
$_GET['']


raptor30506090

If you intend to use the GET function primarily for database queries, be careful what you take from it.

Don't be prone to what is known as injection, whereby a database can be fooled into thinking it is being provided with correct information, when it clearly isn't.

We would need to see the rest of your script associated with $row[] to see how you are making use of it.

George.

Personally, I would never use GET or POST methods 'out of the box', as it were.

On all my sites, I have a preload class that takes care of all POST and GET variables (checks existence, sanitizes etc.), and then I reference those variables from that class.  It makes this type of thing easier as I don't have pages of code sanitizing input, as it's already been done.  As an example:

if (isset($preload->gets['pageID']))
{
    // do whatever here.
}

// compared to:

if (isset($_GET['pageID']))
{
    $pageID = mysql_real_escape_string(str_replace(" ","_",$_GET['pageID'])); // or use addslashes().

    // if the value is numeric then you have to do more checks.  And even more if you have passed a string.
}

Also, the easiest way to prevent "hackers" from doing stupid things via $_GET is to simply add a character restriction on it, so that you define which chars should be allowed as input and which ones not. Or at least addslashes() before you put the $_GET into your database.

> Also, the easiest way to prevent "hackers" from doing stupid things via $_GET is to simply add a character restriction on it, so that you define which chars should be allowed as input and which ones not. Or at least addslashes() before you put the $_GET into your database.

mysql_real_escape_string() is what you want to use before utilizing variables to interact with a database:

http://php.net/manual/en/function.mysql-real-escape-string.php

That and validating the data.

> mysql_real_escape_string() is what you want to use before utilizing variables to interact with a database:
>
> http://php.net/manual/en/function.mysql-real-escape-string.php
>
> That and validating the data.

That only helps if he uses MySQL as his database.

> That only helps if he uses MySQL as his database.

If it's not, then he should use the correct escaping method used by his database.  Or, parameterized queries.  addslashes does nothing for security.

> If it's not, then he should use the correct escaping method used by his database.  Or, parameterized queries.  addslashes does nothing for security.

Yeah... still, the best way, I think, is that he defines which chars can be input and which not, with preg_match or preg_replace.

Example for preg_match; also, if it matches some chars which are not allowed, then the script should stop:

if(preg_match("@[^a-z0-9]@i",$your_string)){die('ERROR: only this chars are allowed: a-z and 0-9');}

Or just simply preg_replace without an error.

 

> if(preg_match("@[^a-z0-9]@i",$your_string)){die('ERROR: only this chars are allowed: a-z and 0-9');}
>
> Or just simply preg_replace without an error.

Personally, I would not give such a specific error.  Especially if the link was auto-generated.

The only thing I use GET for is navigation.  So this means I only use numbers (which for me is easy to sanitize):

if (strlen($preload->gets['pageID']) > 2 && !is_numeric($preload->gets['pageID']))
{
    // no information.  Just a "Whoops, i made a boo boo".
    $errors->compile_report($_SERVER['PHP_SELF']); // this will call all global vars, and output an error log.  Then forward the user to an error page with a reference number.
}

If I can help it, I never give out any information as to what the script was expecting.

I love OOP.  It just makes life easier :)

 


> Personally, I would not give such a specific error.  Especially if the link was auto-generated.

It depends on where you need the script. If this is a "create a new user" page, then the error should be displayed so that the user knows what he did wrong, but like you said, if this is something like a "hidden" input, then it's better without an error, yes.
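The parameterized-query approach mentioned earlier in the thread, combined with the numbers-only pageID check from the navigation post and the "log the detail, show a generic message" point, as an added example that is not code from any poster here: pageID is accepted only as a small positive integer, the id reaches the SQL as a bound PDO parameter instead of escaped text, and a rejected value goes to the server log while the visitor sees nothing specific. The in-memory SQLite database, the `pages` table and the sample requests are constructed here so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread: whitelist the value, then bind it.
declare(strict_types=1);

/** Returns pageID as an int, or null if missing, non-numeric or out of range. */
function read_page_id(array $get): ?int
{
    $raw = $get['pageID'] ?? null;
    // ctype_digit() accepts only 0-9 in a non-empty string, so "2 OR 1=1",
    // "7'" or "1e3" are rejected outright; the length cap keeps (int) exact.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Fetches a page row by bound integer id; no escaping function is involved. */
function load_page(PDO $pdo, int $id): ?array
{
    // The SQL text never contains user input, so it is the same for every
    // database driver; only the bound value changes.
    $stmt = $pdo->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database so the example runs
// offline; a real site would hand in its own PDO connection instead.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO pages (id, title) VALUES (1, 'Home'), (2, 'About')");

// Constructed requests standing in for $_GET: one valid, one hostile, one missing.
foreach ([['pageID' => '2'], ['pageID' => '2 OR 1=1'], []] as $get) {
    $id = read_page_id($get);
    if ($id === null) {
        // The detail goes to the server log only; the visitor gets a generic message.
        error_log('rejected pageID=' . var_export($get['pageID'] ?? null, true));
        echo "Whoops, something went wrong.\n";
        continue;
    }
    $page = load_page($pdo, $id);
    echo $page === null ? "No such page.\n" : "Page {$page['id']}: {$page['title']}\n";
}
```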
