hamza Posted April 2, 2010
$_GET: how can I protect GET method values 101%? Possible solutions?
ScotDiddle Posted April 2, 2010
hamza, Don't use them. On the other hand, for every $_GET value you want to pass to a subsequent page, there are always $_SESSION vars. Scot L. Diddle, Richmond VA
jcbones Posted April 2, 2010
unset($_GET);
mikesta707 Posted April 2, 2010
I wouldn't suggest not using them... $_GET and $_SESSION both have their place. $_GET is useful for passing information to a page via a link so your pages can be more dynamic, for example (just one of many uses). Doing something similar with sessions would be buggy and much less clean. As far as protecting values goes, if you use the values in queries, always remember to use mysql_real_escape_string() on string input (assuming you aren't hashing it). For numeric values (or rather, values you expect to be numeric, like IDs), always cast them as ints, to avoid getting strings which could contain nasty injections. Restricting the length of your $_GET values can help too (like IDs are never longer than 10 characters or something). Sanitizing input is very important, but not always clear-cut and straightforward. Think about what kind of information would be valid for your $_GET values, and check them according to that. If you want to get fancy, using regex to detect valid patterns would help also (like detecting a valid email string).
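The approach mikesta707 describes (decide what each $_GET value is supposed to look like, then check it against that: an int cast for IDs, a length limit, a pattern for emails) as a worked PHP example. This is an added example, not code from the thread; the parameter names (id, email, q), the rule set and the sample request arrays are constructed for the demonstration. One point the example makes that the post does not: a bare (int) cast silently turns "42 OR 1=1" into 42, so the digits-only check runs before the cast and rejects the value instead of quietly accepting a truncated one. It also rejects array values (id[]=1), which PHP happily puts into $_GET and which break any string-based check.

```php
<?php
// Added example (not from the thread): validate each $_GET value against what it is
// expected to be instead of trying to "clean" arbitrary input.
// Parameter names, rules and the sample requests below are constructed for the demo.

declare(strict_types=1);

/**
 * Validate one incoming value against a rule. Returns the typed, accepted value,
 * or null when the value is missing, is not a string, or fails the rule.
 */
function validate_param(array $get, string $name, array $rule)
{
    if (!isset($get[$name]) || !is_string($get[$name])) {
        return null;                       // absent, or an array smuggled in via name[]=
    }
    $value = $get[$name];
    if (strlen($value) > $rule['max_len']) {
        return null;                       // length limit first: cheap, and bounds the regex work
    }
    switch ($rule['type']) {
        case 'int':
            // (int)"42 OR 1=1" would silently become 42. Requiring pure digits first
            // means anything else is rejected rather than truncated into a valid id.
            if (!preg_match('/^[1-9][0-9]*$/', $value)) {
                return null;
            }
            return (int) $value;
        case 'email':
            $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
            return $ok === false ? null : $ok;
        case 'text':
            // A search term: letters, digits and spaces only (Unicode-aware).
            if (!preg_match('/^[\p{L}\p{N} ]*$/u', $value)) {
                return null;
            }
            return $value;
        default:
            throw new InvalidArgumentException("unknown rule type {$rule['type']}");
    }
}

$rules = [
    'id'    => ['type' => 'int',   'max_len' => 10],
    'email' => ['type' => 'email', 'max_len' => 254],
    'q'     => ['type' => 'text',  'max_len' => 64],
];

// Constructed requests standing in for real $_GET arrays.
$requests = [
    ['id' => '42',                'email' => 'a@example.com', 'q' => 'blue widget'],
    ['id' => '42 OR 1=1',         'email' => 'not-an-email',  'q' => "x' UNION SELECT 1--"],
    ['id' => str_repeat('9', 11), 'email' => 'a@example.com', 'q' => '<script>'],
];

foreach ($requests as $n => $get) {
    foreach ($rules as $name => $rule) {
        $v = validate_param($get, $name, $rule);
        printf("request %d  %-5s => %s\n", $n, $name,
            $v === null ? 'REJECTED' : var_export($v, true));
    }
}
```

Run with `php validate.php`: request 0 passes all three checks; in request 1 every value is rejected; in request 2 the 11-digit id fails the length limit and `<script>` fails the text pattern. The accepted values are typed (an int, a validated email string), so the code that builds the query or the page never sees the raw query string.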
ScotDiddle Posted April 2, 2010
mikesta707, I wasn't advocating not using $_GET, as they certainly have their place. I was answering hamza's specific question: "how can I protect GET method values 101%?" I disagree, however, that session vars are buggy. They are widely used and an accepted normal PHP practice. Scot L. Diddle, Richmond VA
mikesta707 Posted April 2, 2010
Ahh, I thought I had misunderstood, but posted that anyway. I wasn't saying that session vars are buggy. I use them all the time, and of course know that they are standard and all that jazz. But trying to use session vars to emulate sending data through a link with GET variables would be very buggy (which is what I originally thought you were trying to say), if at all possible. However, I don't quite understand what you meant by your suggestion, specifically the "don't use them" part.
ScotDiddle Posted April 2, 2010
mikesta707, My understanding of hamza's question is that he was trying to determine how to prevent users from either "seeing" or "hacking"* a URL with a $_GET string. As far as I know, that is not possible. Scot L. Diddle
* By "hacking" I mean intercepting the URL and replacing values with data other than what the programmer intended. Whereas the $_GET string is visible at submit time, users CAN try to change the values, by copying the URL and over-typing the values, then sending it on its merry way with new values included.
mikesta707 Posted April 2, 2010
Ahh, I must have misunderstood; I figured he was asking about sanitizing $_GET values, not hiding them. Everything makes sense now.
hamza (Author) Posted April 3, 2010
Thank you so much, all, for your suggestions and time. Actually, when a user clicks on a product I need to pass the product ID in the product link so I can show all details of the product on the next page. I need to validate that product ID fully, so no one can disturb or change it.
jcbones Posted April 3, 2010
You cannot keep people from changing $_GET variables. You can sanitize them to the best of your ability, but someone can always type in something different. With a variable that changes a lot (product IDs), you run into more problems in sanitation. Namely, the more strict the sanitation, the more limited you are when adding product IDs. If you have a product ID 129874321, and part of your sanitation includes (int)$_GET['product_id'], you have just lost the ability to add a product with the ID of 129874321b. Just keep in mind that your script needs to be written as securely as possible, but with the ability to expand for future use. You don't want to have to rewrite a script just to add a product ID.
ialsoagree Posted April 3, 2010
For strings, you can do things like stripping whitespace and removing HTML, but mostly you'll just need to escape the string. If you're using a MySQL database and need to query with the product's ID, using mysql_real_escape_string() will help. If you're using just numbers for your product ID, casting $_GET['product_id'] as an int, with (int)$_GET['product_id'], will tell PHP to simplify the string into an integer. If you're only passing numbers then this prevents a potential hacker/user from putting in anything but numbers.
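The trade-off in the last two posts (jcbones' alphanumeric ID 129874321b versus ialsoagree's (int) cast) shown side by side, as an added example that is not code from the thread. It validates the product ID against the catalog's own format with a whitelist pattern and then looks it up through a PDO prepared statement, so the ID is bound as data and never spliced into SQL text; that replaces mysql_real_escape_string(), which belonged to the old mysql extension removed in PHP 7.0. The catalog (an in-memory SQLite table with two products) and the ID format /^[0-9]{1,10}[a-z]?$/ are assumptions made for the demonstration. The point worth seeing is that an (int) cast on "129874321b" does not reject the request; it returns 129874321, so the visitor quietly gets a different product than the one linked.

```php
<?php
// Added example, not code from the thread. Assumptions: product ids are 1-10 digits
// with an optional single lowercase suffix, and the catalog is a small SQLite table
// built inline so the script runs offline (requires the pdo_sqlite extension).

declare(strict_types=1);

/** Accept only ids matching the catalog's own format; null for anything else. */
function product_id_from_request(array $get): ?string
{
    if (!isset($get['product_id']) || !is_string($get['product_id'])) {
        return null;                       // missing, or product_id[]=... (an array)
    }
    $id = $get['product_id'];
    // Whitelist the exact shape the catalog uses. Quotes, spaces, SQL fragments or a
    // second suffix are rejected outright instead of being "cleaned" into a
    // different, valid-looking id.
    return preg_match('/^[0-9]{1,10}[a-z]?$/', $id) ? $id : null;
}

/** Look the product up with a bound parameter: the id is data, never SQL text. */
function find_product(PDO $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed catalog: two distinct products whose ids differ only by the suffix.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO products VALUES ('129874321', 'Widget'), ('129874321b', 'Widget, blue')");

// Constructed requests standing in for $_GET.
$requests = [
    ['product_id' => '129874321b'],             // legitimate alphanumeric id
    ['product_id' => "129874321b' OR '1'='1"],  // tampered URL
    ['product_id' => '129874321bb'],            // wrong shape for this catalog
];

foreach ($requests as $get) {
    $raw = $get['product_id'];
    // What the (int) cast from the thread does with each value: PHP keeps the leading
    // digits and drops the rest, so every one of these becomes the plain Widget's id.
    $cast = (int) $raw;

    $validated = product_id_from_request($get);
    $product   = $validated === null ? null : find_product($db, $validated);

    printf("%-28s (int) => %-10d whitelist => %s\n",
        var_export($raw, true),
        $cast,
        $product === null ? 'REJECTED' : $product['name']);
}
```

All three requests cast to 129874321 (the plain Widget), while the whitelist accepts only the first and returns "Widget, blue"; the tampered and malformed ids are rejected before any query runs. When the catalog's id format changes, the one regex is the only line to update, which addresses jcbones' concern about having to rewrite the script to add an id.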