barefootsanders Posted April 16, 2007

Hey guys. I've been programming a PHP based game and all over my site I have strings like $userid = $_GET['userid']. Then based on that variable I run the function from the database class, $database->getUserInfo($userid); which will return an array with all the user's info from the database based on the $userid. I've heard this is not very secure so I was hoping someone could point me in the right direction as to how to secure it. I have lots of these types of things around my site in order to return arrays of information regarding a particular piece of information. Thanks in advance for any help!
HeyRay2 Posted April 16, 2007

This is a function I've been using for quite some time to ensure all $_GET variables I'm using in SQL queries are safe from injection attacks:

    // Quote variable to make safe for use in MySQL queries
    // Note: mysql_real_escape_string() needs an open MySQL connection
    function quoteSmart($value)
    {
        // Trim whitespace
        $value = trim($value);

        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }

        // Quote if not a number or a numeric string
        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }

        return $value;
    }

So to make your $_GET['userid'] variable safe just do:

    $userid = quoteSmarty($_GET['userid']);
barefootsanders Posted April 16, 2007 (Author)

> This is a function I've been using for quite some time to ensure all $_GET variables I'm using in SQL queries are safe from injection attacks:
>
>     // Quote variable to make safe for use in MySQL queries
>     function quoteSmart($value)
>     {
>         // Trim whitespace
>         $value = trim($value);
>
>         // Stripslashes
>         if (get_magic_quotes_gpc()) {
>             $value = stripslashes($value);
>         }
>
>         // Quote if not a number or a numeric string
>         if (!is_numeric($value)) {
>             $value = mysql_real_escape_string($value);
>         }
>
>         return $value;
>     }
>
> So to make your $_GET['userid'] variable safe just do:
>
>     $userid = quoteSmarty($_GET['userid']);

I've seen the functions get_magic_quotes_gpc() and mysql_real_escape_string() before but I am unsure what they do. I've read up on php.net but it's kind of hard to understand. Could you just elaborate on what it is exactly doing? Thanks a bunch though!
Hughesy1986 Posted April 16, 2007

I would just use this. It will strip HTML tags and slash out any SQL injections:

    <?php
    function clean($var)
    {
        $var = addslashes(strip_tags($var));
        return $var;
    }
    ?>
marcus Posted April 16, 2007

> This is a function I've been using for quite some time to ensure all $_GET variables I'm using in SQL queries are safe from injection attacks:
>
>     // Quote variable to make safe for use in MySQL queries
>     function quoteSmart($value)
>     {
>         // Trim whitespace
>         $value = trim($value);
>
>         // Stripslashes
>         if (get_magic_quotes_gpc()) {
>             $value = stripslashes($value);
>         }
>
>         // Quote if not a number or a numeric string
>         if (!is_numeric($value)) {
>             $value = mysql_real_escape_string($value);
>         }
>
>         return $value;
>     }
>
> So to make your $_GET['userid'] variable safe just do:
>
>     $userid = quoteSmarty($_GET['userid']);

You shouldn't do that, for the most part it won't work.

    $userid = $_GET['userid'];
    quoteSmarty($userid);
HeyRay2 Posted April 16, 2007

Okay then... ???

Apart from my typo on the quoteSmart() function name, why won't this work?

    $userid = quoteSmart($_GET['userid']);

... and tell me how this will work ...

    $userid = $_GET['userid'];
    quoteSmart($userid);

The function is returning a value, meaning that in order to use the function you have to use it to either populate a variable, echo it, or use it in another function as an argument. ???
marcus Posted April 16, 2007

Oh, your function works, but predefining it within the variable will eliminate the definition.
HeyRay2 Posted April 16, 2007

> Oh, your function works, but predefining it within the variable will eliminate the definition.

??? I have no idea what you mean by that... I wasn't defining it in the variable. I was using the function as a way to define the value for the variable. I would assume that this function would already be defined somewhere in a user's script before trying to use it.
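The approach the thread converges on (escaping the raw $_GET value before concatenating it into a query) depends on the escaping being applied correctly every time. An added example, not from any poster in this thread, showing the alternative of validating the id and binding it as a parameter with PDO so the database never parses user input as SQL. It assumes a `users` table with an integer `id` column, a `game` database and the credentials shown; all of these are placeholders.

```php
<?php
// Added example (not from the thread): getUserInfo() rebuilt on PDO prepared
// statements. Table/column names, database name and credentials are assumed.

// The pattern the thread is worried about: the raw request value becomes SQL text.
function getUserInfoUnsafe(PDO $pdo, $userid): ?array
{
    $row = $pdo->query("SELECT * FROM users WHERE id = $userid")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: check the type first, then bind the value as a parameter.
function getUserInfo(PDO $pdo, $userid): ?array
{
    // A user id must be a positive integer; anything else is rejected before
    // it gets near the query, so no escaping rules have to be remembered.
    $id = filter_var($userid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Only the columns the page needs, and the id travels as a bound parameter,
    // not as part of the SQL string.
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage at the top of a page, in place of $userid = $_GET['userid'] used directly.
$pdo = new PDO('mysql:host=localhost;dbname=game', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface DB errors as exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

$user = getUserInfo($pdo, $_GET['userid'] ?? '');
if ($user === null) {
    http_response_code(404);
    exit('No such user');
}
```

With the id validated as an integer and bound with PDO::PARAM_INT, get_magic_quotes_gpc() and mysql_real_escape_string() are no longer part of the picture for this lookup.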