I use a simple PHP script to run an online comic which basically uses a GET to take an integer value n and insert an img tag for n.jpg. It doesn’t do any sanitizing or error checking beyond making sure that n.jpg exists. The only user interaction with the script is through this GET, and another that does the same thing with a string to manually display a different template for testing.
My question is, should I even be worrying about injection? And if so, what should I do to prevent it? Everything I’ve found so far only concerns MySQL injection, which doesn’t apply in this case.
If you’re not using a database, then obviously SQL injection is not a concern for your. Similarly, if you don’t store any user-submitted data to display to other users, Cross-site-scripting is not a concern. That leaves stuff like
eval()or running external processes, which an attacker could subvert, but it doesn’t sound like you do anything like that either.So you’re probably safe. Still, it would be good to have a minimum amount of error checking, just to get into the habit. For example, you say that you have an integer GET parameter. There’s no such thing – all HTTP parameters are implicity strings. PHP blurs the distinction, but you definitely should cast it to int explicitly to make sure it’s not some string intended to exploit an XSS, SQL injection or eval vulnerability (even if none such exist).