JJohnsenDK Posted April 28, 2007

Hey, I just want to know what security you guys use on $_GET variables, and/or if security is even necessary with $_GET variables?

JJohnsenDK

shocker-z Posted April 28, 2007

It depends what you're using it to do? I mean, the standard is using stuff like mysql_real_escape_string() for just inserting data, but if you're using GET for something like yoursite.com/index.php?page=links then you will also want to check that the file exists and use absolute paths so that no one can include system files and view them.

Just my 2 pence

Regards
Liam

JJohnsenDK (Author) Posted April 28, 2007

I'm using it in the URL, so I'll try with the file exists function, but please tell me more about the absolute paths? I'm not familiar with that...

shocker-z Posted April 28, 2007

I mean in the way of using

    // Prefix a fixed absolute directory to the requested page
    if (file_exists('/home/webroot/includes/' . $_GET['page'])) {
        include('/home/webroot/includes/' . $_GET['page']);
    }

because if you just use

    // The request value is used as the whole path
    if (file_exists($_GET['page'])) {
        include($_GET['page']);
    }

then if I type in your site www.yoursite.com/index.php?page=/home/webroot/.htaccess then in theory, if that existed, it would display it on your page, and the same goes for any other location.

(Just an example)

Liam

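An added example (not code from the thread) of validating a ?page= value before include: a fixed directory prefix plus file_exists(), as in the post above, does not by itself keep a value with relative path segments from resolving outside that directory, so this version allowlists the name and checks the canonical path. The resolve_page() helper, the ".php" suffix and the temporary directory tree are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). resolve_page() and the ".php" suffix
// are assumptions; the thread only shows ?page=links and an includes directory.

/** Return the absolute path of an includable page inside $baseDir, or null. */
function resolve_page(string $page, string $baseDir): ?string
{
    // 1. Allowlist the name itself: no slashes, dots or NUL bytes get through.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page) !== 1) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() returns false if the file is missing.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    // 3. Containment: the resolved file must still sit under the base directory
    //    (this also catches a symlink inside includes/ that points elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// --- Constructed demo: a throwaway tree standing in for /home/webroot ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'webroot_' . bin2hex(random_bytes(4));
mkdir($root . '/includes', 0700, true);
file_put_contents($root . '/includes/links.php', "<?php echo 'links page';\n");
file_put_contents($root . '/.htaccess', "# constructed sample\n");

// Constructed request values: one valid page name and four that must be rejected.
$requests = ['links', $root . '/.htaccess', '../.htaccess', 'missing', ''];
foreach ($requests as $page) {
    $path = resolve_page($page, $root . '/includes');
    printf("%-40s => %s\n", var_export($page, true), $path === null ? 'rejected' : 'include ' . $path);
}

// Clean up the throwaway tree.
unlink($root . '/includes/links.php');
unlink($root . '/.htaccess');
rmdir($root . '/includes');
rmdir($root);
```

In a page handler, include only a non-null return value and answer with a 404 otherwise.
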
JJohnsenDK (Author) Posted April 28, 2007

Aaah... all right, I'm getting your point, and thanks for helping out.

What if I use the $_GET variable to select something in the database? Like this:

    ("SELECT image FROM album WHERE image_id = '{$_GET['id']}'");

Any security I should use here?

fert Posted April 28, 2007

> Any security I should use here?

mysql_real_escape_string

JJohnsenDK (Author) Posted April 28, 2007

Oh yeah, of course, sorry... forgot the first reply... Thanks for helping out.

Archived
This topic is now archived and is closed to further replies.