raptor30506090 Posted September 1, 2011

Hello, can anyone help me with this question? I've only just started to use the get function, like:

    if (isset($_GET['pageID'])) {
        echo $row['content'];
    }

Can anyone give me info on how to make it safe?

https://forums.phpfreaks.com/topic/246173-_get/
trq Posted September 1, 2011

$_GET is an array, not a function. There is nothing inherently unsafe about it.
AyKay47 Posted September 1, 2011

What exactly do you mean here by "safe"?
George Botley Posted September 1, 2011

If you intend to use the GET function primarily for database queries, be careful what you take from it. Don't be prone to what is known as injection, whereby a database can be fooled into thinking it is being provided with correct information when it clearly isn't. We would need to see the rest of your script associated with $row[] to see how you are making use of it.

George.
flappy_warbucks Posted September 1, 2011

Personally, I would never use get or post methods 'out of the box', as it were. On all my sites, I have a preload class that takes care of all post and get variables (checks existence, sanitizes etc.), and then I reference those variables from that class. It makes this type of thing easier, as I don't have pages of code sanitizing input since it's already been done. As an example:

    if (isset($preload->gets['pageID'])) {
        // do whatever here.
    }

    // compared to:
    if (isset($_GET['pageID'])) {
        $pageID = mysql_real_escape_string(str_replace(" ", "_", $_GET['pageID'])); // or use addslashes().
        // if the value is numeric then you have to do more checks. And even more if you have passed a string.
    }
tastro Posted September 1, 2011

Also, the easiest way to prevent "hackers" from doing stupid things via $_GET is to simply add a char restriction on it, so that you define which chars should be allowed as input and which ones not. Or at least addslashes() before you put the $_GET into your database.
cyberRobot Posted September 1, 2011

> Also, the easiest way to prevent "hackers" from doing stupid things via $_GET is to simply add a char restriction on it, so that you define which chars should be allowed as input and which ones not. Or at least addslashes() before you put the $_GET into your database.

mysql_real_escape_string() is what you want to use before utilizing variables to interact with a database: http://php.net/manual/en/function.mysql-real-escape-string.php

That, and validating the data.
tastro Posted September 1, 2011

> mysql_real_escape_string() is what you want to use before utilizing variables to interact with a database: http://php.net/manual/en/function.mysql-real-escape-string.php That, and validating the data.

That only helps if he uses MySQL as his database.
KevinM1 Posted September 1, 2011

> That only helps if he uses MySQL as his database.

If it's not, then he should use the correct escaping method used by his database. Or parameterized queries. addslashes does nothing for security.
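The injection George Botley warns about and the parameterized query KevinM1 recommends, as an added example that is not code from the thread. It uses PDO rather than the mysql_* extension discussed above (that extension was deprecated in PHP 5.5 and removed in PHP 7.0). The pages table, its id and content columns, and the DSN and credentials are placeholders. The vulnerable function shows why addslashes() and the escape functions are the wrong layer for the original post's code: pageID sits in an unquoted numeric position, so a request such as ?pageID=1 OR 1=1 contains no quote character for them to neutralize, yet it still changes the query.

```php
<?php
// Added example, not from the thread. Assumes a table `pages` with columns
// `id` (INT) and `content` (TEXT); DSN and credentials are placeholders.

// VULNERABLE: the raw query-string value is pasted into the SQL text.
// ?pageID=1 OR 1=1  or  ?pageID=1 UNION SELECT ...  rewrites the statement,
// and neither addslashes() nor mysql_real_escape_string() would stop it:
// there is no quote to escape in an unquoted numeric position.
function loadPageVulnerable(PDO $db, string $pageID): ?array
{
    $sql = "SELECT content FROM pages WHERE id = " . $pageID;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: check the type first, then bind the value as a parameter.
// The SQL text is fixed before the value is sent, so the input cannot be
// read as SQL, whichever database backend PDO is talking to.
function loadPage(PDO $db, string $pageID): ?array
{
    $id = filter_var($pageID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // not a positive integer: reject without explaining why
    }
    $stmt = $db->prepare('SELECT content FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage in the page from the original post.
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// is_string(): ?pageID[]=1 arrives as an array, which would otherwise
// be cast to the literal string "Array" and warn.
if (isset($_GET['pageID']) && is_string($_GET['pageID'])) {
    $row = loadPage($db, $_GET['pageID']);
    if ($row === null) {
        http_response_code(404);
        exit('Page not found');
    }
    // The stored content is being written into HTML, so escape it on output;
    // this is a separate concern from the SQL injection handled above.
    echo htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8');
}
```

With PDO::ATTR_EMULATE_PREPARES set to false the MySQL driver prepares the statement on the server and sends the bound value separately; with emulation on, PDO quotes the value client-side, which is still safe for a bound parameter but never safe for a value concatenated into the SQL string as loadPageVulnerable() does.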
tastro Posted September 1, 2011

> If it's not, then he should use the correct escaping method used by his database. Or parameterized queries. addslashes does nothing for security.

Yeah... still, the best way I think is that he defines which chars can be input and which not, with preg_match or preg_replace. Example for preg_match (also, if it matches some chars which are not allowed, then the script should stop):

    if (preg_match("@[^a-z0-9]@i", $your_string)) {
        die('ERROR: only these chars are allowed: a-z and 0-9');
    }

Or just simply preg_replace without an error.
cyberRobot Posted September 1, 2011

> Yeah... still, the best way I think is that he defines which chars can be input and which not, with preg_match or preg_replace.

Yep, that's what I was hinting at with the "validating the data" part. Of course, it's a little difficult to tell what type of validation is needed with the code provided.
flappy_warbucks Posted September 1, 2011

> if (preg_match("@[^a-z0-9]@i", $your_string)) { die('ERROR: only these chars are allowed: a-z and 0-9'); }
>
> Or just simply preg_replace without an error.

Personally, I would not give such a specific error, especially if the link was auto-generated. The only thing I use get for is navigation. So this means I only use numbers (which for me is easy to sanitize):

    // reject anything longer than 2 characters or not numeric
    if (strlen($preload->gets['pageID']) > 2 || !is_numeric($preload->gets['pageID'])) {
        // no information. Just a "Whoops, I made a boo boo".
        $errors->compile_report($_SERVER['PHP_SELF']);
        // this will collect all global vars and output an error log,
        // then forward the user to an error page with a reference number.
    }

If I can help it, I never give off any information as to what the script was expecting.

I love OOP. It just makes life easier.
tastro Posted September 1, 2011

> Personally, I would not give such a specific error, especially if the link was auto-generated. The only thing I use get for is navigation. So this means I only use numbers (which for me is easy to sanitize).
>
> If I can help it, I never give off any information as to what the script was expecting.

It depends on where you need the script. If this is a "create a new user" page then the error should be displayed so that the user knows what he did wrong, but like you said, if this is something like a "hidden" input then it's better without an error, yes.
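The allowlist validation tastro describes, the numeric-only pageID check and silent error page flappy_warbucks describes, and the distinction tastro draws between hidden navigation parameters and user-typed form fields, as one added example that is not code from the thread or from anyone's preload class. The class name, method names, allowlists and the constructed query strings below are all invented for illustration. The integer check uses filter_var() with FILTER_VALIDATE_INT rather than is_numeric(), because is_numeric() also accepts values such as "1e3" and " 12" that are not what a page ID lookup expects. Of the four constructed requests, only the first is accepted: "1e3" fails the integer check, "../etc/passwd" falls outside the slug allowlist, and pageID[]=42 is dropped because it arrives as an array.

```php
<?php
// Added example, not code from the thread. A small request-parameter
// validator in the spirit of the "preload class" described above; the class
// name, method names, allowlists and sample query strings are invented here.

final class QueryParams
{
    /** @var array<string, string> */
    private array $params = [];

    /** @param array<mixed> $get normally $_GET; passed in so it can be exercised offline */
    public function __construct(array $get)
    {
        foreach ($get as $name => $value) {
            // ?pageID[]=42 arrives as an array; keep only scalar strings.
            if (is_string($value)) {
                $this->params[(string) $name] = $value;
            }
        }
    }

    /**
     * Integer in [$min, $max], or null. The whole string must be decimal
     * digits with an optional sign, so " 12", "1e3", "12.0" and "0042" are
     * all rejected; is_numeric() would accept the first three.
     */
    public function int(string $name, int $min = 1, int $max = PHP_INT_MAX): ?int
    {
        if (!isset($this->params[$name])) {
            return null;
        }
        $v = filter_var($this->params[$name], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $v === false ? null : $v;
    }

    /**
     * String made only of allowlisted characters (the preg_match approach
     * from the thread) with a length cap. One character outside the allowlist
     * makes the whole value null; nothing is silently stripped, because a
     * stripped value may no longer mean what the caller thinks it means.
     */
    public function slug(string $name, int $maxLen = 64): ?string
    {
        if (!isset($this->params[$name])) {
            return null;
        }
        $v = $this->params[$name];
        // \A and \z anchor the whole string; a bare "$" would still match
        // before a trailing newline.
        return (strlen($v) <= $maxLen && preg_match('/\A[a-z0-9_-]+\z/i', $v) === 1) ? $v : null;
    }
}

// Constructed requests: the first is well formed, the other three are not.
$requests = [
    'pageID=42&slug=about-us',
    'pageID=1e3&slug=about-us',
    'pageID=42&slug=../etc/passwd',
    'pageID[]=42',
];

foreach ($requests as $query) {
    parse_str($query, $get);
    $p    = new QueryParams($get);
    $id   = $p->int('pageID', 1, 999999);
    $slug = $p->slug('slug');

    if ($id === null || $slug === null) {
        // Navigation links are generated by the site itself, so a bad value is
        // a broken link or tampering: log the detail server-side and show the
        // client a generic page. A form the user typed into is the case where
        // a specific "only a-z and 0-9 allowed" message is appropriate instead.
        error_log(sprintf('rejected query "%s" from %s', $query, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        echo "$query => generic error page\n";
        continue;
    }
    echo "$query => pageID $id, slug $slug\n";
}
```

The class takes the array in its constructor instead of reading $_GET directly so that the same validation can be run against constructed input, as the loop above does; in a real page it would be constructed once as new QueryParams($_GET) and every handler would read from it rather than from $_GET.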
raptor30506090 Posted September 1, 2011 (Author)

Thank you all for the fast replies, it all helped.