Using $_GET

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


arpowers
Forum Commoner
Posts: 76
Joined: Sun Oct 14, 2007 10:05 pm
Location: san diego, ca

Using $_GET

Post by arpowers »

What are the security measures when using $_GET values?

For instance, what if I wanted to pass thread_id numbers through the URL?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

GET values are user input. NEVER trust user input. Anything could go wrong, so be sure not to let it.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Ah, that's a little too paranoid.

$_GET is one method in which users can give your application data to process (the other is $_POST). This is perfectly fine, and absolutely necessary. What you do with this data, however, is another matter: as superdezign comments, never trust user input; always validate and escape it as necessary. Also, do not use $_GET to trigger application actions, such as deleting a post, etc.
Josh1billion
Forum Contributor
Posts: 316
Joined: Tue Sep 11, 2007 3:25 pm

Post by Josh1billion »

When using $_GET, you should "sanitize" the data (that is, make it safe). Here are the three functions you use to do that:

- intval() [on integers, to make sure that the value is an integer. This function turns anything you send to it into an integer, so you can use it in spots where the $_GET variable passed is supposed to be an integer]

- mysql_real_escape_string() [on strings that you are passing to a MySQL query, to protect against a security breach known as "SQL injection" (google it or wikipedia it for more info)]

- strip_tags() [on strings that you will be printing to the screen, so that people can't enter HTML code, because bad things can happen sometimes if they do, such as XSS attacks (google that too if you want)]

Oh, and on a sort-of-related note, you should have a little PHP option known as "register globals" off. Google it to find out why. If you are always careful with your code (always initializing your variables), this option won't matter at all, but sooner or later everyone makes a small mistake somewhere, so having "register globals" off is very helpful in case you do mess up.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

While they are useful functions (except strip_tags(), which should be avoided like the plague), they should not be conflated. intval() is used for validation and mysql_real_escape_string() is used for escaping. They are two different topics, and must be treated differently.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Ambush Commander wrote:
While they are useful functions (except strip_tags(), which should be avoided like the plague), they should not be conflated. intval() is used for validation and mysql_real_escape_string() is used for escaping. They are two different topics, and must be treated differently.

Technically intval() would be used for filtering, is_int() for validation, and mysql_real_escape_string() for escaping. Those (filtering, validation and escaping) are the three general steps in processing input securely.
arpowers
Forum Commoner
Posts: 76
Joined: Sun Oct 14, 2007 10:05 pm
Location: san diego, ca

Post by arpowers »

You guys are awesome....
I love how everybody is helpful here.

Just letting you know that I learned from the discussion :) Thanks for the replies.
Josh1billion
Forum Contributor
Posts: 316
Joined: Tue Sep 11, 2007 3:25 pm

Post by Josh1billion »

Ambush Commander wrote:
strip_tags(), which should be avoided like the plague

Why's that?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

It is insecure due to the fact that it doesn't validate attributes, doesn't balance tags and does a poor job of parsing malformed tags. There are only a few legitimate uses for the function (such as converting HTML input into a textual representation), but it should not be used for anything security related.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

FYI, htmlspecialchars() is the function of choice when outputting, instead of strip_tags().
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

If you want to include limited HTML tags like bold, anchors and other simple goodies (in comments, etc...) you have to clean your input on the way in. As AC mentioned, you'll need to do tag and attribute whitelisting, as well as tag balancing. It sounds like a bit of a pain, but I'm sure there's existing code out there already.

Check out "Building Scalable Web Sites" from O'Reilly - it has an entire chapter on input cleansing and is generally an amazing book. One of the few books it's worth buying new, but as it's a few years old now (but certainly not outdated) you may be able to pick it up for a song.

Browse through the WordPress source as a last resort, as I seem to remember this being a feature in their comments.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Christopher wrote:
Technically intval() would be used for filtering, is_int() for validation, and mysql_real_escape_string() for escaping. Those (filtering, validation and escaping) are the three general steps in processing input securely.

Two steps. FIEO. Filter input; escape output.

Technically, intval() is normalizing. Filtering is the act of inspecting data to be sure it's valid (validation), and only allowing valid data to enter. Normalizing is "to make regular and consistent."

Be careful about is_int(). Yes, it's a validation function, but it inspects the data type, not the data. For example, anything from $_GET or $_POST is going to fail an is_int() check, regardless of what the data is.

Hope this helps.
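The thread_id case from the opening post, carried through the two FIEO steps shiflett describes, as an added example that is not code from any of the posters. It shows why is_int() fails on $_GET data (everything arrives as a string), uses ctype_digit() for validation and intval() for normalising, and escapes HTML output with htmlspecialchars() rather than strip_tags(). For the database step it substitutes a PDO prepared statement for the mysql_real_escape_string() call the thread mentions: that function belonged to the old mysql extension, which was removed in PHP 7, and a bound parameter is never interpreted as SQL. The table name `threads`, the columns `id` and `title`, and the DSN and credentials are assumptions.

```php
<?php
// Added example (not from the thread): filter input, escape output (FIEO)
// for a thread_id passed through the URL.
// Assumed schema: table `threads` with columns `id` and `title`.
// The DSN and credentials below are placeholders.

declare(strict_types=1);

/**
 * Filter step: accept only a string of ASCII digits that denotes a
 * positive integer. Returns the normalised integer, or null if invalid.
 *
 * @param mixed $raw the raw $_GET value (string, array, or missing)
 */
function filterThreadId($raw): ?int
{
    // Everything in $_GET is a string (or an array for ?thread_id[]=1),
    // so is_int() would reject even "42". Inspect the characters instead.
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;
    }

    // Normalise: "0042" -> 42. intval() saturates at PHP_INT_MAX, so
    // round-tripping the value back to a string catches overflow.
    $id = intval($raw);
    if ($id < 1 || (string) $id !== ltrim($raw, '0')) {
        return null;
    }
    return $id;
}

/**
 * Escape step for HTML output: never echo raw data into a page.
 * ENT_QUOTES also escapes single quotes, so the result is safe inside
 * attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string.
 */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Database step: a prepared statement binds the id as data, so no
 * string escaping is required at all.
 */
function loadThreadTitle(PDO $db, int $threadId): ?string
{
    $stmt = $db->prepare('SELECT title FROM threads WHERE id = :id');
    $stmt->bindValue(':id', $threadId, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

// ---- request handling ----
$threadId = filterThreadId($_GET['thread_id'] ?? null);
if ($threadId === null) {
    http_response_code(400);
    exit('Invalid thread id');
}

// Placeholder connection details: replace with your own.
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$title = loadThreadTitle($db, $threadId);
if ($title === null) {
    http_response_code(404);
    exit('No such thread');
}

// Escape on output, at the point where the value enters the HTML context.
echo '<h1>' . escapeHtml($title) . '</h1>';
```

The filter rejects rather than repairs: a request with thread_id=abc or thread_id[]=1 gets a 400, and a value that overflows an integer is not silently clamped to PHP_INT_MAX. The title is escaped only when it is written into the page, which is the "escape output" half of FIEO; the stored value itself stays untouched.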
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Kieran Huggins wrote:
If you want to include limited HTML tags like bold, anchors and other simple goodies (in comments, etc...) you have to clean your input on the way in. As AC mentioned, you'll need to do tag and attribute whitelisting, as well as tag balancing. It sounds like a bit of a pain, but I'm sure there's existing code out there already.

::cough:: HTML Purifier ::cough::
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Ambush Commander wrote:
If you want to include limited HTML tags like bold, anchors and other simple goodies (in comments, etc...) you have to clean your input on the way in. As AC mentioned, you'll need to do tag and attribute whitelisting, as well as tag balancing. It sounds like a bit of a pain, but I'm sure there's existing code out there already.
::cough:: HTML Purifier ::cough::

I am an idiot :rofl:
alpha2zee
Forum Newbie
Posts: 2
Joined: Wed Nov 07, 2007 3:07 pm

Post by alpha2zee »

Have a look at htmLawed, a highly customizable, 45 kb, single file, non-OOP PHP script to filter and purify HTML. Besides restricting tags/elements, attributes and URL protocols as per one's specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.