Andy17 Posted June 13, 2009

Hey, I'm making a simple referral system by using the GET method. I have this code:

<select name="refer">
<option>No one</option>
<option<?php if (isset($_GET['ref']) && $_GET['ref'] === "someone1") { echo ' selected'; } ?>>ref1</option>
<option<?php if (isset($_GET['ref']) && $_GET['ref'] === "someone2") { echo ' selected'; } ?>>ref2</option>
</select>

I just want to ask if any security precautions are needed when the information obtained from the URL is never printed and just used in an if statement. I personally don't see how it would be unsafe, but then again, I'm no bug exploiter, nor am I a great coder... Yet! Thanks!
jxrd Posted June 13, 2009

That's absolutely fine.
cunoodle2 Posted June 13, 2009

Whenever you are using something with a "get" variable (or any variable, for that reason) you should always lay out very defined rules to make sure what you want to happen happens. For example, the following code WOULD be flawed:

<select name="refer">
<option>No one</option>
<option<?php if (isset($_GET['ref'])) { echo $_GET['ref']; } ?>>ref1</option>
</select>

Do you see the difference between my bad code above and your good code? To further elaborate, you only give the user one PREDEFINED choice. Either you are printing "selected" to the screen or not. In my terrible example I'm just outputting whatever was in the "ref" variable to the screen without actually checking anything.

For the most part, if you want to be safe, try to (as much as physically possible) echo your OWN values to the screen as opposed to the values themselves. This is only possible a small portion of the time, but do it as much as you can. Something like this:

<?php
switch ($_GET['ref']) {
    case 1:
        echo "1";
        break;
    case "index.php":
        echo "home page";
        break;
    case "admin":
        echo "Secure page";
        break;
    default:
        echo "ERROR in your input";
        break;
}
?>

Hopefully that helps and doesn't confuse the situation.
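The two patterns discussed above (echoing raw input versus echoing only your own predefined values), as an added example that is not code from this thread. It assumes PHP 7.1 or later; the REFERRERS table and its keys/labels are hypothetical, and the query strings at the bottom are constructed stand-ins for real requests. The script renders the referral select from a fixed list so that nothing from $_GET['ref'] ever reaches the page, and also shows what the flawed echo emits when the parameter carries an attribute injection.

```php
<?php
// Added example, not part of the original thread.
// Whitelist-based referral <select>: $_GET['ref'] is only ever COMPARED
// against known keys; every byte written to the page is our own constant.
declare(strict_types=1);

// Allowed referrers: URL token => label shown to the user (hypothetical values).
const REFERRERS = [
    'someone1' => 'ref1',
    'someone2' => 'ref2',
];

/**
 * Normalise $get['ref'] to a known REFERRERS key, or null.
 * Handles a missing parameter, an array (?ref[]=x) and any unknown string.
 */
function selectedReferrer(array $get): ?string
{
    if (!isset($get['ref']) || !is_string($get['ref'])) {
        return null;
    }
    // array_key_exists compares keys exactly; no loose == surprises.
    return array_key_exists($get['ref'], REFERRERS) ? $get['ref'] : null;
}

/**
 * Render the <select>. Keys and labels come from REFERRERS, never from the URL,
 * so the "selected" decision is the only thing user input can influence.
 */
function renderReferrerSelect(?string $selected): string
{
    $html  = "<select name=\"refer\">\n";
    $html .= "  <option value=\"\">No one</option>\n";
    foreach (REFERRERS as $key => $label) {
        $attr = ($key === $selected) ? ' selected' : '';
        // Escaping our own constants is harmless and keeps the habit consistent.
        $html .= sprintf(
            "  <option value=\"%s\"%s>%s</option>\n",
            htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),
            $attr,
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</select>\n";
}

/**
 * The flawed pattern from the thread (raw echo of the parameter), kept only
 * to show the markup it produces. Never use this in a real page.
 */
function renderFlawed(array $get): string
{
    $raw = isset($get['ref']) && is_string($get['ref']) ? $get['ref'] : '';
    return "<option" . $raw . ">ref1</option>\n";
}

// Constructed inputs standing in for ?ref=... query strings.
$cases = [
    'normal'  => ['ref' => 'someone2'],
    'unknown' => ['ref' => 'nobody'],
    'array'   => ['ref' => ['x']],
    'hostile' => ['ref' => ' onmouseover="alert(1)"'],
];

foreach ($cases as $name => $get) {
    echo "== whitelist, {$name} ==\n";
    echo renderReferrerSelect(selectedReferrer($get));
}

// The same hostile value through the flawed pattern lands in the tag as an attribute.
echo "== flawed, hostile ==\n";
echo renderFlawed($cases['hostile']);
```

Run it with php from the command line. For every whitelist case the output is the same four lines of markup, differing only in where "selected" appears (and not at all for the unknown, array and hostile inputs), while the flawed renderer emits `<option onmouseover="alert(1)">ref1</option>`, which is exactly the kind of output the switch/default approach above is meant to rule out.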
Andy17 Posted June 13, 2009 (Author)

I believe I understand what you are saying and it is a useful tip. Thank you both for your replies!