arpowers Posted October 20, 2007

Hey everyone, what are the security measures I should use when using $_GET values for page navigation and in queries? For instance, in a messaging system...

    $thread_id = $_GET['id'];
    function GetMessage($thread_id){
        $query = "SELECT msg_id, thread_id, from_id, from_type,... FROM tbl_mailbox_messages WHERE (thread_id ={$thread_id}....

(you get the idea)

Should I be running these values through a function to make sure they're clean, or is something like this already safe?

Link to comment https://forums.phpfreaks.com/topic/74112-_get-security-measures/
pocobueno1388 Posted October 20, 2007

You definitely need to be using mysql_real_escape_string on it, as the person can type whatever they want into the URL. You should also make sure it is a numeric value.
Ninjakreborn Posted October 20, 2007

For that kind of variable, security is very important. You probably want to use regex or ctype to make SURE it's a number with NO extra characters.
arpowers Posted October 20, 2007

Thanks! Another question... what about making sure that this thread has something to do with the user? i.e. what do you do to prevent somebody from inputting a number in the URL and accessing somebody else's thread...
Ninjakreborn Posted October 20, 2007

You have to grab THAT user's ID inside a SESSION. Do that when they log in, and let the session $_SESSION['id'] get grabbed instead of letting them put it in. You can have it grab the session (don't forget to clean it) from behind the scenes. It will be their id number.
pocobueno1388 Posted October 20, 2007

You use a database to keep track of who is what, then you use PHP to control it. I would suggest you start learning instead of asking a bunch of questions right now; these questions will all become obvious once you get far enough into PHP.
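As an added example (not code from anyone in this thread), the two pieces of advice above combined into one page handler: the id from the URL is checked with ctype_digit to be a positive integer, the owning user's id is taken from $_SESSION['id'] as set at login rather than from the URL, and the query binds both through a PDO prepared statement, which is the modern replacement for the mysql_real_escape_string approach the posters describe (the mysql_* extension was removed in PHP 7). Assumed: a hypothetical owner_id column on tbl_mailbox_messages, and placeholder database connection details.

```php
<?php
// Added example, not code from the thread. Assumes a tbl_mailbox_messages
// table with a hypothetical owner_id column, and that login stored the
// user's id in $_SESSION['id'] (as Ninjakreborn describes above).
session_start();

// Step 1: validate the URL parameter. ctype_digit accepts only the
// characters 0-9, so "12 OR 1=1", "-5" and "" are all rejected before
// the value gets anywhere near SQL.
function validThreadId($raw)
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Step 2: fetch with a prepared statement. Both values are bound as
// typed parameters, so no escaping is needed, and the owner check uses
// the session id, never the URL, so editing ?id= cannot reach another
// user's thread.
function getMessages(PDO $db, $threadId, $userId)
{
    $sql = 'SELECT msg_id, thread_id, from_id, from_type
              FROM tbl_mailbox_messages
             WHERE thread_id = :thread AND owner_id = :owner
          ORDER BY msg_id';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':thread', $threadId, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$threadId = validThreadId($_GET['id'] ?? '');
if ($threadId === null || empty($_SESSION['id'])) {
    http_response_code(400);   // bad id, or not logged in
    exit('Invalid request');
}

// Connection details are placeholders.
$db = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

$rows = getMessages($db, $threadId, (int) $_SESSION['id']);
if (!$rows) {
    // A missing thread and someone else's thread get the same answer,
    // so ids cannot be probed to learn which threads exist.
    http_response_code(404);
    exit('Not found');
}
```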