PHP $_GET Security

[phpforfun]

Hey guys,

So I wanted to know what security measures I would have to take when retrieving user information from the database with the $_GET method. The $_Get would be the user_id so do I need to add some if statements to make sure its an integer, not empty etc. And what function would I use for in case of the user attempts to break the website by changing the url with commas,malicious code, etc. 

[Ch0cu3r]

 

The $_Get would be the user_id so do I need to add some if statements to make sure its an integer

Yes that is what you will need to do. If the id should be a number then you must make sure it is a number before you use it in your query. You can use the function is_numeric to check to see if it is in a number. Then I would use intval when you to use it.

if(isset($_GET['id']) && is_numeric($_GET['id']))
{
   $id = intval($_GET['id']);

   ...
}
else
{
    // id is not provided or is not numeric
}

 

And what function would I use for in case of the user attempts to break the website by changing the url with commas,malicious code, etc.

 If the id is not an integer then do not use it. Either issue a 404 error message or a generic error message informing the user the id is invalid

[NotionCommotion]

Why not just used a prepared statement?  It will either match a record or will not regardless of data type.

[rwhite35]

Rather then passing sensitive data between scripts using $_GET vars, I would suggest setting a session variable.  Note the session_start() in both scripts.

/* SCRIPT 1 
* initial script instantiates user id var 
* db query gets the users name and id, then assigns it to a session var
*/
session_start();
//later in code after db query...
$_SESSION['user']['userID'] = $userId;
$_SESSION['user']['userName'] = $userName;

Now the next script that requires the users ID

/* SCRIPT 2
* assign users name and id to local variables
* now script 2 has the name and id
*/
session_start();
$userId = $_SESSION['user']['userID'];
$userName = $_SESSION['user']['userName'];