$_GET Method Security

[phprocker]

Hey all. I have a question or two about securing pages that use $_GET method.  $_POST I have a good grasp on but $_GET has some different issues.

 

If I have a switch that calls on the url to display a proper page, do I need to sanitize that variable before passing it to the switch?

 

Example:

 

URL = www.example.com/index.php?page=calendar

 

// see comments

$url = $_GET['page'];

// Is this $url variable safe in my script or is there needed sanitation?
switch ($url)
{
case "calendar":
	include "views/calendar.php";
	break;
default:
	include "views/main.php";
}

 

I was reading about XSS and I had some questions. Can someone just pass a function to the url like mail() and start sending mail from my web page in the above example or steal cookies or anything else? I'm referring to my example above.

 

Is there any good reading around on the topic of $_GET and security?

 

Cheers all!

 

[plznty]

Any user input needs to be restricted, use the same methods as you would for post

[PFMaBiSmAd]

All external data, $_GET, $_POST, $_COOKIE, $_FILES, and some $_SERVER variables, can contain ANYTHING and must be validated.

 

By using a SWITCH/CASE statement, you are validating that the value is only one of the choices you have listed in the CASE statements.

 

IF you were putting the value into a string to form a file name/file path to use in the include statement and the value has not been validated, someone can cause your code to include any file on your server and if the php.ini settings that permit URL's to be used in the include statement are ON, remote code can be included and executed on your server. Since the code you posted is NOT doing this, that code is safe and will only include the file that you have listed in the code.