQL parameter binding and prepared statements to prevent SQL injection.


I kicked myself after I found out about llEscapeURL and llUnescapeURL; they can pretty much be used for the same purpose as bind_param() in PHP. So if someone types 'test&uhoh=100000' (say it's a game statistic), it'd actually be posted as 'test%26uhoh%3D100000'. The length validation was in place, but I was unaware of the overflow breach; thanks for the heads up!

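The following is an added example, not code from either post or from the LSL script being discussed. It models in Python what the two posts describe: the original script concatenated the listened-to username straight into an application/x-www-form-urlencoded POST body, so a name containing `&` adds a parameter the PHP side never expected, and percent-encoding each value (what llEscapeURL does in LSL, modelled here with urllib.parse.quote) keeps the `&` and `=` inside the value. The field names `username` and `key`, the server's parsing (modelled on how PHP fills $_POST, where the last duplicate key wins) and the extra whole-body check at the end are assumptions for illustration.

```python
from urllib.parse import quote, parse_qsl

# Constructed sample inputs: the payload shape from the thread and a placeholder key.
HOSTILE_NAME = "test&uhoh=100000"
AVATAR_KEY = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real avatar key


def build_body_unsafe(username, avatar_key):
    """Mirror the original script: raw concatenation into the POST body.
    Anything the user typed, including '&' and '=', becomes body syntax."""
    return "username=" + username + "&key=" + avatar_key


def build_body_escaped(username, avatar_key):
    """Percent-encode each value before concatenation, as llEscapeURL does in LSL.
    safe="" so that '&' and '=' are always encoded, not passed through."""
    return "username=" + quote(username, safe="") + "&key=" + quote(avatar_key, safe="")


def server_parse(body):
    """Model how the PHP side fills $_POST: split on '&', percent-decode,
    and let the last occurrence of a duplicate key win."""
    return dict(parse_qsl(body, keep_blank_values=True))


# Assumed server-side contract: exactly these fields, nothing more, nothing less.
EXPECTED_FIELDS = {"username", "key"}


def server_accepts(body):
    """Added server-side check (not from the thread): reject any body whose
    field set differs from the contract, so injected parameters are refused
    even if the client-side escaping is ever missed."""
    return set(server_parse(body)) == EXPECTED_FIELDS


if __name__ == "__main__":
    unsafe = build_body_unsafe(HOSTILE_NAME, AVATAR_KEY)
    escaped = build_body_escaped(HOSTILE_NAME, AVATAR_KEY)
    print("unsafe body :", unsafe)
    print("  parsed as :", server_parse(unsafe), "accepted:", server_accepts(unsafe))
    print("escaped body:", escaped)
    print("  parsed as :", server_parse(escaped), "accepted:", server_accepts(escaped))
```

With the unsafe body the server sees three fields (`username=test`, `uhoh=100000`, `key=...`); with the escaped body it sees two, and the username value is the literal string `test&uhoh=100000`, exactly the `test%26uhoh%3D100000` encoding the second post quotes. Escaping on the client fixes the injection; the field-set check on the server is the defence in depth a practitioner would add so that the PHP script does not depend on every LSL caller remembering to escape.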
