$_GET safety

SirChick · January 20, 2008

Hey guys,

Have a question about $_GET. If a page doesn't use the function at all and a user edits the url to try to break the page so say they put:

text.php?3231

Then the site url changes it to:

text.php?%3221

Is that considered safe? Or should it be wiser to clear it so that it goes to "text.php" ? I am not sure if the % is meant to happen ?

trq · January 20, 2008

If your script isn't expecting any get variables it won't care if there is any. This is another reason register_globals is now depricated.

Extra variables within the url should have no effect unless your server is misconfigured. I have been able to get access to source code on occasion by using index.php?~

SirChick · January 20, 2008

So how come it adds the % symbol to the url? Does it do that for a reason ?

trq · January 20, 2008

How are you getting that result?

SirChick · January 20, 2008

It does it almost 100% of the time if i put:

text.php?'"

that becomes:

text.php?'%22

Daniel0 · January 20, 2008

That's just because " is encoded to %20. Example: http://www.google.com/search?q=%22test%22 is a search on Google for "test".

Sign In

$_GET safety

Recommended Posts

SirChick

Link to comment

Share on other sites

trq

Link to comment

Share on other sites

SirChick

Link to comment

Share on other sites

trq

Link to comment

Share on other sites

SirChick

Link to comment

Share on other sites

Daniel0

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information