$_GET safety

[SirChick]

Hey guys,

 

Have a question about $_GET. If a page doesn't use the function at all and a user edits the url to try to break the page so say they put:

text.php?3231

 

Then the site url changes it to:

 

text.php?%3221

 

Is that considered safe? Or should it be wiser to clear it so that it goes to "text.php" ? I am not sure if the % is meant to happen ?

[trq]

If your script isn't expecting any get variables it won't care if there is any. This is another reason register_globals is now depricated.

 

Extra variables within the url should have no effect unless your server is misconfigured. I have been able to get access to source code on occasion by using index.php?~

[SirChick]

So how come it adds the % symbol to the url? Does it do that for a reason ?

[trq]

How are you getting that result?

[SirChick]

It does it almost 100% of the time if i put:

 

text.php?'"

 

that becomes:

 

text.php?'%22

[Daniel0]

That's just because " is encoded to %20. Example: http://www.google.com/search?q=%22test%22 is a search on Google for "test".