Lately I see more errors in logs regarding get/post parameters on a nginx/php hosted website. I have some basic checks(sanitization) in place but I think I haven't done enough.
Some of my checks have revealed attempts on an "id" parameter:
Parameter ID was not a number! Parameter was: function id() {
var s = '';
while (s.length < 32) {
s = Math.random().toString(36).replace(/[^A-Za-z]/g, '');
}
return s;
}" while reading response header from upstream, client: ...
So basically I was expecting a number and got a very interesting string. I don't even know what they were trying to achieve with that code, it seems to be javascript and my server is php.
I was thinking of checking even string parameters by a regex.
What kind of checks do you recommend for get/post parameters on a php website?
It really depends on the type of data you're trying to retrieve. In your case with (integer) numbers, I think what you're doing is fine: if they don't input an integer value, then just return an error like you're doing.
For text, I think sanitization (removing illegal characters), such as with htmlentities() should be enough to prevent hacking attacks.
But again, it really depends on the level of security and data types you use.