
[SOLVED] Quick GET question


Andy17


Hey,

 

I'm making a simple referral system by using the GET method. I have this code:

 


<select name="refer">
<option>No one</option>
<!-- the URL value only decides which predefined option is pre-selected; it is never echoed -->
<option<?php if (($_GET['ref'] ?? '') === "someone1") { echo ' selected'; } ?>>ref1</option>
<option<?php if (($_GET['ref'] ?? '') === "someone2") { echo ' selected'; } ?>>ref2</option>
</select>

 

I just want to ask if any security precautions are needed when the information obtained from the URL is never printed and just used in an if statement. I personally don't see how it would be unsafe, but then again, I'm no bug exploiter, nor am I a great coder... Yet! :)

 

Thanks!


Whenever you are using something with a "get" variable (or any variable for that reason) you should always lay out very defined rules to make sure what you want to happen happens.  For example the following code WOULD be flawed..

 

<select name="refer">
<option>No one</option>
<!-- flawed on purpose: whatever arrives in ?ref= is written into the tag unchecked and unescaped -->
<option<?php if (isset($_GET['ref'])) { echo $_GET['ref']; } ?>>ref1</option>
</select>

 

Do you see the difference between my bad code above and your good code?  To further elaborate, you are only giving the user 1 PREDEFINED choice.  Either you are printing "selected" to the screen or not.  In my terrible example I'm just outputting whatever was in the "ref" variable to the screen without actually checking anything.

 

For the most part, if you want to be safe try to (as much as physically possible) echo your OWN values to the screen as opposed to the values themselves.  This is only possible a small portion of the time but do it as much as you can.  Something like this...

 

<?php
// ?? avoids an undefined-index notice when ?ref= is absent.
// Note that switch compares with ==, so "case 1" also matches the string "1".
switch ($_GET['ref'] ?? '') {
    case 1:
        echo "1";
        break;
    case "index.php":
        echo "home page";
        break;
    case "admin":
        echo "Secure page";
        break;
    default:
        // Anything not listed above is rejected; the input itself is never echoed.
        echo "ERROR in your input";
        break;
}
?>

 

Hopefully that helps and doesn't confuse the situation.

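The point of the thread, as an added example that is not code from either poster: the same <select> rendered two ways from a $_GET-style array, so the difference between echoing raw input and echoing only your own predefined values can be seen on real input. The function names, the REFERRERS allowlist and the payload string are assumptions for the demonstration; the referrer names follow the original post.

```php
<?php
declare(strict_types=1);

// Allowlist (assumed for the example): URL value => label shown to the user.
// Nothing outside this map is ever accepted.
const REFERRERS = [
    'someone1' => 'ref1',
    'someone2' => 'ref2',
];

/**
 * Hardened version. The query value only decides WHICH predefined option is
 * marked selected; the value itself is never written into the page.
 */
function renderReferralSelect(array $query): string
{
    // ?? avoids an "Undefined array key" warning when ?ref= is absent.
    $ref = $query['ref'] ?? '';
    if (!is_string($ref)) {   // ?ref[]=x arrives as an array, not a string
        $ref = '';
    }

    $html = '<select name="refer">' . "\n";
    $html .= '<option value="">No one</option>' . "\n";
    foreach (REFERRERS as $value => $label) {
        // Strict comparison: no type juggling, only an exact allowlisted key matches.
        $selected = ($ref === $value) ? ' selected' : '';
        // Both strings come from OUR constant; escaping them is belt-and-braces.
        $html .= sprintf(
            "<option value=\"%s\"%s>%s</option>\n",
            htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            $selected,
            htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        );
    }
    return $html . '</select>';
}

/**
 * The flawed pattern from the reply, kept only to show what it lets through:
 * whatever is in ?ref= is dropped straight into the option tag.
 */
function renderReferralSelectUnsafe(array $query): string
{
    $ref = $query['ref'] ?? '';
    return '<select name="refer">' . "\n"
         . '<option>No one</option>' . "\n"
         . '<option' . $ref . '>ref1</option>' . "\n"
         . '</select>';
}

// Constructed inputs: a legitimate referral link and a reflected-XSS attempt.
$benign = ['ref' => 'someone2'];
$attack = ['ref' => ' onmouseover="alert(document.cookie)"'];

echo "--- unsafe, benign ---\n", renderReferralSelectUnsafe($benign), "\n\n";
echo "--- unsafe, attack ---\n", renderReferralSelectUnsafe($attack), "\n\n";
echo "--- safe, benign ---\n",   renderReferralSelect($benign),       "\n\n";
echo "--- safe, attack ---\n",   renderReferralSelect($attack),       "\n";
```

Run with `php example.php`. The unsafe function turns the attack input into `<option onmouseover="alert(document.cookie)">ref1</option>`, an event handler the browser will execute; the hardened function renders the same three fixed options for the attack input as for a missing parameter, with nothing selected and no trace of the input in the output. That is exactly why the original poster's if/echo ' selected' approach is safe even though $_GET['ref'] is "used": the attacker controls a boolean, not a byte that reaches the page.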
