phpforfun Posted February 22, 2015 Share Posted February 22, 2015 Hey guys, So I wanted to know what security measures I would have to take when retrieving user information from the database with the $_GET method. The $_Get would be the user_id so do I need to add some if statements to make sure its an integer, not empty etc. And what function would I use for in case of the user attempts to break the website by changing the url with commas,malicious code, etc. Quote Link to comment https://forums.phpfreaks.com/topic/294815-php-_get-security/ Share on other sites More sharing options...
Ch0cu3r Posted February 22, 2015 Share Posted February 22, 2015 The $_Get would be the user_id so do I need to add some if statements to make sure its an integer Yes that is what you will need to do. If the id should be a number then you must make sure it is a number before you use it in your query. You can use the function is_numeric to check to see if it is in a number. Then I would use intval when you to use it. if(isset($_GET['id']) && is_numeric($_GET['id'])) { $id = intval($_GET['id']); ... } else { // id is not provided or is not numeric } And what function would I use for in case of the user attempts to break the website by changing the url with commas,malicious code, etc. If the id is not an integer then do not use it. Either issue a 404 error message or a generic error message informing the user the id is invalid Quote Link to comment https://forums.phpfreaks.com/topic/294815-php-_get-security/#findComment-1506459 Share on other sites More sharing options...
NotionCommotion Posted February 23, 2015 Share Posted February 23, 2015 Why not just used a prepared statement? It will either match a record or will not regardless of data type. Quote Link to comment https://forums.phpfreaks.com/topic/294815-php-_get-security/#findComment-1506488 Share on other sites More sharing options...
rwhite35 Posted February 23, 2015 Share Posted February 23, 2015 (edited) Rather then passing sensitive data between scripts using $_GET vars, I would suggest setting a session variable. Note the session_start() in both scripts. /* SCRIPT 1 * initial script instantiates user id var * db query gets the users name and id, then assigns it to a session var */ session_start(); //later in code after db query... $_SESSION['user']['userID'] = $userId; $_SESSION['user']['userName'] = $userName; Now the next script that requires the users ID /* SCRIPT 2 * assign users name and id to local variables * now script 2 has the name and id */ session_start(); $userId = $_SESSION['user']['userID']; $userName = $_SESSION['user']['userName']; Edited February 23, 2015 by rwhite35 Quote Link to comment https://forums.phpfreaks.com/topic/294815-php-_get-security/#findComment-1506530 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.