
Using $_GET

Posted: Sat Oct 20, 2007 3:33 pm
by arpowers
what are the security measures when using $_GET values?

for instance what if I wanted to pass thread_id numbers through the url?

Posted: Sat Oct 20, 2007 4:13 pm
by superdezign
GET values are user input. NEVER trust user input. Anything could go wrong, so be sure not to let it.

Posted: Sat Oct 20, 2007 4:50 pm
by Ambush Commander
Ah, that's a little too paranoid.

$_GET is one method in which users can give your application data to process (the other is $_POST). This is perfectly fine, and absolutely necessary. What you do with this data, however, is another matter: as superdezign comments, never trust user input; always validate and escape it as necessary. Also, do not use $_GET to trigger application actions, such as deleting a post, etc.

Posted: Sat Oct 20, 2007 7:43 pm
by Josh1billion
When using $_GET, you should "sanitize" the data (that is, make it safe). Here are three functions you use to do that:

Here are the three functions

- intval() [on integers, to make sure that the value is an integer. This function turns anything you send to it into an integer, so you can use this in spots where the $_GET variable passed is supposed to be an integer]

- mysql_real_escape_string() [on strings that you are passing to a MySQL query, to protect against a security breach known as "SQL injection" (google it or wikipedia it for more info)]

- strip_tags() [on strings that you will be printing to the screen, so that people can't enter HTML code, because bad things can happen sometimes if they do, such as XSS attacks (google that too if you want)]

Oh, and on a sort-of-related note, you should have a little PHP option known as "register globals" off. Google it to find out why. But if you are always careful with your code (always initializing your variables), this option won't matter at all, but sooner or later everyone makes a small mistake somewhere, so having "register globals" off is very helpful in case you do mess up.

Posted: Sat Oct 20, 2007 10:21 pm
by Ambush Commander
While they are useful functions (except striptags, which should be avoided like the plague), they should not be conflated. intval() is used for validation and mysql_real_escape_string is used for escaping. They are two different topics, and must be treated differently.

Posted: Sat Oct 20, 2007 10:27 pm
by Christopher
Ambush Commander wrote: While they are useful functions (except striptags, which should be avoided like the plague), they should not be conflated. intval() is used for validation and mysql_real_escape_string is used for escaping. They are two different topics, and must be treated differently.
Technically intval() would be used for filtering, is_int() for validation, and mysql_real_escape_string() for escaping. Those (filtering, validation and escaping) are the three general steps in processing input securely.

Posted: Sun Oct 21, 2007 12:55 am
by arpowers
You guys are awesome....
I love how everybody is helpful here.


Just letting you know that I learned from the discussion:) thanks for the replies.

Posted: Sun Oct 21, 2007 9:01 am
by Josh1billion
Ambush Commander wrote: striptags, which should be avoided like the plague
Why's that?

Posted: Sun Oct 21, 2007 12:16 pm
by Ambush Commander
It is insecure due to the fact that it doesn't validate attributes, doesn't balance tags and does a poor job of parsing malformed tags. There are only a few legitimate uses for the function (such as converting HTML input into a textual representation), but it should not be used for anything security related.

Posted: Sun Oct 21, 2007 4:21 pm
by John Cartwright
FYI, htmlspecialchars() is the function of choice when outputting, instead of striptags().
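As an added example (my own code, not something any poster in this thread wrote), here is the difference between strip_tags() and htmlspecialchars() on a constructed comment string. strip_tags() only compares tag names against its allow-list, so an allowed tag passes through with every attribute it carried and nothing checks that it is ever closed; htmlspecialchars() removes nothing and instead encodes the markup so the browser displays it as text.

```php
<?php
// Added example, not from the thread: strip_tags() versus htmlspecialchars()
// on user-supplied text that is about to be echoed into a page.
// $comment and $fragment are constructed sample inputs.

// strip_tags() compares tag names against the allow-list and nothing else:
// an allowed element keeps all of its attributes, and nothing checks
// whether it is ever closed. That is the "doesn't validate attributes"
// and "doesn't balance tags" point made earlier in the thread.
function with_strip_tags(string $untrusted): string
{
    return strip_tags($untrusted, '<a>');
}

// htmlspecialchars() does not remove anything; it converts & < > " ' into
// entities so the browser renders the characters instead of parsing them.
// ENT_QUOTES matters when the value lands inside a quoted attribute.
function with_htmlspecialchars(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: one with an attribute on an allowed tag, one unbalanced.
$comment  = 'Check <a href="https://example.org" style="color:red">this</a> <i>out</i>';
$fragment = '<a href="https://example.org">never closed';

foreach ([$comment, $fragment] as $input) {
    echo "input:            $input\n";
    echo "strip_tags:       " . with_strip_tags($input) . "\n";
    echo "htmlspecialchars: " . with_htmlspecialchars($input) . "\n\n";
}
```

Run it with the php CLI: the strip_tags line still contains the style attribute and the unclosed <a>, which is why output into an HTML body should be escaped rather than filtered. Where some markup has to be allowed through, that is the tag and attribute whitelisting plus tag balancing job that later posts in this thread talk about, and a job for a library rather than strip_tags().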

Posted: Sun Oct 21, 2007 7:23 pm
by Kieran Huggins
If you want to include limited HTML tags like bold, anchors and other simple goodies (in comments, etc...) you have to clean your input on the way in. As AC mentioned, you'll need to do tag and attribute whitelisting, as well as tag balancing. It sounds like a bit of a pain, but I'm sure there's existing code out there already.

Check out "Building Scalable Web Sites" from O'Reilly - it has an entire chapter on input cleansing and is generally an amazing book. One of the few books it's worth buying new, but as it's a few years old now (but certainly not outdated) you may be able to pick it up for a song.

Browse through the Wordpress source as a last resort, as I seem to remember this being a feature in their comments.

Posted: Sun Oct 21, 2007 9:33 pm
by shiflett
Technically intval() would be used for filtering, is_int() for validation, and mysql_real_escape_string() for escaping. Those (filtering, validation and escaping) are the three general steps in processing input securely.
Two steps. FIEO. Filter input; escape output.

Technically, intval() is normalizing. Filtering is the act of inspecting data to be sure it's valid (validation), and only allowing valid data to enter. Normalizing is "to make regular and consistent."

Be careful about is_int(). Yes, it's a validation function, but it inspects the data type, not the data. For example, anything from $_GET or $_POST is going to fail an is_int() check, regardless of what the data is.

Hope this helps.
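As an added example (my own code, not posted by anyone in the thread), here are the two FIEO steps applied to the thread_id question that started the thread, including the is_int() caveat. The $samples array is constructed. load_thread() assumes an open mysqli connection and a "threads" table, and uses a bound prepared-statement parameter in place of mysql_real_escape_string(), since the old mysql extension those functions belong to was removed in PHP 7.

```php
<?php
// Added example, not from the thread: FIEO (filter input, escape output) for a
// thread_id taken from the URL. $samples is constructed; the mysqli connection
// and the "threads" table in load_thread() are assumed.

// Shows the is_int() caveat: every scalar in $_GET is a string, so this is
// always false, whatever digits the URL carried.
function naive_is_int_check(array $get): bool
{
    return isset($get['thread_id']) && is_int($get['thread_id']);
}

// Filter input. Validation first (is the value acceptable at all?), then
// normalization (turn the accepted string into the int the rest of the code wants).
// Returns null for anything that is not a positive decimal integer.
function filter_thread_id(array $get): ?int
{
    // ?thread_id[]=1 arrives as an array; only a plain string is acceptable.
    if (!isset($get['thread_id']) || !is_string($get['thread_id'])) {
        return null;
    }
    $raw = $get['thread_id'];

    // Validation: digits only (no sign, whitespace or exponent), no leading
    // zero, and a length cap so the value fits comfortably in an int column.
    if (!ctype_digit($raw) || $raw[0] === '0' || strlen($raw) > 9) {
        return null;
    }

    // Normalization: intval() on a string that has already been validated.
    // intval() alone would silently turn "42abc" into 42 and "abc" into 0,
    // which is why it is a normalizing step and not a validation step.
    return intval($raw);
}

// Escape output, SQL context. A bound integer parameter is the mysqli
// replacement for building the query with mysql_real_escape_string()
// (the mysql extension was removed in PHP 7). $db is assumed to be connected.
function load_thread(mysqli $db, int $threadId): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM threads WHERE id = ?');
    $stmt->bind_param('i', $threadId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Constructed inputs standing in for $_GET from different URLs.
$samples = [
    '42'     => ['thread_id' => '42'],
    '007'    => ['thread_id' => '007'],
    '42abc'  => ['thread_id' => '42abc'],
    '-1'     => ['thread_id' => '-1'],
    '1e3'    => ['thread_id' => '1e3'],
    'array'  => ['thread_id' => ['1']],
    'absent' => [],
];

foreach ($samples as $label => $get) {
    $id = filter_thread_id($get);
    printf(
        "%-7s is_int: %-5s filtered: %s\n",
        $label,
        naive_is_int_check($get) ? 'true' : 'false',
        $id === null ? 'rejected' : "thread $id"
    );
}
```

The loop at the bottom runs without a database and shows that only "42" survives the filter while is_int() is false for every sample. Only a value that came out of filter_thread_id() should reach load_thread(); a rejected one ends in a 404 or error page, never in a query built from the raw string.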

Posted: Sun Oct 21, 2007 10:23 pm
by Ambush Commander
If you want to include limited HTML tags like bold, anchors and other simple goodies (in comments, etc...) you have to clean your input on the way in. As AC mentioned, you'll need to do tag and attribute whitelisting, as well as tag balancing. It sounds like a bit of a pain, but I'm sure there's existing code out there already.
::cough:: HTML Purifier ::cough::

Posted: Mon Oct 22, 2007 12:18 am
by Kieran Huggins
Ambush Commander wrote:
If you want to include limited HTML tags like bold, anchors and other simple goodies (in comments, etc...) you have to clean your input on the way in. As AC mentioned, you'll need to do tag and attribute whitelisting, as well as tag balancing. It sounds like a bit of a pain, but I'm sure there's existing code out there already.
::cough:: HTML Purifier ::cough::
I am an idiot :rofl:

Posted: Wed Nov 07, 2007 3:37 pm
by alpha2zee
Have a look at htmLawed, a highly customizable, 45 kb, single file, non-OOP PHP script to filter and purify HTML. Besides restricting tags/elements, attributes and URL protocols as per one's specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.