Using $_GET
What are the security measures when using $_GET values?
For instance, what if I wanted to pass thread_id numbers through the URL?
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Ah, that's a little too paranoid.
$_GET is one method in which users can give your application data to process (the other is $_POST). This is perfectly fine, and absolutely necessary. What you do with this data, however, is another matter: as superdezign comments, never trust user input; always validate and escape it as necessary. Also, do not use $_GET to trigger application actions, such as deleting a post, etc.
- Josh1billion
- Forum Contributor
- Posts: 316
- Joined: Tue Sep 11, 2007 3:25 pm
When using $_GET, you should "sanitize" the data (that is, make it safe). Here are three functions you use to do that:
- intval() [on integers, to make sure that the value is an integer. This function turns anything you send to it into an integer, so you can use it in spots where the $_GET variable passed is supposed to be an integer]
- mysql_real_escape_string() [on strings that you are passing to a MySQL query, to protect against a security breach known as "SQL injection" (google it or wikipedia it for more info)]
- strip_tags() [on strings that you will be printing to the screen, so that people can't enter HTML code, because bad things can happen sometimes if they do, such as XSS attacks (google that too if you want)]
Oh, and on a sort-of-related note, you should have a little PHP option known as "register globals" off. Google it to find out why. If you are always careful with your code (always initializing your variables), this option won't matter at all, but sooner or later everyone makes a small mistake somewhere, so having "register globals" off is very helpful in case you do mess up.
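As an added example (not code from this thread), here is the thread_id case from the original question handled end to end: the value is validated rather than coerced, the query uses a bound parameter, and the result is escaped when it is printed. It uses PDO and filter_var() instead of the mysql_* extension (removed in PHP 7); the table name, column names and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example, not from the thread. Validate -> query with a bound
// parameter -> escape on output. Table/columns and the DSN are assumed.
declare(strict_types=1);

/** Validate (do not normalise): accept only a positive integer string, else null. */
function threadIdFromQuery(array $query): ?int
{
    if (!isset($query['thread_id']) || !is_string($query['thread_id'])) {
        return null;                    // missing, or an array (?thread_id[]=1)
    }
    $id = filter_var($query['thread_id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;  // "12abc", "1.0", "-3" and "" are all rejected
}

function loadThread(PDO $db, int $threadId): ?array
{
    // Bound parameter: the id never becomes part of the SQL text, so no escaping is needed.
    $stmt = $db->prepare('SELECT id, title, body FROM threads WHERE id = :id');
    $stmt->execute([':id' => $threadId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Escape for an HTML text/attribute context at output time; strip_tags() is not used. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- demo with constructed data in an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO threads VALUES (7, 'Hello <world>', 'first & last')");

// In a real page this would be threadIdFromQuery($_GET); the inputs below are constructed.
foreach (['7', '7 OR 1=1', '12abc', '', ['1']] as $input) {
    $id = threadIdFromQuery(['thread_id' => $input]);
    if ($id === null) {
        echo 'rejected: ', json_encode($input), "\n";
        continue;
    }
    $thread = loadThread($db, $id);
    echo ($thread ? '<h1>' . h($thread['title']) . '</h1>' : 'not found'), "\n";
}
```

Only the first input reaches the database; the rest are refused before any query runs, and the title containing `<world>` is printed as `&lt;world&gt;` rather than being interpreted as markup.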
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Ambush Commander wrote:
While they are useful functions (except strip_tags, which should be avoided like the plague), they should not be conflated. intval() is used for validation and mysql_real_escape_string is used for escaping. They are two different topics, and must be treated differently.
Technically intval() would be used for filtering, is_int() for validation, and mysql_real_escape_string() for escaping. Those (filtering, validation and escaping) are the three general steps in processing input securely.
- Josh1billion
- Forum Contributor
- Posts: 316
- Joined: Tue Sep 11, 2007 3:25 pm
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
It is insecure due to the fact that it doesn't validate attributes, doesn't balance tags and does a poor job of parsing malformed tags. There are only a few legitimate uses for the function (such as converting HTML input into a textual representation), but it should not be used for anything security related.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
If you want to include limited HTML tags like bold, anchors and other simple goodies (in comments, etc...) you have to clean your input on the way in. As AC mentioned, you'll need to do tag and attribute whitelisting, as well as tag balancing. It sounds like a bit of a pain, but I'm sure there's existing code out there already.
Check out "Building Scalable Web Sites" from O'Reilly - it has an entire chapter on input cleansing and is generally an amazing book. One of the few books it's worth buying new, but as it's a few years old now (but certainly not outdated) you may be able to pick it up for a song.
Browse through the WordPress source as a last resort, as I seem to remember this being a feature in their comments.
Christopher wrote:
Technically intval() would be used for filtering, is_int() for validation, and mysql_real_escape_string() for escaping. Those (filtering, validation and escaping) are the three general steps in processing input securely.
Two steps. FIEO. Filter input; escape output.
Technically, intval() is normalizing. Filtering is the act of inspecting data to be sure it's valid (validation), and only allowing valid data to enter. Normalizing is "to make regular and consistent."
Be careful about is_int(). Yes, it's a validation function, but it inspects the data type, not the data. For example, anything from $_GET or $_POST is going to fail an is_int() check, regardless of what the data is.
Hope this helps.
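An added example (not from the thread) that makes the validation/normalisation distinction in the two posts above concrete: it runs is_int(), ctype_digit(), intval() and filter_var(FILTER_VALIDATE_INT) over a set of constructed strings of the kind $_GET delivers.

```php
<?php
// Added example, not from the thread. Inputs are constructed; every value
// arrives as a string, exactly as it would from $_GET.
declare(strict_types=1);

function probe(string $raw): array
{
    return [
        // type check: a $_GET value is always a string, so this is always false
        'is_int'       => is_int($raw),
        // validation: digits only, so "-1", "" and "12abc" fail
        'ctype_digit'  => ctype_digit($raw),
        // normalisation: silently coerces, "12abc" becomes 12 and "" becomes 0
        'intval'       => intval($raw),
        // validation: false unless the whole (trimmed) string is a decimal integer
        'validate_int' => filter_var($raw, FILTER_VALIDATE_INT),
    ];
}

$inputs = ['42', '12abc', '4.0', '', '-1', ' 42', '007'];

printf("%-8s %-7s %-12s %-7s %s\n",
       'input', 'is_int', 'ctype_digit', 'intval', 'FILTER_VALIDATE_INT');
foreach ($inputs as $in) {
    $r = probe($in);
    printf("%-8s %-7s %-12s %-7d %s\n",
           json_encode($in),
           var_export($r['is_int'], true),
           var_export($r['ctype_digit'], true),
           $r['intval'],
           var_export($r['validate_int'], true));
}
```

The table it prints shows is_int() false on every row, intval() turning "12abc" into 12 and "" into 0 without complaint, ctype_digit() rejecting "-1" and " 42", and FILTER_VALIDATE_INT rejecting "12abc", "4.0", "" and the leading-zero "007" while accepting "-1" and the whitespace-padded " 42". Which of the two validators is right depends on whether the field may legitimately be negative or padded; neither should be replaced by intval() when the goal is to refuse bad input.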
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Kieran Huggins wrote:
If you want to include limited HTML tags like bold, anchors and other simple goodies (in comments, etc...) you have to clean your input on the way in. As AC mentioned, you'll need to do tag and attribute whitelisting, as well as tag balancing. It sounds like a bit of a pain, but I'm sure there's existing code out there already.
::cough:: HTML Purifier ::cough::
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
Ambush Commander wrote:
::cough:: HTML Purifier ::cough::
I am an idiot.
Have a look at htmLawed, a highly customizable, 45 kb, single file, non-OOP PHP script to filter and purify HTML. Besides restricting tags/elements, attributes and URL protocols as per one's specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.
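To show what "tag and attribute whitelisting, as well as tag balancing" means in practice, and why the earlier post says strip_tags() is not adequate for it, here is an added example that is neither from this thread nor from HTML Purifier or htmLawed: a small allow-list filter built on PHP's bundled ext/dom. The parser balances the tags; the walk keeps only listed elements and attributes and rejects non-http(s) hrefs. The allow-list and the sample input are assumptions for the demo; a maintained library such as the ones named in the thread is the right choice for real comments.

```php
<?php
// Added example, not code from the thread or from HTML Purifier/htmLawed.
// Minimal allow-list HTML filter on ext/dom. ALLOWED_TAGS is an assumption.
declare(strict_types=1);

const ALLOWED_TAGS      = ['b' => [], 'i' => [], 'p' => [], 'a' => ['href']];
const DROP_WITH_CONTENT = ['script', 'style'];   // tag and its text both removed

function safeHref(string $value): bool
{
    // Only absolute http(s) URLs; rejects javascript:, data:, vbscript: and similar.
    return (bool) preg_match('#^https?://#i', trim($value));
}

/** Copy the allowed parts of $src's children into a fragment owned by $out. */
function copyAllowed(DOMNode $src, DOMDocument $out): DOMDocumentFragment
{
    $frag = $out->createDocumentFragment();
    foreach ($src->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Re-created as a text node, so it is entity-escaped when serialised.
            $frag->appendChild($out->createTextNode($child->nodeValue));
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                                 // comments, PIs: dropped
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            continue;
        }
        $inner = copyAllowed($child, $out);
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unlisted element (img, span with onmouseover, ...): unwrap, keep its text.
            if ($inner->hasChildNodes()) {
                $frag->appendChild($inner);
            }
            continue;
        }
        $el = $out->createElement($tag);
        foreach (ALLOWED_TAGS[$tag] as $attr) {       // every other attribute is dropped
            if (!$child->hasAttribute($attr)) {
                continue;
            }
            $value = $child->getAttribute($attr);
            if ($attr === 'href' && !safeHref($value)) {
                continue;
            }
            $el->setAttribute($attr, $value);
        }
        if ($inner->hasChildNodes()) {
            $el->appendChild($inner);
        }
        $frag->appendChild($el);
    }
    return $frag;
}

function filterHtml(string $dirty): string
{
    $in   = new DOMDocument();
    $prev = libxml_use_internal_errors(true);         // malformed input is expected
    $in->loadHTML('<?xml encoding="UTF-8"?><html><body>' . $dirty . '</body></html>');
    libxml_use_internal_errors($prev);
    $body = $in->getElementsByTagName('body')->item(0);

    $out  = new DOMDocument();
    $root = $out->appendChild($out->createElement('div'));
    $clean = copyAllowed($body, $out);
    if ($clean->hasChildNodes()) {
        $root->appendChild($clean);
    }
    $html = '';
    foreach ($root->childNodes as $node) {
        $html .= $out->saveHTML($node);
    }
    return $html;
}

// Constructed sample: unbalanced tags, an event handler, a javascript: link, a script block.
$sample = '<b>bold <i>both</b> plain</i> <a href="javascript:alert(1)" onclick="x()">link</a>'
        . '<a href="https://example.com/">ok</a><script>alert(1)</script><img src=x onerror=alert(1)>';

echo 'filtered:   ', filterHtml($sample), "\n";
// For contrast: strip_tags() with an allow-list keeps every attribute on the kept tags.
echo 'strip_tags: ', strip_tags($sample, '<b><i><a>'), "\n";
```

Running it shows the difference the thread is pointing at: the filtered line has balanced `<b>`/`<i>` tags, the first link with its `javascript:` href and `onclick` removed, the second link intact, and no script or img at all, whereas the strip_tags() line still carries the `onclick` and `javascript:` attributes on the `<a>` it was told to allow.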