$_GET


hamza

hamza,

 

    Don't use them.  :D

 

    On the other hand, for every $_GET value you want to pass to a subsequent page, there's always $_SESSION vars.

 

Scot L. Diddle, Richmond VA

 


I wouldn't suggest not using them... $_GET and $_SESSION both have their place. $_GETs are useful for passing information to a page via a link so your pages can be more dynamic, for example (just 1 of many uses). Doing something similar with sessions would be buggy and much less clean.

 

As far as protecting values goes, if you use the values in queries, always remember to use mysql_real_escape_string() on string input (assuming you aren't hashing it).

For numeric values (or rather, values you expect to be numeric, like ids), always cast them as ints, to avoid getting strings which could contain nasty injections. Restricting the length of your $_GET values can help too (like ids are never longer than 10 characters or something).

 

Sanitizing input is very important, but not always clear cut and straightforward. Think about what kind of information would be valid for your $_GET values, and check them according to that. If you want to get fancy, using regex to detect valid patterns would help also (like detecting a valid email string).


mikesta707,

 

    I wasn't advocating not using $_GET, as they certainly have their place.

 

    I was answering hamza's specific question:

 

how i can protect 101% GET method values.???

 

I disagree, however, that session vars are buggy. They are widely used and an accepted normal PHP practice.

 

 

Scot L. Diddle, Richmond VA


Ahh I thought I had misunderstood, but posted that anyways.

 

I wasn't saying that session vars are buggy. I use them all the time, and of course know that they are standard and all that jazz. But trying to use session vars to emulate sending data through a link with get variables would be very buggy (which is what I originally thought you were trying to say), if at all possible.

 

However, I don't quite understand what you meant by your suggestion, specifically the "don't use them" part.


mikesta707,

 

    My understanding of hamza's question is that he was trying to determine how to prevent users from either "seeing" or "hacking*" a url with a $_GET string. As far as I know, that is not possible.

 

Scot L. Diddle

 

* By "hacking" I mean intercepting the url and replacing values with data other than what the programmer intended. Whereas the $_GET string is visible at submit time, users CAN try to change the values, by copying the url and over-typing the values, then sending it on its merry way with new values included.

 


Thank you so much all for your suggestions and time.

Actually, when a user clicks on a product I need to pass the product id in the product link, so I can show all the details of the product on the next page. I need to validate that product id fully, so that nobody can disturb or change it.

 


You cannot keep people from changing $_GET variables. You can sanitize them to the best of your ability, but someone can always type in something different.

 

With a variable that changes a lot (product ids), you run into more problems in sanitation. Namely, the more strict the sanitation, the more limited you are when adding product ids. If you have a product id 129874321, and part of your sanitation includes (int)$_GET['product_id'], you have just lost the ability to add a product with the id of 129874321b.

 

Just keep in mind that your script needs to be written as securely as possible, but with the ability to expand for future use. You don't want to have to re-write a script just to add a product id.


For strings, you can do things like stripping white space and removing HTML, but mostly you'll just need to escape the string. If you're using a MySQL database and need to query with the product's ID, using mysql_real_escape_string() will help.

 

If you're using just numbers for your product ID, casting $_GET['product_id'] as an int, with (int)$_GET['product_id'], will tell PHP to simplify the string into an integer. If you're only passing numbers then this prevents a potential hacker/user from putting in anything but numbers.

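Pulling the thread's advice together (validate the id's shape, then query with it), here is an added example that is not from any of the posters. It uses a whitelist regex so an id like 129874321b still passes, which the (int) cast above would silently truncate, and a PDO prepared statement in place of mysql_real_escape_string(); the function names and the `products` table are assumptions.

```php
<?php
// Added example (not from the thread): validating $_GET['product_id']
// before it reaches a query. Function names and the products table are
// assumptions for illustration.
declare(strict_types=1);

// Whitelist: 1 to 10 digits, optionally followed by one lowercase letter,
// so "129874321b" is accepted while anything with quotes, spaces, HTML or
// SQL fragments is rejected outright.
function validateProductId(string $raw): ?string
{
    if (preg_match('/^[0-9]{1,10}[a-z]?$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

function fetchProduct(PDO $db, string $productId): ?array
{
    // A placeholder keeps the id as data, never as part of the SQL text,
    // so no escaping function is needed here.
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->execute([':id' => $productId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for values a browser might send.
$samples = ['42', '129874321b', '42 OR 1=1', '42<script>', '', '12345678901'];
foreach ($samples as $s) {
    $v = validateProductId($s);
    printf("%-16s -> %s\n", var_export($s, true), $v === null ? 'rejected' : 'ok');
}
// Expected: only '42' and '129874321b' print "ok".

// Typical use on the product page (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $id = validateProductId((string)($_GET['product_id'] ?? ''));
// if ($id === null) { http_response_code(400); exit('Invalid product id'); }
// $product = fetchProduct($db, $id);
// if ($product === null) { http_response_code(404); exit('No such product'); }
```

A user can still type any id they like into the URL, as the thread says; the point of the check is that a bad value is refused before it touches the database rather than being coerced into something unexpected.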
