ansaurus

Question

PHP safe $_GET or not

Answer 1

+6 A:

The switch thing is okay, because you are comparing against a hard-coded value (however, it's case "show": btw).

The second thing is potentially dangerous, as it would be possible to inject HTML and more importantly, JavaScript into the document body. You should apply a htmlspecialchars() on the variable before echoing it.

Pekka 2010-08-02 15:04:15

Didn't notice he was using switch to filter stuff + 1

Sarfraz 2010-08-02 15:06:37

I tend to go further and validate `$_GET['action']` against a list of expected actions, failing out if it's not one of them

Michael Mrozek 2010-08-02 15:07:37

@Michael good point. @Ignatz be sure to have a `default:` case in your switch.

Pekka 2010-08-02 15:14:35

@Pekka thank you man!

Happy 2010-08-02 15:20:35

Answer 2

+1 A:

PHP $_GET by itself is insecure, it can be exploited in several areas, for a good reading and examples I recommend you to read this article

http://articles.sitepoint.com/article/php-security-blunders

Flakron Bytyqi 2010-08-02 15:05:01

Bullshit. $_GET is not "insecure by itself". It contains data that could be manipulated, but as long as that data is not used stupidly, that is *not* a security risk.

Pekka 2010-08-02 15:05:40

my bad, excuse me

Flakron Bytyqi 2010-08-02 15:06:46

@Flakron the link you post to is a good resource nevertheless, and those blunders tend to happen often.

Pekka 2010-08-02 15:07:18

You should clarify that it's not $_GET that is insecure, but the values in $_GET that you can't rely on being valid.

HoLyVieR 2010-08-02 15:09:11

@Pekka That's somewhat debatable; most of the "PHP blunders" seem to be standard web security problems that have nothing to do with PHP

Michael Mrozek 2010-08-02 15:09:12

@Michael definitely. The blunders are not specific to PHP (although other platforms do a better job of filtering out some attacks). But the article is worth a read for every PHP newbie.

Pekka 2010-08-02 15:10:55

Answer 3

A:

Yes, as mentioned, you must validate the value of any $_GET variable before using it blindly. But...

You should also be checking that it even exists before using it. Depending on how you have error_reporting() set on your server, if you try to use $_GET['action'] and ?action=something has not been specified in the URL then you'll get an E_NOTICE - Undefined index : action, which will either pollute your error logs or worse, appear in the browser.

$urlAction = isset($_GET['action']) ? $_GET['action'] : null;

if (isset($urlAction)) {
  // Rest of validation...
}

w3d 2010-08-02 16:01:48

Answer 4

+1 A:

Sometimes when i have alot of begginers create plugins or moduldes for a site i use something like...

foreach($_GET as $key=>$value) {
  if(functions_exists('clean_get_'.$key)) {
    $_GET[$key]=call_user_func('clean_get_'.$key,$value);
  } else {
    unset($_GET[$key];
  }
}

... and all the get and post values are 'magically' cleaned or removed so i don't need to worry about someone elses sql-injectable plugin.

Or, if you are a fan of lazy-loading ...

   foreach($_GET as $key=>$value) {
      if(is_file('clean_get_'.$key.'.php')) {
        include_once('clean_get_'.$key.'.php');
        if(functions_exists('clean_get_'.$key)) {
          $_GET[$key]=call_user_func('clean_get_'.$key,$value); 
        } else {
          unset($_GET[$key]);
        }
      } else {
        unset($_GET[$key];
      }
    }

ps. code was written here directly, mistakes are probable!

vlad b. 2010-08-02 16:04:34

ansaurus

tags:

views:

answers:

PHP safe $_GET or not

related questions