
PHP $_GET Security


phpforfun


Hey guys,

So I wanted to know what security measures I would have to take when retrieving user information from the database with the $_GET method. The $_GET would be the user_id, so do I need to add some if statements to make sure it's an integer, not empty, etc.? And what function would I use in case the user attempts to break the website by changing the URL with commas, malicious code, etc.?

https://forums.phpfreaks.com/topic/294815-php-_get-security/


The $_GET would be the user_id, so do I need to add some if statements to make sure it's an integer

Yes, that is what you will need to do. If the id should be a number then you must make sure it is a number before you use it in your query. You can use the function is_numeric to check whether it is a number. Then I would use intval when you use it.

// Only proceed when the id parameter is present and looks numeric
if(isset($_GET['id']) && is_numeric($_GET['id']))
{
   // Cast to an integer before it goes anywhere near the query
   $id = intval($_GET['id']);

   ...
}
else
{
    // id is not provided or is not numeric
}


And what function would I use in case the user attempts to break the website by changing the URL with commas, malicious code, etc.?

If the id is not an integer then do not use it. Either issue a 404 error message or a generic error message informing the user the id is invalid.

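One way to put the two replies above together in working code, as an added example that is not code from the thread: validate the id with FILTER_VALIDATE_INT (stricter than is_numeric) and pass it to a prepared statement, so the raw query-string value never becomes part of the SQL text. It assumes an in-memory SQLite database with a users table constructed for the demo.

```php
<?php
// Added example, not from the thread. Assumes an in-memory SQLite "users"
// table constructed below; replace with the real connection and table.
declare(strict_types=1);

// Return the id as an int only if it is a positive whole number; otherwise null.
function userIdFromQuery(array $query): ?int
{
    if (!isset($query['id'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "12abc", "1,2", "1e3", "0x1A" and "7 OR 1=1";
    // is_numeric() would accept "1e3" and "12.5", which are not valid ids.
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Look the user up with a bound parameter instead of string interpolation.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (7, 'alice'), (8, 'bob')");

// Simulated query-string values: the first is valid, the others must be rejected.
foreach (['7', '7 OR 1=1', '7,8', '-1', '', '1e1', '9'] as $raw) {
    $id = userIdFromQuery(['id' => $raw]);
    if ($id === null) {
        // Generic error, as the reply advises; in a web script send a 404 here.
        echo 'id ' . var_export($raw, true) . " rejected\n";
        continue;
    }
    $user = findUser($db, $id);
    echo $user ? "user {$user['id']}: {$user['name']}\n" : "no such user\n";
}
```

A valid but unknown id ('9' above) is handled separately from an invalid one, so the "no such user" branch is where the generic error page belongs when the lookup itself fails.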

Rather than passing sensitive data between scripts using $_GET vars, I would suggest setting a session variable. Note the session_start() in both scripts.

/* SCRIPT 1
* initial script instantiates the user id var
* db query gets the user's name and id, then assigns them to a session var
*/
session_start();
//later in code after db query...
$_SESSION['user']['userID'] = $userId;
$_SESSION['user']['userName'] = $userName;

Now the next script that requires the user's ID:

/* SCRIPT 2
* assign the user's name and id to local variables
* now script 2 has the name and id
*/
session_start();
$userId = $_SESSION['user']['userID'];
$userName = $_SESSION['user']['userName'];

