
how to protect $_GET["act"] - php ?

Posted: Fri Sep 07, 2012 12:02 pm
by mekha
hi guys,
i have this link:
xxxxxxx.com/form.php?act=add
how do i protect the $_GET["act"]; ?
i tried:
$mysqli->real_escape_string($_GET["act"]);

and when i write:
xxxxxxx.com/form.php?act=add""""

there are problems in the page....
i tried too:
mysql_real_escape_string($_GET["act"]);
and there is php errors...variables undefined....
how can i protect $_GET["act"]?

Re: how to protect $_GET["act"] - php ?

Posted: Fri Sep 07, 2012 12:26 pm
by Celauran
Define an array of acceptable values to check against.

Code:

$actions = array('add', 'edit', 'delete');
// Only act on values that appear in the allow-list
if (isset($_GET['act']) && in_array($_GET['act'], $actions))
{
    // do stuff
}

Re: how to protect $_GET["act"] - php ?

Posted: Fri Sep 07, 2012 12:31 pm
by mekha
no results :S...
$actions = array('add', 'edit', 'delete');
if (isset($_GET['act']) && in_array($_GET['act'], $actions))
{
$act = $_GET["act"];
}
///////////
if i write a QUOTE in the url like this: xxxx.com/form.php?act=add'
there is a problem!... i want it clean

Re: how to protect $_GET["act"] - php ?

Posted: Fri Sep 07, 2012 4:18 pm
by social_experiment
mekha wrote: there is a problem!... i want it clean
By 'clean' do you mean without anything except the value you pass along in the query string? As Celauran suggests, you can check the value that you receive from the query string against values in an array, or you can have a predefined statement like the one below.

Code:

<?php
// isset() avoids an undefined-index notice when act is missing
if (isset($_GET['act']) && $_GET['act'] == 'add') {
    // handle the 'add' action
}
?>
What errors do you receive when executing the code?
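
The allow-list check suggested by Celauran and social_experiment, as an added example that is not part of any post in this thread. The function names resolve_action() and dispatch() and the sample query strings are assumptions, constructed for illustration.

```php
<?php
// Added example, not code from the thread. resolve_action() and dispatch()
// are hypothetical names.

/**
 * Return the requested action only if it is one of the known values.
 * A missing parameter, an array (?act[]=add) or a value with extra
 * characters such as quotes all yield null.
 */
function resolve_action(array $query, array $allowed)
{
    if (!isset($query['act']) || !is_string($query['act'])) {
        return null;
    }
    // Strict comparison: no type juggling and no partial matches.
    return in_array($query['act'], $allowed, true) ? $query['act'] : null;
}

/**
 * Branch on the validated value only, never on the raw parameter.
 * The returned strings stand in for the real page logic.
 */
function dispatch($act)
{
    switch ($act) {
        case 'add':    return 'show add form';
        case 'edit':   return 'show edit form';
        case 'delete': return 'show delete confirmation';
        default:       return 'reject: unknown or missing action';
    }
}

$allowed = array('add', 'edit', 'delete');

// Constructed sample query strings, parsed the same way PHP fills $_GET.
$samples = array('act=add', 'act=add%27', 'act=add%22%22%22%22',
                 'act[]=add', 'act=ADD', '');

foreach ($samples as $qs) {
    parse_str($qs, $query);
    $act = resolve_action($query, $allowed);
    printf("%-22s => %s\n", $qs === '' ? '(no act)' : $qs, dispatch($act));
}

// In form.php itself the call would be:
//   $act = resolve_action($_GET, $allowed);
```

Because $act can only ever hold one of the listed strings or null, it never needs escaping before it is used to pick a branch; real_escape_string() is for values placed inside SQL string literals.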

Re: how to protect $_GET["act"] - php ?

Posted: Sat Sep 08, 2012 12:08 am
by mekha
aha...ok great man, thank you celauran and social_experiment.....with your suggestions i've solved my problem :D