Jump to content

Recommended Posts

Hey guys,

So I wanted to know what security measures I would have to take when retrieving user information from the database with the $_GET method. The $_Get would be the user_id so do I need to add some if statements to make sure its an integer, not empty etc. And what function would I use for in case of the user attempts to break the website by changing the url with commas,malicious code, etc. 

Link to comment
https://forums.phpfreaks.com/topic/294815-php-_get-security/
Share on other sites

 

The $_Get would be the user_id so do I need to add some if statements to make sure its an integer

Yes that is what you will need to do. If the id should be a number then you must make sure it is a number before you use it in your query. You can use the function is_numeric to check to see if it is in a number. Then I would use intval when you to use it.

if(isset($_GET['id']) && is_numeric($_GET['id']))
{
   $id = intval($_GET['id']);

   ...
}
else
{
    // id is not provided or is not numeric
}

 

And what function would I use for in case of the user attempts to break the website by changing the url with commas,malicious code, etc.

 If the id is not an integer then do not use it. Either issue a 404 error message or a generic error message informing the user the id is invalid

Link to comment
https://forums.phpfreaks.com/topic/294815-php-_get-security/#findComment-1506459
Share on other sites

Rather then passing sensitive data between scripts using $_GET vars, I would suggest setting a session variable.  Note the session_start() in both scripts.

/* SCRIPT 1 
* initial script instantiates user id var 
* db query gets the users name and id, then assigns it to a session var
*/
session_start();
//later in code after db query...
$_SESSION['user']['userID'] = $userId;
$_SESSION['user']['userName'] = $userName;

Now the next script that requires the users ID

/* SCRIPT 2
* assign users name and id to local variables
* now script 2 has the name and id
*/
session_start();
$userId = $_SESSION['user']['userID'];
$userName = $_SESSION['user']['userName'];

Edited by rwhite35
Link to comment
https://forums.phpfreaks.com/topic/294815-php-_get-security/#findComment-1506530
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.