securing $_GET variables

Reaper0167 · June 25, 2009

I found this little snippet online. Is this a safe way to keep others from messing with my url variables?

<?php
$allow = array('pageid', 'sectionid', 'articleid');

foreach($_GET as $key => $value)
{
    $valid = false;
    foreach($allow as $key_allow => $value_allow)
    { 
        if($key==$value_allow)
        {
            $valid = true;
        }
    }

    if($valid==false)
    {
        header('location:errorpage.php');
        exit();
    }
}
?>

Alex · June 25, 2009

Yup, it makes sure that the values for the $_GET array are in your array of valid values.

.josh · June 25, 2009

That's fine, yes. It's called a whitelist. But, you can just make use of in_array to make that more efficient and less long-winded.

For one thing, not really sure why you are looping through the $_GET array, as you probably are only passing and using just one, to signify some page id, right? So just refer to it explicitly instead of using a whole foreach loop. Then you can get rid of the nested foreach loop with that in_array so overall you'd just have this:

$allow = array('pageid', 'sectionid', 'articleid');

if (!in_array($_GET['variable'],$allow)) {
  header('location:errorpage.php');
  exit();
}

It's in essence the same principle of whitelisting, just written more efficiently.

Reaper0167 · June 25, 2009

So by doing something along these lines, I really shouldn't worry too much about hackers coming in to change things up with the GET vars? I'm not into the PHP hacking stuff, but couldn't someone still change something, or if they were up to something, would there attack script still see that the only variable that were allowed were the ones in the array?

.josh · June 25, 2009

someone can change your GET vars to whatever they want but if the value is not in the whitelist, it's invalid, and that's all there is to it. But it obviously depends on what kind of values you are expecting as to the effectiveness of a whitelist. It is not really efficient or even possible to make an array of "allowed" values if for instance the value can be a number. So you have to just validate it, like anything else. So in other words, a whitelist is a very effective way to validate some values/situations, but it's just one thing, and it really depends on the situation.

Reaper0167 · June 25, 2009

Well, one page grabs the id number of a certain row in the database with $_GET, so that would be a number, and there could be hundreds, maybe thousands of numbers. What would you suggest for a situation like this? Then the oher would be that I use $_GET to retrieve a url variable. And that url could always be different.

.josh · June 25, 2009

// example 1
if (!ctype_digit($_GET['variable'])) {
  // not a number
}

// example 2
if (!preg_match('~^[0-9]+$~',$_GET['variable'])) {
  // not a number
}

// example 3
$id = (int) $_GET['variable'];

Reaper0167 · June 25, 2009

I don't want to ask too many questions, but in the examples, your saying that if it is not a digit, then give an error?

.josh · June 25, 2009

yes. That's what you want, right?

Sign In

securing $_GET variables

Recommended Posts

Reaper0167

Link to comment

Share on other sites

Alex

Link to comment

Share on other sites

.josh

Link to comment

Share on other sites

Reaper0167

Link to comment

Share on other sites

.josh

Link to comment

Share on other sites

Reaper0167

Link to comment

Share on other sites

.josh

Link to comment

Share on other sites

Reaper0167

Link to comment

Share on other sites

.josh

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information